management vlan audit steps
DESCRIPTION
Management VLAN Audit Steps. Verify that management VLAN has been reassigned. Verify that operational VLANs do not have access to the management VLAN. Verify that the ports in the management VLAN are not configured as trunks. Trunk Ports. - PowerPoint PPT PresentationTRANSCRIPT
• Verify that management VLAN has been reassigned.
• Verify that operational VLANs do not have access to the management VLAN.
• Verify that the ports in the management VLAN are not configured as trunks.
• A trunk is a point-to-point link between two network devices that carries traffic for more than one VLAN.
• A trunk allows you to extend the VLANs across an entire network.
• A trunk does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.
• DTP is implemented by default on Cisco switches .• DTP automatically negotiates how the port will
operate, trunk or access mode. • By default, a Cisco Ethernet port's default DTP
mode is "dynamic desirable”, which enables a port to go to trunk mode automatically.
• Review the switch configuration to verify that DTP is disabled.
VTP is a Cisco-proprietary messaging protocol used to distribute VLAN configuration information over trunks.
A switch may be in one of three VTP modes: server, transparent and client.
In server mode administrators can create, modify and delete VLANs for the entire VTP management domain.
By default, VTP – no authentication and the switch is in VTP Server mode.
• If VTP is necessary, verify the following:• VTP management domain is established. • A strong password is assigned to the VTP
management domain.• Non-management switches are configured in
client mode.
• By auditing device for these basic hardening steps, overall security of the network can be improved.
• However, in all cases, a comprehensive review should be performed.
• Reference the works cited page for links to documented security configuration benchmarks and checklists.
Mark [email protected]
Router Security Guidance Activity of the System and Network Attack Center (SNAC), 2005
http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
Cisco IOS Switch Security Configuration Guide, http://www.nsa.gov/ia/
Center for Internet Security, http://benchmarks.cisecurity.org/downloads/audit-tools/
US-Cert, https://www.us-cert.gov/security-publications
Information Assurance Support Environment, http://iase.disa.mil/stigs/
SANS Institute InfoSec Reading Room - Cisco Router Hardening Step-by-Step www.sans.org
Cisco Checklist - www.sans.org
Configuring a Cisco Router with TACACS+ Authentication. http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/13865-tacplus.html
Cisco Guide to Harden Cisco IOS Devices, Document ID: 13608 http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Various Articles related to Cisco device security, http://www.ciscopress.com/articles/
NIST – National Vulnerability Database http://web.nvd.nist.gov/
ISACA – www.isaca.org