TCP/SYN Attack – use ACL to allow traffic from TCP connections that were established from the internal network and block packets from an external network.

Transcript
Page 1: TCP/SYN Attack – use ACL to allow traffic from TCP connections that were established from the internal network and block packets from an external network.

• TCP/SYN Attack – use an ACL to allow traffic from TCP connections that were established from the internal network and block packets from an external network that have only the SYN flag set. (DoS)

• Verify that the security policy specifies how ACLs will be implemented to support the secure processing environment.

• Consult the reference material for a more thorough narrative on ACL best practices.

Page 2

• Routing protocols – gather information about available networks.

• OSPF, BGP, RIP are IETF standards

• IS-IS is an ISO standard

• EIGRP is Cisco proprietary

• Authenticated router updates ensure that update messages came from legitimate sources; bogus messages are automatically discarded.

• Configure passive interfaces to prevent routing updates from being distributed on interfaces that do not need them.

• Review configuration to verify implementation.

Page 3

• Cisco Discovery Protocol (CDP) – Cisco proprietary protocol that provides the capability to share system information between Cisco products.

• If this information is not required for operational needs, then it should be disabled.

• Review the config to verify that CDP is disabled.

Page 4

• Port Security – switch ports have no port security by default.

• All switch ports or interfaces should be secured before the switch is deployed.

• If a port is not being used, configure it as shutdown.

• MAC addresses are learned dynamically by default and are not saved in the config file.

• Static entries are manually entered for each port and saved in the running configuration.

• Sticky entries are similar to static entries except that they are dynamically learned and are saved in the config.

Page 5

• Each active port can be restricted by a maximum MAC address count with an action selected for any violations.

Page 6

• Verify that policy establishes minimum security requirements for port security.

• Verify that unused ports are disabled.

• Verify that active ports are restricted by a maximum MAC address count.

• Verify that the action selected for any violations is based on established policy requirements.
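One way to run the CDP check from Page 3 and the port-security checklist on this page against a saved running-config, as an added example that is not part of the original slides (the sample config text is constructed, and default values noted in the findings are the IOS defaults):

```python
"""Audit a Cisco IOS running-config against the port-security and CDP checklist.
Added example, not part of the original slides; the config text below is constructed."""
# Constructed sample: Fa0/1 compliant, Fa0/2 active with no port security,
# Fa0/3 port security enabled but left at defaults, Fa0/4 unused and shut down.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport port-security
interface FastEthernet0/4
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [indented lines under it]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_port_security(config):
    """Return (interface, finding) tuples for ports that are up but lack port security, an explicit maximum, or an explicit violation action."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # unused port correctly disabled
        if "switchport port-security" not in lines:
            findings.append((name, "active port without port security"))
            continue
        if not any(l.startswith("switchport port-security maximum ") for l in lines):
            findings.append((name, "no explicit maximum MAC address count (default 1)"))
        if not any(l.startswith("switchport port-security violation ") for l in lines):
            findings.append((name, "no explicit violation action (default shutdown)"))
    return findings

def cdp_disabled(config):
    """True only if CDP is disabled globally with 'no cdp run'; it is on by default."""
    return any(line.strip() == "no cdp run" for line in config.splitlines())
```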

Page 7

• A Virtual Local Area Network (VLAN) is a broadcast domain configured in the switch.

• All members of a VLAN are grouped logically into the same broadcast domain independent of their physical location.

• Routing is required for communication among members of different VLANs.

Page 8

• Cisco switches use VLAN 1 as the default VLAN to assign to their ports, including the management ports.

• Protocols such as CDP and VTP need to be sent on a specific VLAN, VLAN 1.

• VLAN 1 may span the entire network.

• This provides attackers easier access and extended reach for their attacks.