Configuring enhanced security
Prerequisites
If you have switch configuration that you want to retain, create a backup. This procedure erases all configuration, including the current running configuration, the startup configuration, and all historical configuration checkpoints.
Procedure
- Set enhanced security mode:
- Ensure adequate password requirements:
  - Configure an enforced minimum password length using aaa authentication minimum-password-length <LENGTH>. By default there is no minimum password length enforcement. Whenever the minimum password length is set or changed, all passwords that are no longer compliant must be manually changed to be compliant.
  - Configure passwords for all users, including admin.
- Ensure proper login management as follows:
  - Configure local login attempt limiting using aaa authentication limit-login-attempts <ATTEMPTS> lockout-time <LOCKOUT-TIME>. By default there is no local login attempt limiting. When RADIUS or TACACS+ remote login is configured, this local login limit configuration has no effect.
  - Restrict remote SSH connections to only use certified crypto algorithms using ssh certified-algorithms-only.
  - Configure pre- and post-login banners using banner motd and banner exec, respectively.
  - Configure the session inactivity timeout (default is 30 minutes) using session-timeout <MINUTES>.
- Ensure that the switch date and time is accurately set using clock datetime <DATE> <TIME>.
- When logging to a remote syslog server is required, ensure that the connection to the server is cryptographically secure. See Configuring remote logging using SSH reverse tunnel.
To ensure that enhanced security is maintained, also respect these requirements:
- Do not configure remote logging with a remote server directly without setting up an SSH tunnel.
- Do not configure passwords and secret keys using the plaintext option.
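The settings above can be verified after the fact from a saved running-config. The following audit script is an added example, not vendor code: the config excerpt is constructed, the line layout the regexes expect is an assumption to adapt to the real show output, and the RADIUS/TACACS+ login syntax and the 12-character threshold are assumed local policy rather than platform values.

```python
import re

# Constructed sample excerpt of a running-config; not captured from a real switch.
SAMPLE_CONFIG = """\
aaa authentication minimum-password-length 12
aaa authentication limit-login-attempts 5 lockout-time 300
ssh certified-algorithms-only
banner motd ^
Authorized access only.
^
banner exec ^
This session is logged.
^
session-timeout 10
user admin group administrators password ciphertext AQBapXXXXXXXXXX
"""

# Settings the procedure requires, keyed by a regex over single config lines.
# The line layout is assumed; adapt the patterns to your platform's actual output.
REQUIRED = {
    "minimum-password-length": r"^aaa authentication minimum-password-length (\d+)$",
    "limit-login-attempts": r"^aaa authentication limit-login-attempts \d+ lockout-time \d+$",
    "ssh certified-algorithms-only": r"^ssh certified-algorithms-only$",
    "banner motd": r"^banner motd ",
    "banner exec": r"^banner exec ",
    "session-timeout": r"^session-timeout \d+$",
}
# Passwords and secret keys must never be entered with the plaintext option.
PLAINTEXT = re.compile(r"\b(password|key|secret) plaintext\b")
# Assumed syntax for RADIUS/TACACS+ login; local login limiting is ineffective then.
REMOTE_LOGIN = re.compile(r"^aaa authentication login .*\b(radius|tacacs)\b")


def audit(config: str, min_length: int = 12) -> list:  # min_length: assumed local policy
    """Return sorted findings for one running-config; [] means compliant."""
    lines = config.splitlines()
    findings = []
    for name, pattern in REQUIRED.items():
        match = next((m for m in map(re.compile(pattern).match, lines) if m), None)
        if match is None:
            findings.append(f"missing: {name}")
        elif name == "minimum-password-length" and int(match.group(1)) < min_length:
            findings.append(f"weak: minimum-password-length {match.group(1)} < {min_length}")
    for line in lines:
        if PLAINTEXT.search(line):
            findings.append(f"forbidden: plaintext secret: {line}")
        if REMOTE_LOGIN.match(line):
            findings.append("note: remote login configured; limit-login-attempts has no effect")
    return sorted(findings)
```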
NOTE: When in enhanced security mode, the switch (Product OS) start-shell command is disabled for security purposes. If you attempt to use this command while in enhanced security mode, it is rejected and the following error message is displayed:
The start-shell command is not available in enhanced secure mode.
NOTE: When in enhanced security mode, the following Service OS commands are disabled for security purposes: config-clear, password, sh, and update. If you attempt to use any of these Service OS commands while in enhanced security mode, the command is rejected and an error message is displayed: