Securing Your Switches
Some of the savvier hackers and crackers can actually attack your network at the router and switch level. Apart from Telnet being disabled on your VTY lines by default, switches and routers don’t come with any automatic security settings, so you’ll have to decide on the level of security you need.
Telnet sends traffic in plain text, including the password, so it really won’t matter how complex the password is if somebody happens to be listening for Telnet traffic at the time you type it in. Secure Shell (SSH) is a more useful option in terms of security because it encrypts the session. You can enable SSH on the VTY lines by using the transport input ssh command.
Protect the Global Configuration Mode: The Global Configuration Mode gives you a prompt of Switch(config)# when working with your switch and allows the user to change and erase the configuration. To prevent an unauthorized user from getting into this mode, set an encrypted password using the enable secret command. It is possible to set an unencrypted password with the enable password command, but I wouldn’t recommend this if you are truly serious about securing your router. The service password-encryption command does encrypt passwords, but its encryption is very weak and easily cracked. Once the secret password is set, unauthorized users will have a much harder time getting past the point where they can view but not change settings, and they won’t be able to read the password.
Change the Native VLAN: The switch uses the native VLAN to handle specific types of traffic, such as information exchanged by Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP) and Port Aggregation Protocol (PAgP). By default, the switch uses VLAN 1. This can be changed to any number between 1 and 4095, avoiding the reserved VLAN ranges. You can inspect the VLAN used by a specific interface with a command such as show interfaces fastethernet 0/1 switchport, which gives you the VLAN along with other useful switchport information for Fast Ethernet 0/1. You can change the native VLAN number by using the command switchport trunk native vlan 888, and then prevent native VLAN data from moving over the cable by using the command switchport trunk allowed vlan remove 888. If you change the native VLAN on each interface to a number other than 1, it will take a very patient cracker to first guess the VLANs being used by your interfaces and then use that information to exploit your network at the switch level.
Change the Management VLAN: You can add a Switch Virtual Interface (SVI) to your switch by assigning an IP address to a VLAN interface. This is useful for management because it gives you the ability to telnet into the switch, but it can also be a security risk if the SVI is placed on VLAN 1. It can be changed by typing in vlan number, where number is the numeral of the VLAN you want your SVI to reside on, and then typing interface vlan number.
Turn On Port Security: Switch ports can be set to provide an extra level of security by defining the number of MAC addresses, or the specific MAC addresses, allowed on each port. This is useful for blocking a MAC address that you suspect has been causing problems and for keeping unknown devices off your switch, but it will have to be tweaked every time you replace equipment or add new devices to the network.
To set security on each interface, start with the command switchport port-security while in the interface mode on your router. The command switchport port-security ? should show you that you can set specific MAC addresses or a maximum number of MAC addresses on the port. To add a MAC address you know to be safe, use the command switchport port-security mac-address youraddress, where youraddress is the MAC address you want to add.
You can also set the port to discard frames from an unknown MAC by using switchport port-security violation ?. This gives you the options protect (simply drop all frames from unknown MACs), restrict (drop frames from unknown MACs once the maximum number of trusted MAC addresses has been reached), or shutdown (shut down the port if a security violation occurs). If your switch goes down after you add a new device, or the new device can’t transmit data over the network, you can check the port-security settings with the command show port-security int interface-name, in which interface-name is the name of the interface you are using.
Disable CDP: Cisco Discovery Protocol (CDP) is enabled by default on most switches and routers. There are a few exceptions, such as ASR routers. CDP allows Cisco devices to see information about other directly connected network devices. Turning it off on devices that connect to your ISP or to another company’s devices is recommended. An easy way to see if CDP is enabled is to type in show cdp neighbor detail on the switch. If the output displays detailed information about devices it is directly connected to, CDP is enabled. CDP can be disabled at the Global Configuration level by typing in no cdp run, or for specific interfaces by accessing each Interface mode and typing in no cdp enable.
Add a Banner Message: This is mostly useful for prosecuting cases in which somebody actually got into your network at the router and switch level. It basically adds a notification such as “No Unauthorized Access Allowed.” The banner message is added using banner motd # Unauthorized Access Will Be Prosecuted #. The # signs are referred to as delimiting characters and set the boundaries for your message. The delimiting character can be any symbol you are comfortable with. When anyone tries to telnet into your switch, they will now see the message Unauthorized Access Will Be Prosecuted. Now they can’t claim ignorance when it comes to a court case.
Set A VTP Password: VTP ensures that the switches on your network exchange accurate VLAN information. This information can be secured by using the command vtp domain 60days, which changes the VTP domain name to 60days. Set your password by using the command vtp password yourpassword.
Restrict Allowed VLANs: Using the switchport trunk allowed vlan ? command on each interface will display options you can use to restrict the VLANs that can send data through the switch. Commands such as switchport trunk allowed vlan 7-12 tell the interface to only allow VLANs with numbers within that specific range.
Update the IOS: Microsoft Windows isn’t the only OS that issues regular updates. It’s just the loudest about it. Updating the IOS on your switches and routers can help fix bugs and plug security holes. It does require that you have a TFTP server that can reach the switch, and that you know the filesystem used on your Cisco device. Use show file system if you need to check the filesystem on your switch. The command will typically look like copy tftp: flash:. The system will prompt you for the IP address of the TFTP server, and then for the name of the file you want to copy. It will also prompt you for confirmation, because this will erase the old system image, which will also erase the existing configuration. (No worries if you’ve been making backups of your configuration. Just be sure to back it up one more time before you start.) To confirm the install, type in show version and it should display the IOS version you currently have.
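As an added example (not from the original post), here is a small Python audit that reads a saved running-config and flags the items walked through above: missing enable secret, Telnet still allowed on the VTY lines, trunks left on native VLAN 1 or allowing every VLAN, access ports without port-security, CDP still running, and no login banner. The sample config is constructed for the demonstration, not captured from a real device.

```python
import re

# Constructed sample running-config (not captured from a real device). It is
# written to violate several of the checks so the audit has findings to report.
SAMPLE_CONFIG = """\
hostname sw1
enable password cisco
banner motd #Unauthorized Access Will Be Prosecuted#
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
interface FastEthernet0/3
 switchport mode access
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(config):
    """Map each 'interface ...' or 'line vty ...' header to its indented body lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(("interface ", "line vty")):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line (hostname, "!", ...) ends the block
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("global: no 'enable secret' set")
    if not re.search(r"^no cdp run", config, re.M):
        findings.append("global: CDP is running (no 'no cdp run')")
    if not re.search(r"^banner motd ", config, re.M):
        findings.append("global: no login banner")
    for name, body in parse_blocks(config).items():
        if name.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            # no transport line means the IOS default, which still permits Telnet
            if not transport or "telnet" in transport[0] or "all" in transport[0]:
                findings.append(f"{name}: Telnet allowed; expected 'transport input ssh'")
        elif "switchport mode trunk" in body:
            native = next((l for l in body if l.startswith("switchport trunk native vlan")), None)
            if native is None or native.split()[-1] == "1":
                findings.append(f"{name}: trunk uses native VLAN 1")
            if not any(l.startswith("switchport trunk allowed vlan") for l in body):
                findings.append(f"{name}: trunk allows every VLAN")
        elif "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(f"{name}: access port without port-security")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved to a file; the global checks are regex searches, so hashed enable secret lines (enable secret 5 ...) are recognised.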