TickYouOff

Cisco IOS Switch STIG (Y26M01)

Medium 21 items · 2 hours
testuser Published 1 month ago

This checklist helps network and security teams apply the Cisco IOS Switch STIG controls to Catalyst and similar Cisco switches. It’s for administrators who need a practical, ordered list to harden management, update firmware, enforce AAA, and verify compliance.

Source: https://ncp.nist.gov/checklist/958

  1. Download Cisco IOS Switch STIG package and resources — Get the latest STIG, XCCDF, and automated content from DISA.
  2. Inventory target switches and record models and IOS versions — List device model, serial, IOS version, and role for each switch.
  3. Backup current switch configurations and images — Save configs and boot images to secure storage before changes.
  4. Review STIG requirements against device capabilities — Identify controls not applicable or requiring compensating controls.
  5. Schedule maintenance window and notify stakeholders — Plan downtime and approvals for firmware or config changes.
  6. Update IOS to STIG-approved firmware and patches — Apply vendor-supplied images that address known vulnerabilities.
  7. Harden management access — Group of management hardening tasks for secure admin access.
  8. Set enable secret using a strong hashed password — Use a strong passphrase and bcrypt/MD5 or better where supported.
  9. Configure SSH for secure remote management — Disable legacy SSH versions and enforce strong key lengths.
  10. Disable Telnet and other insecure management protocols — Remove or deny inbound Telnet, HTTP, and legacy protocols.
  11. Configure SNMPv3 with authentication and privacy — Use SNMPv3 users, auth, and encryption; remove SNMPv1/2c.
  12. Implement AAA (RADIUS/TACACS+) and enforce least privilege — Use centralized auth, role-based access, and logging of commands.
  13. Configure centralized logging and remote syslog with timestamps — Send logs to secure collectors and set proper timestamps.
  14. Configure NTP and restrict acceptable time sources — Point to trusted NTP servers and use authentication where available.
  15. Implement VLAN and port security: disable unused ports — Shut down unused interfaces and apply port-security where needed.
  16. Configure management-plane and control-plane ACLs — Restrict who can reach management services and control protocols.
  17. Disable unnecessary services and features (CDP, HTTP, etc.) — Turn off protocols/features not required for operation.
  18. Harden STP and enable BPDU Guard and PortFast where appropriate — Protect topology and prevent accidental network loops.
  19. Run STIG compliance scan and remediate findings — Use automated tools and manual checks to validate compliance.
  20. Document changes, update inventories, and record justification — Capture config diffs, approvals, and mitigation rationale.
  21. Schedule regular audits and enable automated checks — Plan recurring scans and monitor for configuration drift.
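To support step 19, here is an added example (not part of this checklist or the NIST NCP source) that runs a handful of the checks from steps 8 to 15 against a saved `show running-config` text. The sample config, the interface names and the enable-secret hash are constructed placeholders, and the regexes assume standard IOS config syntax.

```python
import re

# Constructed sample running-config (not from a real device); exercises pass and fail paths.
SAMPLE_CONFIG = """\
hostname SW-EXAMPLE-1
enable secret 9 $9$placeholder/hash/value
ip ssh version 2
snmp-server community public RO
snmp-server group NETMON v3 priv
ntp authenticate
ntp server 192.0.2.10 key 1
service timestamps log datetime msec
logging host 192.0.2.20
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet1/0/10
 description unused
interface GigabitEthernet1/0/11
 shutdown
"""

def interface_blocks(lines):
    """Group indented sub-commands under each 'interface X' stanza."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # left the interface stanza (e.g. 'line vty')
    return blocks

def check_ios_config(config: str) -> dict:
    """Return {check_name: passed} for a subset of the checklist items."""
    lines = [l.rstrip() for l in config.splitlines()]
    def has(pattern):
        return any(re.search(pattern, l) for l in lines)
    blocks = interface_blocks(lines)
    unused = [n for n, b in blocks.items()
              if any(x.lower().startswith("description") and "unused" in x.lower() for x in b)]
    return {
        "enable_secret_strong": has(r"^enable secret [89] "),          # step 8: type 8/9 hash
        "ssh_version_2": has(r"^ip ssh version 2$"),                   # step 9
        "telnet_disabled": not has(r"^ transport input .*\btelnet\b"), # step 10
        "no_snmp_v1_v2c": not has(r"^snmp-server community "),        # step 11
        "syslog_with_timestamps": has(r"^logging host ") and has(r"^service timestamps log "),  # step 13
        "ntp_authenticated": has(r"^ntp authenticate$") and not has(r"^ntp server \S+$"),       # step 14
        "unused_ports_shutdown": all("shutdown" in blocks[n] for n in unused),                  # step 15
    }

def failed_checks(config: str) -> list:
    """Sorted names of checks that did not pass; an empty list means all sampled checks passed."""
    return sorted(name for name, ok in check_ios_config(config).items() if not ok)
```

Running `failed_checks(SAMPLE_CONFIG)` on the constructed config reports the Telnet-enabled vty line, the leftover SNMPv2c community, and the unused port that is not shut down.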