IOS Security Basics

Cisco IOS Security Basic Example Template

Description:
If you are not actively securing your network devices themselves, you might as well not have any additional security in place at all. Cisco IOS offers many ways to prevent known attacks against IOS devices. Use the following example as a starter template for switch configurations where security is the primary concern. This configuration covers a good portion of the initial setup for a new device; you will still need to add trunk or routed links, VLANs, and so on to complete it.

View the configuration:
! BEGIN
hostname secureIOS
service password-encryption
! CHANGE CREDENTIALS AND DOMAIN NAME AS DESIRED
username cisco privilege 15 secret 0 cisco123!@!
enable secret 0 c1sc0!!
ip domain-name N3TW0RK
! GENERATING AN RSA KEY FOR SSH
! (1024 bits is the template's value; 2048 bits or larger is the current recommendation)
crypto key generate rsa modulus 1024
! ENABLING SSH V2 AND SETTING PARAMETERS TO MITIGATE BRUTE FORCE ATTEMPTS
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
! DISABLE SERVICES THAT OPEN MORE VULNERABILITIES
no ip http server
no ip http secure-server
! CONSOLE SECURITY
line console 0
 login local
 exec-timeout 3
exit
! MITIGATION BANNER MESSAGE
banner login #
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
 You must have explicit, authorized permission to access or configure this device.
 Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
 All activities performed on this device are logged and monitored.
#
! LOGIN RESTRICTIONS
login block-for 5 attempts 3 within 20
login delay 5
login on-failure log
login on-success log
! REMOTE ACCESS SECURITY
ip access-list standard SSH
 remark Administrative SSH Management ACL
 ! ADJUST THE PERMIT STATEMENT TO THE SUBNET YOU WILL BE REMOTING IN FROM ONLY.
 permit X.X.X.X log
 deny any log
exit
! DURING QUIET MODE ONLY HOSTS PERMITTED BY THE SSH ACL MAY STILL LOG IN
login quiet-mode access-class SSH
line vty 0 15
 access-class SSH in
 ! ACCEPT SSH ONLY (NO TELNET) AND AUTHENTICATE AGAINST THE LOCAL USER DATABASE
 transport input ssh
 login local
 exec-timeout 3
exit
! MANAGEMENT RESTRICTION TO SPECIFIC INTERFACE
control-plane host
 management-interface Vlan10 allow ssh tftp snmp
exit
! ACCESS PORT SECURITY
! ADJUST THE INTERFACE RANGE (SLOT/PORT NUMBERING) TO MATCH YOUR PLATFORM
interface range FastEthernet0/1 - 48
 description ACCESS-PORT
 switchport mode access
 ! Change the following vlans to match your network.
 switchport access vlan 5
 switchport voice vlan 10
 ! Remove the following 2 lines for any trunk ports.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Note: Cisco IP phones learn the voice VLAN through CDP (or LLDP-MED); with CDP disabled, enable LLDP or the voice VLAN will not be advertised to the phone.
 no cdp enable
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 2
 ! Remove the following to keep the ports closed initially.
 no shutdown
exit
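Once a switch has been built from this template, the question a defender keeps asking is whether it still matches it. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses a saved `show running-config` into blocks and reports which of the template's controls are missing (global hardening commands, SSH-only vty lines whose access-class names an ACL that actually exists, and BPDU guard plus port security on every access port). The `SAMPLE_CONFIG` at the bottom is constructed for demonstration and deliberately contains a vty line that still accepts telnet and references an undefined ACL, and an access port without BPDU guard, so the audit has something to report.

```python
"""Audit a saved Cisco IOS running-config against the hardening template.

Added example, not from the original post. Checks are keyed on the literal
IOS command strings the template uses; SAMPLE_CONFIG below is constructed.
"""

# Global (config-mode) commands the template expects to see verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "ip ssh version 2",
    "no ip http server",
    "no ip http secure-server",
    "login on-failure log",
    "login on-success log",
]

# Global commands that must be present, matched by prefix (their values vary).
REQUIRED_GLOBAL_PREFIX = [
    "enable secret",
    "login block-for",
    "ip ssh authentication-retries",
]

# Controls every access port in the template carries.
REQUIRED_ACCESS_PORT = [
    "spanning-tree bpduguard enable",
    "switchport port-security",
]


def parse_ios_config(text):
    """Split an IOS config into (header, [child lines]) blocks.

    IOS indents sub-mode commands by at least one space, so a non-indented
    line starts a new block and indented lines belong to the preceding one.
    Blank lines and '!' comment lines are skipped; whitespace is stripped.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_ios_config(text)
    headers = [h for h, _ in blocks]
    findings = []

    for cmd in REQUIRED_GLOBAL:
        if cmd not in headers:
            findings.append(f"missing global command: {cmd}")
    for prefix in REQUIRED_GLOBAL_PREFIX:
        if not any(h.startswith(prefix) for h in headers):
            findings.append(f"missing global command: {prefix} ...")

    # Named ACLs defined in this config; the vty access-class must name one.
    acls = {h.split()[-1] for h in headers if h.startswith("ip access-list ")}

    for header, children in blocks:
        if header.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{header}: telnet not disabled (no 'transport input ssh')")
            if "login local" not in children and not any(
                c.startswith("login authentication") for c in children
            ):
                findings.append(f"{header}: no 'login local' or AAA login method")
            ac = [c for c in children if c.startswith("access-class ") and c.endswith(" in")]
            if not ac:
                findings.append(f"{header}: no inbound access-class")
            elif ac[0].split()[1] not in acls:
                findings.append(f"{header}: access-class references undefined ACL {ac[0].split()[1]}")
        elif header.startswith("interface ") and "switchport mode access" in children:
            for cmd in REQUIRED_ACCESS_PORT:
                if cmd not in children:
                    findings.append(f"{header}: missing '{cmd}'")
    return findings


# Constructed sample running-config (not from a real device). The secret hash
# is a placeholder; two deliberate gaps are described in the lead-in.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname secureIOS
service password-encryption
enable secret 5 $1$PLACEHOLDER
ip ssh version 2
ip ssh authentication-retries 3
no ip http server
no ip http secure-server
login block-for 5 attempts 3 within 20
login on-failure log
login on-success log
ip access-list standard SSH
 permit 10.0.0.0 0.0.0.255 log
 deny   any log
line vty 0 4
 access-class SSH in
 login local
 transport input ssh
line vty 5 15
 access-class SSH-ADMIN in
 login local
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it a real `show running-config` capture with `audit_config(open("switch.cfg").read())`. The vty check is the one most often missed in practice: the template's `login` and `access-class` are applied to `line vty 0 15`, and a later change that re-splits the vty lines (for example `line vty 5 15` added for a new AAA group) can silently drop `transport input ssh` from half of them.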

View more documentation: NSA switch security guide, https://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf