Switch hardening on your network

Looks like it is about switch hardening.

So here are some of the things we did to start with on the switches:

  • Default passwords - change the default passwords on the device, all of them, not just the one on the account being used. A number of switches have multiple built in accounts, some of which are easily forgotten.
  • SNMP v3 - if the device supports it, use it, otherwise use a nice long community string, just be aware that it will be compromised and at least read access to the device will be gained.
  • Logging - Use centralised logging of switch activities.
  • AAA - Create a management group in AD, place those that need access to the devices in the group and then use Radius to authenticate users. This does make access as good as the password used by staff, but you can also use tokens to authenticate. Shouldn't be much of a problem as people generally don't need to log into switches anyway.
  • Backup userid/password - if using AAA authentication make sure you have a local userid or password that can be used in case the radius servers aren't available.
  • Management VLAN - Many switches support a management VLAN, so configure it and then use ACLs to control access to this VLAN. This just takes the management function off the main network and makes life harder for the pentester.
  • Network Segmentation - Set up VLANs to segregate your network segments, then use ACLs to control traffic flows between them (Note: use with care as this is easy to get wrong). Also for network segments of different security requirements such as a DMZ, use a different physical switch, don't just VLAN them off.
  • Labeling of Ports - Not really a security measure as such, but many switches allow you to name ports. This means that with a simple show command you can see which port is your uplink, downlink, etc. Comes in handy when the diagram is missing or out of date. Of course this does mean that if someone compromises the device they know what to target.
  • SSH / Telnet - Use SSH v2, disable telnet.
  • Web interface - If you need it use SSL, otherwise disable it. Unfortunately many switches still need you to manage the device using multiple interfaces, as not all the functionality is available from every interface.
  • TFTP - well if you really, really need it, but at least configure the location that is valid.
  • Management IPs - Many switches allow you to configure the management IP addresses for the device. Configure these and you make life harder for attackers.
InfoSec Handlers Diary Blog - Switch hardening on your network
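The checklist above is easy to read once and forget on the next device. As an added example (not code from the ISC diary or its author), the script below turns the items that show up in a switch's running-config into automated checks and runs them against two constructed sample configs, a "before" with vendor defaults and an "after" applying the list. It assumes Cisco IOS-style configuration syntax; the hostnames, addresses, ACL names and secrets are placeholders, not values from any real device.

```python
"""Audit a switch running-config against the hardening checklist quoted above.

Added example, not code from the ISC diary. It assumes Cisco IOS-style
configuration syntax; both sample configs below are constructed and contain
placeholder secrets, not data from any real device.
"""
import re

WELL_KNOWN_COMMUNITIES = {"public", "private"}

# Constructed "before" config: the defaults a pentester hopes to find.
WEAK_CONFIG = """\
hostname edge-sw1
snmp-server community public RO
ip http server
interface GigabitEthernet1/0/1
 switchport mode trunk
line vty 0 4
 password SAMPLE-VTY-PASSWORD
 login
 transport input telnet ssh
"""

# Constructed "after" config applying the checklist items.
HARDENED_CONFIG = """\
hostname edge-sw1
service password-encryption
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha SAMPLE-AUTH priv aes 128 SAMPLE-PRIV
logging host 10.0.10.5
logging trap informational
aaa new-model
aaa authentication login default group radius local
username breakglass privilege 15 secret SAMPLE-SECRET
no ip http server
ip http secure-server
ip ssh version 2
ip access-list standard MGMT
 permit 10.0.10.0 0.0.0.255
interface Vlan10
 description management
 ip address 10.0.10.2 255.255.255.0
interface GigabitEthernet1/0/1
 description UPLINK-core-sw1
line vty 0 4
 access-class MGMT in
 login authentication default
 transport input ssh
"""


def parse_blocks(config):
    """Group indented sub-commands under their top-level command."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return {check_name: passed} for each checklist item visible in a config."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]

    def has(pattern):
        return any(re.match(pattern, h) for h in headers)

    communities = [m.group(1) for h in headers
                   if (m := re.match(r"snmp-server community (\S+)", h))]
    vty = [sub for h, sub in blocks if h.startswith("line vty")]
    transports = [s for sub in vty for s in sub if s.startswith("transport input")]
    aaa = next((h for h in headers if h.startswith("aaa authentication login default")), "")
    interfaces = [sub for h, sub in blocks if h.startswith("interface ")]

    def strong(community):
        # Not a vendor default and long enough to resist guessing.
        return community.lower() not in WELL_KNOWN_COMMUNITIES and len(community) >= 20

    return {
        # v3 with privacy and no leftover v2c community, or (no v3) only long non-default strings
        "snmp_v3_or_strong_community": (not communities) if has(r"snmp-server group \S+ v3 priv")
                                       else all(strong(c) for c in communities),
        "central_logging": has(r"logging host \S+"),
        "aaa_radius": "group radius" in aaa,
        # RADIUS list falls back to a local account that actually exists
        "local_fallback_account": aaa.endswith(" local") and has(r"username \S+ .*secret"),
        "ssh_v2_only": has(r"ip ssh version 2") and bool(transports)
                       and all(t.split()[2:] == ["ssh"] for t in transports),
        "web_https_or_disabled": not has(r"ip http server$"),
        "mgmt_acl_on_vty": bool(vty) and all(any(s.startswith("access-class") for s in sub) for sub in vty),
        "port_descriptions": bool(interfaces)
                             and all(any(s.startswith("description") for s in sub) for sub in interfaces),
    }


def failing(config):
    """Names of checklist items the config does not satisfy."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failing checks -> {failing(cfg) or 'none'}")
```

Run against the "weak" config every check fails; against the "hardened" config none do. The checks only see what is in the config text, so items like changing every built-in password or putting a DMZ on separate hardware still need a human, and the regexes would need adjusting for a vendor whose syntax differs from the IOS-style sample.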