Configuring enhanced security

Prerequisites
If you have switch configuration that you want to retain, create a backup. This procedure erases all configuration, including the current running configuration, the startup configuration, and all historical configuration checkpoints.
Procedure
  1. Set enhanced security mode:
    1. Reboot the switch into the Service OS with command boot system serviceos.
      If on an 8400 Switch with both Management Modules:
      1. Issue the boot command only on the active Management Module. This command ensures that both Management Modules are booted into the Service OS.

      2. Perform steps b to e on both modules starting with the active module.

    2. Log in to the Service OS as admin.
    3. Enter command secure-mode enhanced.
    4. When prompted about the mode change, respond with y for "yes."
    5. Wait for the reboot and zeroization to complete. The switch firmware boots automatically.
  2. Ensure adequate password requirements:
    1. Before adding users, enable and configure password complexity as described in password complexity. To maintain enhanced security, configure the password complexity subcommand settings no smaller than their defaults.
    2. Configure passwords for all users, including admin. To make your password complexity settings applicable to the default admin user, change the admin password after enabling password complexity. The new admin password must respect your password complexity settings.
  3. Ensure proper login management as follows:
    1. Configure local user session management as described in CLI user session management using cli-session and its subcommands max-per-user, timeout, and tracking-range to achieve the wanted configuration. To maintain enhanced security, configure cli-session subcommand settings no smaller than their defaults.
    2. Restrict remote SSH connections to only use certified crypto algorithms using ssh certified-algorithms-only.
    3. Configure pre- and post-login banners using respectively, banner motd, and banner exec.
  4. Ensure that the switch date and time is accurately set using clock datetime <DATE> <TIME>.
  5. When logging to a remote syslog server is required, ensure that the connection to the server is cryptographically secure. See Configuring remote logging using SSH reverse tunnel.

To ensure that enhanced security is maintained, also respect these requirements:
  • Do not configure remote logging with a remote server directly without setting up an SSH tunnel.

  • Do not configure passwords and secret keys using the plaintext option.

NOTE:
When in enhanced security mode, the switch (Product OS) start-shell command is disabled for security purpose. If you attempt to use this command while in enhanced security mode, it is rejected and the following error message is displayed:
The start-shell command is not available in enhanced secure mode.
NOTE:

When in enhanced security mode, the following Service OS commands are disabled for security purposes: config-clear, password, sh, and update . If you attempt to use any of these Service OS commands while in enhanced security mode, the command is rejected and an error message is displayed: