
Cisco NX-OS Switch STIG Hardening

Hard 22 items · 4 hours
testuser Published 4 weeks ago

This checklist helps network and security teams apply core DISA STIG controls to Cisco NX-OS switches (Nexus 3000/7000/9000). It’s intended for network engineers, system administrators, and auditors preparing devices for compliance.

Source: https://ncp.nist.gov/checklist/1311

  1. Verify device inventory and NX-OS version — Record model, serial, and NX-OS release to match applicable STIGs.
  2. Verify image signatures and checksums — Compare the downloaded image's hash with the value Cisco publishes for that release before installing it; NX-OS can compute the hash on-box (show file bootflash:<image> sha512sum) so the comparison can be done against the copy that will actually boot.
  3. Enable image verification and secure boot — Enable features that prevent unsigned images from booting.
  4. Harden administrative access: configure AAA with TACACS+/RADIUS — Use centralized authentication and RBAC; avoid local-only auth.
  5. Configure TACACS+ servers with secure keys — Define at least two servers in a server group, each with a strong, unique shared secret, and scope them to the management VRF. TACACS+ runs over TCP but only obfuscates the packet body, so the path to the servers must itself be a trusted, ACL-protected management network.
  6. Configure local user fallback and RBAC roles — Keep a locked-down local admin account for emergency access and map roles.
  7. Configure local accounts: remove default accounts and set secure passwords — Delete or disable default accounts; use unique, strong passwords.
  8. Enforce password policies: complexity, length, and aging — Apply minimum length, complexity rules, and periodic password rotation.
  9. Enable SSH v2 and disable Telnet — Ensure only encrypted remote management is allowed.
  10. Configure SSH keys and cipher policies — Generate an RSA host key of at least 2048 bits, keep the weak cipher mode off (do not configure ssh cipher-mode weak) so only strong KEX, cipher and MAC algorithms are offered, and rotate host keys on a defined schedule.
  11. Limit management access: restrict management interfaces and source IPs — Restrict management to specific VLANs, interfaces, and trusted IPs.
  12. Configure SNMPv3 with auth and encryption; disable SNMP v1/v2c — Create SNMPv3 users at the authPriv level with SHA authentication and AES-128 privacy. On NX-OS, v1/v2c access exists only through community strings, so removing every snmp-server community line is what disables it.
  13. Configure SNMP views, groups, and ACLs — Limit OID access and restrict SNMP source IPs.
  14. Configure logging: remote syslog, secure transport, and log retention — Send logs to a protected collector and set retention policies.
  15. Configure NTP with authenticated sources and restrict access — Use authenticated NTP servers and allow NTP from trusted hosts.
  16. Disable or restrict unnecessary services (HTTP, FTP, Telnet, BOOTP) — Turn off every service the device does not need. On NX-OS that means no feature telnet, no feature nxapi unless the HTTP/HTTPS API is actually used (and then HTTPS only, behind an ACL), and removing any other unused feature to shrink the attack surface.
  17. Apply ACLs for control-plane and management-plane protection — Apply a CoPP profile (strict unless there is a documented reason for a looser one) and inbound ACLs on mgmt0 and the vty lines per STIG guidance.
  18. Implement AAA accounting and logging for admin actions — Enable command accounting and log changes for audit trails.
  19. Regularly apply patches and firmware updates per DISA guidance — Follow DISA STIG release notes and vendor advisories for updates.
  20. Backup configurations and document baseline; store securely — Export configs and images, and save approved baselines off-box.
  21. Test and validate configuration against STIG and produce report — Run the DISA SCAP/XCCDF benchmark where one is published for the NX-OS STIG, otherwise review each rule manually in STIG Viewer; remediate or document open findings and retain the completed checklist and evidence.
  22. Subscribe to DISA Cyber Exchange for STIG updates and change notifications — Monitor cyber.mil for STIGs, errata, and maintenance schedules.
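As an added example (not from the original checklist, DISA, or Cisco), the script below applies items 4 to 18 to a constructed NX-OS running-config: a deliberately weak fragment and a hardened one side by side, so the two configurations can be compared and the same checks re-run against a real show running-config export. The NX-OS syntax is as a practitioner would type it; the 192.0.2.0/24 addresses are documentation space, and the REDACTED placeholders and the server group name STIG-TACACS are invented for illustration.

```python
import re

# Constructed sample configs (no real device); REDACTED stands in for the encrypted secrets NX-OS prints.
WEAK_CONFIG = """\
feature telnet
feature nxapi
ssh cipher-mode weak
no password strength-check
snmp-server community public group network-operator
snmp-server user netmon network-operator auth md5 REDACTED
ntp server 192.0.2.20 use-vrf management
interface mgmt0
  ip address 192.0.2.2/24
line vty
  exec-timeout 0
"""
HARDENED_CONFIG = """\
tacacs-server host 192.0.2.11 key 7 "REDACTED"
tacacs-server host 192.0.2.12 key 7 "REDACTED"
aaa group server tacacs+ STIG-TACACS
  server 192.0.2.11
  server 192.0.2.12
aaa authentication login default group STIG-TACACS local
aaa accounting default group STIG-TACACS
snmp-server user netmon network-operator auth sha REDACTED priv aes-128 REDACTED
ntp authenticate
ntp authentication-key 1 md5 REDACTED 7
ntp trusted-key 1
ntp server 192.0.2.20 key 1 use-vrf management
logging server 192.0.2.40 6 use-vrf management
copp profile strict
ip access-list MGMT-IN
  10 permit tcp 192.0.2.0/24 any eq 22
interface mgmt0
  ip address 192.0.2.2/24
  ip access-group MGMT-IN in
line vty
  exec-timeout 10
"""

def parse_nxos(text: str) -> list[tuple[str, list[str]]]:
    """Group running-config lines into (top-level command, indented sub-mode lines) pairs."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' banners carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())  # NX-OS indents sub-mode commands by two spaces
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config_text: str) -> list[tuple[str, str]]:
    """Return (finding-id, message) pairs keyed to checklist items; [] means every check passed."""
    blocks = parse_nxos(config_text)
    top = [cmd for cmd, _ in blocks]
    kids = dict(blocks)  # top-level command -> its sub-mode lines
    has = lambda pattern: any(re.match(pattern, line) for line in top)
    lines = lambda pattern: [line for line in top if re.match(pattern, line)]
    findings: list[tuple[str, str]] = []
    flag = findings.append
    # Items 4, 5, 6, 18: a redundant, keyed TACACS+ group for authentication and accounting; local is fallback only.
    if not has(r"aaa authentication login default group \S+"):
        flag(("aaa-local-only", "item 4: logins not authenticated against a TACACS+/RADIUS group"))
    if not has(r"aaa accounting default group \S+"):
        flag(("no-aaa-accounting", "item 18: no AAA accounting server group"))
    hosts = lines(r"tacacs-server host ")
    if len(hosts) < 2 or any(" key " not in h for h in hosts):
        flag(("tacacs-servers", "item 5: need two or more tacacs-server hosts, each with a key"))
    if has(r"no password strength-check"):  # item 8: complexity is enforced only while this is on
        flag(("password-strength-disabled", "item 8: password strength-check is disabled"))
    # Items 9, 10, 16: no Telnet, no weak SSH cipher mode, no NX-API (HTTP/HTTPS) unless required.
    for feat, fid, item in (("telnet", "telnet-enabled", 9), ("nxapi", "nxapi-enabled", 16)):
        if has(rf"feature {feat}$"):
            flag((fid, f"item {item}: feature {feat} is enabled"))
    if has(r"ssh cipher-mode weak"):
        flag(("ssh-weak-ciphers", "item 10: ssh cipher-mode weak is enabled"))
    if not any(re.match(r"ip access-group \S+ in", c) for c in kids.get("interface mgmt0", [])):
        flag(("mgmt-no-acl", "item 11: mgmt0 has no inbound ip access-group"))
    # Items 12, 13: no community strings; every SNMPv3 user uses SHA auth and AES-128 priv.
    if has(r"snmp-server community "):
        flag(("snmp-community", "item 12: SNMP v1/v2c community string present"))
    if any(" auth sha" not in u or " priv aes-128" not in u for u in lines(r"snmp-server user ")):
        flag(("snmpv3-weak", "item 12: SNMPv3 user without SHA auth and AES-128 priv"))
    # Items 14, 15, 17: remote syslog, authenticated NTP on every server, a CoPP profile applied.
    if not has(r"logging server "):
        flag(("no-remote-syslog", "item 14: no logging server configured"))
    if not has(r"ntp authenticate$") or any(" key " not in s for s in lines(r"ntp server ")):
        flag(("ntp-unauthenticated", "item 15: NTP is not authenticated on every server"))
    if not has(r"copp profile "):
        flag(("copp-missing", "item 17: no copp profile applied"))
    # Idle timeout on vty lines: 0 disables it and the NDM STIG ceiling is 10 minutes.
    timeout = next((c for c in kids.get("line vty", []) if c.startswith("exec-timeout ")), None)
    minutes = int(timeout.split()[1]) if timeout else None
    if minutes is None or minutes == 0 or minutes > 10:
        flag(("vty-timeout", "vty exec-timeout missing, 0, or longer than 10 minutes"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The parser only groups commands by indentation, which is all these checks need; it does not model NX-OS defaults, so a setting that is on by default and therefore absent from the running-config (feature ssh, password strength-check) is not reported as missing. The NX-API finding is advisory: keep it only where the API is genuinely unused, and treat the idle-timeout finding as a rule from the NDM STIG that the checklist itself does not list.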