Every network administrator should know how to secure their network so that they reduce their exposure to malicious activity. Sometimes it really just comes down to following some best practices when securing a Cisco switch or router. Here are 5 easy steps to secure your Cisco switch or router.
1. Enable secret

When you run the command show run, do you see your passwords in plain text? That's a no-no. Use

    enable secret your-password

to keep nosy people from reading your password and entering your switch or router. Enable secret stores a hash (type 5, MD5) of the password instead of the password itself – AWAY WITH PLAIN TEXT.
2. Encrypt plain-text passwords

If you've moved over to encrypted passwords and noticed that your existing passwords are still in plain text, run the global configuration command:

    service password-encryption

to encrypt all your passwords. Be aware that this applies the weak type 7 encoding, which is easily reversed; it stops someone reading passwords straight off a show run, but it is no substitute for enable secret.
3. Secure console access

Physical security should be your first line of defense. But what if you have shoddy physical security? Then use console security to stop curious users from connecting to your console port:

    conf t
    line con 0
    password your-password
    login

Be aware that this does not protect your Cisco device from the password recovery procedure. This is why physical security is important!
4. Secure remote access

What protocol are you using to remote into your Cisco switches and routers for management? If you said Telnet, shame on you! Telnet does not encrypt any traffic between you and your Cisco devices. Everything you type is in cleartext. The best alternative is to use SSH. All traffic between you and your Cisco switch or router will be encrypted.

    conf t
    hostname your-switch
    ip domain-name your-domain
    crypto key generate rsa modulus 2048
    ip ssh version 2
    username user secret user-password
    line vty 0 4
    login local
    transport input ssh

The above commands allow only SSH traffic to your Cisco switch or router and prompt for a username and password. The user account must exist locally on the switch (the username command above, which needs to come before the line vty settings since it is a global command), and the RSA key cannot be generated until the device has a non-default hostname and a domain name.
5. Parking lot VLAN, or shut down the interface

Organize your network with virtual local area networks (VLANs). Put accounting on their own VLAN, HR on their own VLAN, IT on their own VLAN. Not only is it good to segment these departments, you can also create a parking lot VLAN. A parking lot VLAN is where you put all unused interfaces. So if a malicious user wanted to connect to your network via an open port in the wall, they wouldn't be able to reach anything, because that unused port sits on a VLAN that is not used for anything else.

    conf t
    vlan 3
    name parking-lot
    exit
    int fa0/15
    switchport mode access
    switchport access vlan 3

A better solution is to shut down an unused interface. When an interface is shut down it cannot be used until you bring it back up with the no shutdown command.

    conf t
    int fa0/15
    shutdown

To bring it back to a working interface:

    conf t
    int fa0/15
    no shut

And those are my 5 easy steps to securing your Cisco switch or router. There are other, more advanced ways, but if you're new to Cisco then the above steps are better than having a non-secured network. If you have any questions or feedback please comment below!
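As an added example that is not part of the original post, here is a small Python audit that reads a saved show run dump and flags the five issues covered above. The config it checks is constructed, not from a real device, and two heuristics are assumptions: a plain username ... password line (anything other than the type 7 form) counts as a plaintext user password, and an interface block with no commands under it counts as an unused port that is neither shut down nor parked.

```python
import re

# Constructed "show run" excerpt (not from a real device) that fails each of the
# five steps, so the audit has something to flag; Fa0/17 is the clean case.
SAMPLE_CONFIG = """\
enable password cisco123
no service password-encryption
username admin password admin123
!
interface FastEthernet0/15
interface FastEthernet0/17
 shutdown
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
"""

def parse_blocks(config):
    """Return (top-level lines, {section header: [indented child lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def audit(config):
    """Check a running-config against the five steps; one finding per failure."""
    top, blocks = parse_blocks(config)
    findings = []
    if any(l.startswith("enable password ") for l in top):
        findings.append("enable password: use 'enable secret' instead")
    if "no service password-encryption" in top:
        findings.append("service password-encryption is off")
    for l in top:  # 'password 7 ...' is type 7; any other form here is plaintext
        if re.match(r"username \S+ password (?!7 )", l):
            findings.append(f"plaintext password for user {l.split()[1]}")
    if not any(c.startswith("login") for c in blocks.get("line con 0", [])):
        findings.append("line con 0: no login configured")
    for hdr, body in blocks.items():
        if hdr.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{hdr}: transport input not limited to ssh")
        if hdr.startswith("interface ") and not body:  # default config = unused
            findings.append(f"{hdr}: unused and neither shut down nor parked")
    return findings
```

Running audit(SAMPLE_CONFIG) returns six findings, one for each weakness in the sample; a config hardened as described in the five steps returns an empty list.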
Tags: Cisco IOS