TickYouOff
Sign in
Back
🔒

IOS XE Switch STIG Checklist

Medium 20 items · 4 hours
testuser's avatar
testuser Published 1 month ago
Security

This checklist guides network and security teams through applying the Cisco IOS XE Switch STIG to Catalyst and IOS XE switches. It covers inventory, configuration backups, patching, management hardening, port security, logging, and ongoing compliance checks. Use it to help bring switches into STIG-compliant configurations for DoD or enterprise environments.

Source: https://ncp.nist.gov/checklist/1309

Progress
0 / 20
  1. Inventory all Cisco IOS XE switches in scope — List models, serials, locations, and management IPs.
  2. Download the latest Cisco IOS XE Switch STIG — Retrieve the Y26M01 STIG and XCCDF package from cyber.mil.
  3. Backup current device configurations and startup-configs — Save running and startup configs to secure storage before changes.
  4. Verify current IOS version and installed image on each switch — Record software versions to compare against STIG requirements.
  5. Schedule a maintenance window for upgrades and configuration changes — Notify users and coordinate outage times with stakeholders.
  6. Apply IOS updates and security patches — Follow vendor upgrade procedures and validate images in lab when possible.
  7. Configure secure management access — Harden device admin access and restrict how admins connect.
  8. Enable SSH v2 and strong cryptographic algorithms — Disable legacy SSH versions and prefer strong ciphers and KEX.
  9. Disable Telnet and HTTP server — Use SSH and HTTPS only for management; remove cleartext protocols.
  10. Configure AAA with TACACS+ or RADIUS and role-based access — Centralize authentication and enforce least privilege for admins.
  11. Configure NTP and ensure accurate time synchronization — Point to trusted NTP servers and secure NTP traffic where possible.
  12. Configure secure logging and forward logs to a remote collector — Enable appropriate logging levels and send logs to a protected syslog.
  13. Disable unnecessary services and legacy protocols — Turn off CDP, HTTP, SNMP v1/v2, and other unused features.
  14. Implement port security and VLAN segmentation — Protect edge ports and separate management traffic into dedicated VLANs.
  15. Set port-security limits and violation actions — Define maximum MAC addresses and configure violation behavior.
  16. Disable unused ports and place them in a shutdown state — Administratively shut down or errdisable interfaces that are not in use.
  17. Implement ACLs to restrict management access to trusted hosts — Limit SSH/HTTPS and management VLAN access to admin networks only.
  18. Document configuration changes and update baselines — Record changes, update network diagrams, and save baseline configs.
  19. Plan regular compliance audits and automated STIG scans — Schedule scans and remediation cycles to maintain STIG compliance.
  20. Notify stakeholders and update change records after completion — Inform owners, close tickets, and report the maintenance outcome.
Sign in to save
📝 My Notes