OL-11615-01
SSH in Cisco IOS 108
SNMP Access 108
Other Security Services 109
TCP Intercept 109
Private VLANs 109
802.1X Authentication 110
Catalyst 6500 Security Service Modules 110
Firewall Services Module (FWSM) 111
IPSec VPN Services Module 111
WebVPN Services Module 111
Content Switching Module with SSL (CSM-S) 111
Anomaly Guard Services Module 111
Traffic Anomaly Detector Services Module 111
Network Analysis Module (NAM) 112
Commonly Used Protocols 112
Basic Tools and Techniques for Device Hardening
Device hardening ensures the security of a device by controlling access to the device, by disabling services
that are not needed, and by establishing mechanisms that help control the use of system resources.
This section presents a compilation of best practices for device hardening on Cisco Catalyst 6500 and
4500 Series switches. Most of these best practices are based on tools and techniques that have been
available for some time and can be considered reliable.
The following is a list of the recommended hardening best practices for Catalyst switches:
Disabling Unneeded Services, page 5
Controlling Switch Access, page 6
Access Control Lists, page 7
Locking Down Unused Ports, page 16
Disabling Unneeded Services
To facilitate deployment, Cisco Catalyst switches arrive with many services that are considered
appropriate for most network environments already enabled. However, because not all networks have the
same requirements, some of these services might not be needed and can be disabled. Disabling unneeded
services has two benefits: it helps preserve system resources, and it eliminates the potential for security
exploits against the disabled services.
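One way to act on this recommendation is to audit a switch's running configuration for services that are still enabled. The following Python script is an added example, not part of the Cisco document: it parses an IOS-style configuration, flags a small set of global services that are rarely needed (the list is an assumption and a starting point, not a complete catalogue), and reports any interface that has `ip directed-broadcast` enabled. The sample configuration embedded in the script is constructed for the example.

```python
"""Audit an IOS-style running-config for services this section recommends disabling."""
from typing import Dict, List

# Global commands that, when present in the configuration, enable a service that is
# rarely needed on a switch. Assumption: this list is illustrative, not exhaustive.
RISKY_GLOBAL_SERVICES = {
    "service tcp-small-servers": "TCP small servers (echo, chargen, discard, daytime)",
    "service udp-small-servers": "UDP small servers",
    "ip finger": "finger service",
    "ip bootp server": "BOOTP server",
    "ip http server": "HTTP management server",
    "service pad": "X.25 PAD service",
}

# Interface-level command that enables forwarding of IP directed broadcasts.
# It may be followed by an access-list number, so it is matched by prefix.
DIRECTED_BROADCAST = "ip directed-broadcast"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every interface block in the config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # comment / separator lines do not end an interface block
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level command returns us to global config
    return interfaces


def audit_config(config: str) -> List[str]:
    """Return one human-readable finding per enabled service that should be reviewed."""
    findings: List[str] = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for cmd, desc in RISKY_GLOBAL_SERVICES.items():
        if cmd in global_lines:
            findings.append(f"global: '{cmd}' enables {desc}; consider 'no {cmd}'")
    for name, sub in parse_interfaces(config).items():
        if any(s == DIRECTED_BROADCAST or s.startswith(DIRECTED_BROADCAST + " ") for s in sub):
            findings.append(f"{name}: '{DIRECTED_BROADCAST}' is enabled; consider 'no {DIRECTED_BROADCAST}'")
    return findings


# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
!
version 12.2
service tcp-small-servers
no service pad
ip finger
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip directed-broadcast
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 no ip directed-broadcast
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Because IOS omits default settings from the running configuration, the script only reports commands that explicitly enable a service; an interface with no `ip directed-broadcast` line is treated as having the feature off, which matches the IOS default on current releases.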
Disabling unneeded services becomes especially important for services that are known to be prone to
being used for malicious purposes. Some services that are enabled by default can be used by attackers
to obtain network and user information, bypass security controls, and even generate DoS attacks. A
directed broadcast is a good example of a default service found in some switches and routers that could
be used for DoS attacks. An IP-directed broadcast packet is an IP packet with a destination address that
is a valid broadcast address for an IP subnet. When a directed broadcast packet reaches a switch that is