Rule ID
SV-273672r1110975_rule
Version
V1R1
CCIs
A compromised switch introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each switch is to enable only the capabilities required for operation.
Review the switch configuration to determine if services or functions not required for operation, or not related to switch functionality, are enabled. 1. Check that web authentication is enabled. Router#show webauth The result returned will be blank. 2. Check that web services are enabled. Router#show web HTTP server status: Disabled HTTPS server status: Disabled No web connection. 3. Check if the telnet service is enabled. Router#show telnet Telnet server status: Disabled Telnet connections: 4. Check if the tftp service is enabled. Router#show running-config | include tftp no tftp client enable tftp disable If unnecessary services and functions are enabled on the switch, this is a finding.
Remove unneeded services and functions from the switch. Router# configure terminal Router(config)# no telnet server enable vlan 1 Router(config)# no tftp-server Router(config)#web-management disable Router(config)# vlan xxx (xxx = vlan ID) Router(config-vlan-1)#no webauth Router(config)#write memory