Enforcing Switch Security
Switch Management Access Security
It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware.
Local Manager Password
In the default configuration, there is no password protection. Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch's web browser and console (CLI and Menu) interfaces. The Manager password can easily be set using the CLI password manager command, the Menu interface Console Passwords option, or the password options under the Security tab in the web browser interface.
Inbound Telnet Access and Web Browser Access
The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used for remote access. This enables you to employ increased access security while still retaining remote client access.
■ SSHv2 provides
■ SSLv3/TLSv1 provides remote web browser access to the switch via encrypted paths between the switch and management station clients capable of SSL/TLS operation.
(For information on SSH and SSL/TLS, refer to the chapters on these topics in the Advanced Traffic Management Guide for your switch.)
Also, access security on the switch is incomplete without disabling Telnet and the standard web browser access. Among the methods for blocking unauthorized access attempts using Telnet or the web browser are the following two commands:
■ no
■ no
If you choose not to disable Telnet and web browser access, you may want to consider using RADIUS accounting to maintain a record of
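The following script is an added example, not part of this guide, that audits a saved copy of a switch running-config for the management-access weaknesses discussed above: no Manager password, Telnet and plain-text web management left at their enabled defaults, SSH not enabled, and no accounting. The configuration keywords it looks for (password manager, no telnet-server, ip ssh, no web-management, aaa accounting) are assumptions about the format of a ProCurve-style configuration dump and should be adjusted to match the output of your own switch; the two sample configurations are constructed.

```python
"""Audit a switch running-config dump for management-access weaknesses.

Added example. The keywords matched below are assumptions about a
ProCurve-style 'show running-config' text, not taken from the guide.
"""

# Constructed sample: a switch left at factory defaults apart from a hostname.
UNHARDENED_CONFIG = """\
; constructed sample configuration, not from a real device
hostname "edge-sw-01"
snmp-server community "public"
vlan 1
   name "DEFAULT_VLAN"
   exit
"""

# Constructed sample: the same switch after applying the guide's advice.
HARDENED_CONFIG = """\
; constructed sample configuration, not from a real device
hostname "edge-sw-01"
password manager
no telnet-server
ip ssh
no web-management plaintext
web-management ssl
aaa accounting commands stop-only radius
"""


def _config_lines(config_text):
    """Return non-blank, non-comment config lines with indentation removed."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(";"):
            lines.append(line)
    return lines


def _has_command(lines, prefix):
    """True if some line is exactly `prefix` or starts with `prefix` + space."""
    return any(line == prefix or line.startswith(prefix + " ") for line in lines)


def audit_management_access(config_text):
    """Return a list of finding codes for the weaknesses the guide describes.

    Telnet and plain-text web management are enabled by default, so only an
    explicit 'no ...' line counts as having disabled them. An empty list means
    every check passed.
    """
    lines = _config_lines(config_text)
    findings = []

    # Default configuration has no password protection at all.
    if not _has_command(lines, "password manager"):
        findings.append("NO_MANAGER_PASSWORD")

    # Plain-text protocols are on unless explicitly switched off.
    if not _has_command(lines, "no telnet-server"):
        findings.append("TELNET_ENABLED")
    if not _has_command(lines, "no web-management"):
        findings.append("PLAINTEXT_WEB_ENABLED")

    # Encrypted remote access should be available before plain text is removed.
    if not _has_command(lines, "ip ssh"):
        findings.append("SSH_DISABLED")

    # If remote access stays open, accounting keeps a record of who used it.
    if not _has_command(lines, "aaa accounting"):
        findings.append("NO_ACCOUNTING")

    return findings


if __name__ == "__main__":
    for label, cfg in (("unhardened", UNHARDENED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_management_access(cfg)
        print(f"{label}: {result if result else 'no findings'}")
```

Run it against a configuration you have exported from the switch to get a quick list of which of the guide's recommendations have not yet been applied; extend the keyword list if your firmware prints these settings differently.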
Secure Copy and SFTP provide a secure alternative to TFTP and