Local and Remote Access
Local and Remote Access
Follow these guidelines to ensure the security of local and remote access to your systems:
- Create a banner to state that unauthorized access is prohibited.
- Use access control lists where appropriate.
- Set time-outs for extended sessions and set privilege levels.
- Use authentication, authorization, and accounting (AAA) features for local and remote access to a switch.
- If possible, use the RADIUS and TACACS+ security protocols:- RADIUS (Remote Authentication Dial In User Service) is a client/server protocol that secures networks against unauthorized access.- TACACS+ (Terminal Access Controller Access-Control System) is a protocol that permits a remote access server to communicate with an authentication server to determine if a user has access to the network.
- Use the port mirroring capability of the switch for intrusion detection system (IDS) access.
- Implement port security to limit access based upon a MAC address. Disable auto-trunking on all ports.
- Limit remote configuration to specific IP addresses using SSH instead of Telnet. Telnet passes user names and passwords in clear text, potentially allowing everyone on the LAN segment to see login credentials. Set a strong password for SSH.
- Early versions of SNMP are not secure and transmit authentication data in unencrypted text. Only version 3 of SNMP can provide secure transmissions.
- Some products come out of the box with PUBLIC set as the default SNMP community string. Attackers can query a community to draw a very complete network map and possibly modify management information base (MIB) values. If SNMP is necessary, change the default SNMP community string to a strong community string.
- Enable logging and send logs to a dedicated secure log host.
- Configure logging to include accurate time information, using NTP and timestamps.
- Review logs for possible incidents and archive them in accordance with the security policy.
- If your system controller uses a browser interface, be sure to log out after using it.
< Previous Page | Next Page >