Configuring enhanced security

Prerequisites
If you have a switch configuration that you want to retain, create a backup. This procedure erases all configuration, including the current running configuration, the startup configuration, and all historical configuration checkpoints.
Procedure
  1. Set enhanced security mode:
    a. Reboot the switch into the Service OS with the command boot system serviceos.
      If on an 8400 Switch with both Management Modules:
      1. Issue the boot command only on the active Management Module. This command ensures that both Management Modules are booted into the Service OS.
      2. Perform steps b to e on both modules, starting with the active module.
    b. Log in to the Service OS as admin.
    c. Enter the command secure-mode enhanced.
    d. When prompted about the mode change, respond with y for "yes."
    e. Wait for the reboot and zeroization to complete. The switch firmware boots automatically.
  2. Ensure adequate password requirements:
    a. Configure an enforced minimum password length using aaa authentication minimum-password-length <LENGTH>. By default, there is no minimum password length enforcement. Whenever the minimum password length is set or changed, all passwords that are no longer compliant must be changed manually to become compliant.
    b. Configure passwords for all users, including admin.
  3. Ensure proper login management as follows:
    a. Configure local login attempt limiting using aaa authentication limit-login-attempts <ATTEMPTS> lockout-time <LOCKOUT-TIME>. By default, there is no local login attempt limiting. When RADIUS or TACACS+ remote login is configured, this local login limit configuration has no effect.
    b. Restrict remote SSH connections to only the certified crypto algorithms using ssh certified-algorithms-only.
    c. Configure the pre-login and post-login banners using banner motd and banner exec, respectively.
    d. Configure the session inactivity timeout (default is 30 minutes) using session-timeout <MINUTES>.
  4. Ensure that the switch date and time are accurately set using clock datetime <DATE> <TIME>.
  5. When logging to a remote syslog server is required, ensure that the connection to the server is cryptographically secure. See Configuring remote logging using SSH reverse tunnel.

To ensure that enhanced security is maintained, also observe these requirements:
  • Do not configure remote logging with a remote server directly without setting up an SSH tunnel.

  • Do not configure passwords and secret keys using the plaintext option.
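As an added example (not code from the Aruba documentation or the switch itself), a small Python audit that checks a saved running-config excerpt against the procedure's settings and the two maintenance rules above. The config line formats, the sample values and the rule that a tunnelled syslog target appears as a loopback address are all assumptions modelled on the commands named on this page, not the switch's real syntax.

```python
import re

# Constructed sample running-config excerpt (assumed line formats, modelled on the
# commands named in the procedure above; not captured from a real switch).
SAMPLE_CONFIG = """\
aaa authentication minimum-password-length 6
aaa authentication limit-login-attempts 5 lockout-time 300
session-timeout 10
banner motd ^Authorized use only^
user admin group administrators password plaintext hunter2
logging 192.0.2.10
"""

def audit_enhanced_security(config_text, min_password_length=8):
    """Return the list of checklist violations found in a config excerpt."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    def first_match(pattern):
        return next((m for ln in lines if (m := re.match(pattern, ln))), None)

    m = first_match(r"aaa authentication minimum-password-length (\d+)$")
    if m is None:
        findings.append("no minimum password length enforced")
    elif int(m.group(1)) < min_password_length:
        findings.append(f"minimum password length {m.group(1)} below {min_password_length}")
    if first_match(r"aaa authentication limit-login-attempts \d+ lockout-time \d+$") is None:
        findings.append("no local login attempt limiting")
    if first_match(r"ssh certified-algorithms-only$") is None:
        findings.append("SSH not restricted to certified algorithms")
    if first_match(r"session-timeout \d+$") is None:
        findings.append("session inactivity timeout not configured")
    for name in ("motd", "exec"):
        if first_match(rf"banner {name}\b") is None:
            findings.append(f"banner {name} not configured")
    for ln in lines:
        # Secrets stored with the plaintext option breach the maintenance rules.
        if re.search(r"\b(password|key)\s+plaintext\b", ln):
            findings.append(f"plaintext secret in: {ln.split('plaintext')[0].strip()} ...")
        # Assumption: a tunnelled syslog target is a loopback address on the switch;
        # any other destination means the server is being logged to directly.
        m = re.match(r"logging (\S+)", ln)
        if m and not m.group(1).startswith("127."):
            findings.append(f"remote logging to {m.group(1)} without SSH tunnel")
    return findings

if __name__ == "__main__":
    for finding in audit_enhanced_security(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a `show running-config` capture saved to a file after applying the procedure; an empty result means every checked setting is present.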