I’ve been working on this XOS Hardening Guide for a while now and just finished it. I tried to make it pretty straightforward: commands are in code blocks, and things that you need to swap out are in [BRACKETED BOLD].

This is written assuming you are on a new switch; modify it if it’s being applied to an existing switch (for example, you might not want to run the command that deletes all of your VLANs). Many of these are also judgement calls – what I have here is my judgement, so adjust for your own environment and risk tolerance.
## Configure Management

### Create Management VLAN

```
configure vlan Default delete ports all
create vlan [MANAGEMENT VLAN NAME]
configure vlan [MANAGEMENT VLAN NAME] tag [802.1Q VLAN TAG]
configure vlan [MANAGEMENT VLAN NAME] ipaddress [MANAGEMENT IP]
enable ipforwarding vlan [MANAGEMENT VLAN NAME]
```
### Configure Management ACL

```
vi MANAGE_ACL.pol
# Limits Management Access to Switch
# Last Updated – 05/30/11 by byeager
entry PERMIT_MANAGE {
    if {
        source-address [MANAGEMENT SUBNET];
    } then {
        permit;
    }
}
entry DENY {
    if {
    } then {
        deny;
    }
}
:wq
```
### Configure Management Protocols

```
disable telnet
disable web http
disable web https
configure ssh2 key
enable ssh2
enable ssh2 access-profile [MANAGEMENT ACL]
configure idletimeout [TIME IN MINUTES]
enable idletimeout
```
### Configure Local Accounts

```
configure failsafe-account
configure failsafe-account deny all
configure failsafe-account permit serial
create account admin [USERNAME] encrypted [PASSWORD]
delete account admin
```
### Configure TACACS Authentication (Be aware…)

```
configure tacacs primary server [AAA SERVER IP] client-ip [ADJACENT SWITCH IP] vr VR-Default
configure tacacs primary shared-secret [AUTH STRING]
enable tacacs
```

Note: You can apply any lockout/password policies to whatever user database you point your RADIUS/TACACS+ server to.
## Configure Monitoring

### Configure SNMP ACL

```
vi SNMP_ACL.pol
# Limits SNMP Access to Switch
# Last Updated – 05/30/11 by byeager
entry PERMIT_SNMP {
    if {
        source-address [MONITORING SERVER];
    } then {
        permit;
    }
}
entry DENY {
    if {
    } then {
        deny;
    }
}
:wq
```
### Configure SNMP v2

```
configure snmp delete community readwrite all
configure snmp delete community readonly all
configure snmp add community readonly [COMMUNITY]
configure snmp sysContact [ADMIN CONTACT]
configure snmp sysLocation [LOCATION]
configure snmp sysName [DEVICE NAME]
configure snmp access-profile [SNMP ACL] readonly
```
### Configure Remote Syslogging

```
configure timezone name [TIMEZONE] [GMT OFFSET] autodst begins every second sunday march at 2 0 ends every first sunday november at 2 0
configure sntp primary [IP ADDRESS] vr [VIRTUAL ROUTER]
configure sntp secondary [IP ADDRESS] vr [VIRTUAL ROUTER]
enable sntp-client
configure syslog add [IP ADDRESS] vr [VIRTUAL ROUTER] [LOGGING LEVEL]
```
## Miscellaneous

### Configure Warning Banner

```
configure banner acknowledge
[BANNER]
```

### Disable EDP

```
disable edp ports all
```

### Disable Ports Not in Use

```
disable ports [PORT NUMBER(S)]
```
Beyond this, just use best practice. Label your ports appropriately, monitor your logs, segment your users onto appropriate VLANs, etc. XOS also supports various port security options, but since how you would want to configure those varies hugely among environments, I didn’t include them in this post.
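To verify that a switch actually ended up with the settings above, here is an added audit script (my own example, not part of the guide or of XOS) that runs the guide's checklist against a saved copy of `show configuration` output. It assumes the saved output echoes commands in the same form the guide uses, and the switch config embedded below is constructed, not captured from a real device.

```python
import re

# Constructed sample of `show configuration` output (not from a real switch)
# for a box that only partially applied the guide: telnet and EDP are still
# on, a read-write community still exists, TACACS is off, and the SSH2 and
# SNMP access-profiles were never bound.
SAMPLE_CONFIG = """\
enable telnet
disable web http
disable web https
enable ssh2
configure idletimeout 10
enable idletimeout
configure snmp add community readonly encrypted "abc123"
configure snmp add community readwrite encrypted "private"
configure syslog add 10.10.50.5:514 vr VR-Default local7
enable sntp-client
enable edp ports all
"""

# (description, regex matched against each config line, must_match)
# must_match=True: the hardening command has to be present;
# must_match=False: a matching line must be absent.
CHECKS = [
    ("telnet disabled",              r"^disable telnet$",                            True),
    ("web http disabled",            r"^disable web http$",                          True),
    ("web https disabled",           r"^disable web https$",                         True),
    ("ssh2 enabled",                 r"^enable ssh2$",                               True),
    ("ssh2 bound to management ACL", r"^enable ssh2 access-profile \S+",             True),
    ("idle timeout enabled",         r"^enable idletimeout$",                        True),
    ("tacacs enabled",               r"^enable tacacs$",                             True),
    ("no read-write SNMP community", r"^configure snmp add community readwrite",     False),
    ("SNMP bound to SNMP ACL",       r"^configure snmp access-profile \S+ readonly", True),
    ("remote syslog target set",     r"^configure syslog add \S+",                   True),
    ("sntp client enabled",          r"^enable sntp-client$",                        True),
    ("EDP disabled on all ports",    r"^disable edp ports all$",                     True),
]


def audit(config_text):
    """Return the descriptions of the failed checks, in CHECKS order."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    failures = []
    for desc, pattern, must_match in CHECKS:
        rx = re.compile(pattern)
        found = any(rx.search(ln) for ln in lines)
        if found != must_match:
            failures.append(desc)
    return failures
```

Items that leave no trace in the running config (the deleted default `admin` account, the failsafe account) still have to be confirmed by hand.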