Axis Network Switches Hardening Guide

Introduction

Axis Communications strives to apply cybersecurity best practices in the design, development, and testing of our devices to minimize the risk of flaws that could be exploited in an attack. However, securing a network, its devices, and the services it supports requires active participation by the entire vendor supply chain, as well as the end-user organization. A secure environment depends on its users, processes, and technology. The purpose of this guide is to support you in securing your network, devices, and services.

From an IT/network perspective, the Axis switch is a network device like any other. Unlike a laptop computer, however, a network switch does not have users visiting potentially harmful websites, opening malicious email attachments, or installing untrusted applications. Nevertheless, a network switch is a device with an interface that may expose risks to the system it is connected to. This guide focuses on reducing the exposure to these risks.

The guide provides technical advice for anyone involved in deploying Axis solutions. It establishes a baseline configuration as well as a hardening guide that deals with the evolving threat landscape. You may need the product's user manual to learn how to configure specific settings.
Webinterfaceconguration
TheguidereferstomodifyingdevicesettingswithinthewebinterfaceoftheAxisdeviceaccordingtothefollowinginstructions:
Webinterfacecongurationpath
Advanced>Security
Changelog
DateandtimeVersionChanges
September20221.0Initialversion
Scope
Thehardeninginstructionsoutlinedinthisguidearewrittenfor,andcanbeappliedto,Axismanagedswitchesthataremanageable
viawebinterfaceorSSHconsole,suchastheAXIST85PoE+NetworkSwitchSeries.Dependingonthedevice,somefunctions
mightnotbeapplicableoravailable.
Securitynotications
ItisrecommendedtosubscribetoAxisSecurityNoticationServicetoreceiveinformationaboutnewlydiscoveredvulnerabilitiesin
Axisproducts,solutionsandservicesandothersecurity-relatedtechnicalinformationthatcontributetooperatingAxisdevices
inasecuremanner.
CISprotectionlevels
Asameansofstructuringourrecommendationsinthecontextofacybersecurityframework,Axishaschosentofollowthemethods
outlinedinCenterforInternetSafety(CIS)Controls-Version8.TheCIScontrols,previouslyknownasSANSTop20CriticalSecurity
Controls,provide18categoriesofCriticalSecurityControls(CSC)focusedonaddressingthemostcommoncybersecurityrisk
categoriesinanorganization.
ThisguidereferstotheCriticalSecurityControlsbyaddingtheCSCnumber(CSC#)foreachhardeningitem.Formoreinformation
ontheCSCcategories,seehttps://www.cisecurity.org/controls/cis-controls-list.
Default protection

Axis devices are delivered with predefined default protection settings. There are several security controls that you do not need to configure. These controls allow for basic device protection and serve as the fundament for more extended hardening.

Credentialed access

An Axis network switch will be able to operate out-of-the-box using its default settings. Access to administrative functions can however only be reached using the automatically generated random password located on the product label on the bottom of the Axis switch. During first setup, the user will need to change the password during first access. For more information, see Set device root password below.
Network protocols

CSC#4: Secure Configuration of Enterprise Assets and Software

Only a minimum number of network protocols and services are enabled by default in Axis network switches. In the table below you can see which these are.

Protocol      Port   Transport   Comments
HTTP          80     TCP         General HTTP traffic such as web interface access or VAPIX.
HTTPS         443    TCP         General HTTP traffic such as web interface access or VAPIX.
NTP           123    UDP         Used by the Axis device for time synchronization with an NTP server.
SSDP/UPnP     1900   UDP         Used by 3rd party applications to discover the Axis device via the UPnP discovery protocol.
Bonjour       5353   UDP         Used by 3rd party applications to discover the Axis device via the mDNS discovery protocol (Bonjour).

It is recommended to disable unused network protocols and services whenever possible.
HTTPS enabled

CSC#3: Data Protection

HTTPS is enabled by default with a self-signed certificate. This enables setting the device password in a secure way.

Web interface configuration path
Advanced > Security > Configuration > Switch > Auth Method
Advanced > Security > Configuration > Switch > HTTPS

Decommissioning

CSC#3: Data Protection
When decommissioning an Axis device, a factory default should be executed. After the factory default, all settings applied by the customer are erased.

Axis devices use both volatile and non-volatile memory, and while the volatile memory is erased when removing the power, information stored in the non-volatile memory remains and is made available again at start-up. To securely delete persistent, sensitive data on the device, a factory default needs to be performed.
Basic hardening

The basic hardening is the minimum level of protection recommended for Axis devices. The hardening items listed below are "configurable on the edge", meaning they can be configured directly in the Axis device without further dependencies on any 3rd party network infrastructure, video or evidence management systems (VMS, EMS), or other 3rd party equipment or applications.

Factory default settings

CSC#4: Secure Configuration of Enterprise Assets and Software

Before starting, make sure that the device is in a known factory default state. The factory default is important when decommissioning devices as well as when clearing user data.

Web interface configuration path
Advanced > Maintenance > Factory Defaults

Upgrade to latest firmware

CSC#2: Inventory and Control of Software Assets

Patching software and firmware is an important aspect of cybersecurity. An attacker will often try to exploit commonly known vulnerabilities, and if they gain network access to an unpatched service, they may succeed. Make sure you always use the latest firmware since it may include security patches for known vulnerabilities. The release notes for a specific firmware may explicitly mention a critical security fix, but not all general fixes.

Firmware can be downloaded at https://www.axis.com/support/firmware.

Web interface configuration path
Advanced > Maintenance > Firmware > Firmware Upgrade

Set device root password

CSC#4: Secure Configuration of Enterprise Assets and Software
CSC#5: Account Management

The device root account is the main device administration account. During first setup, the user will need to change the password during first access. Make sure to use a strong password and limit the usage of the root account to administration tasks only. It is not recommended to use the root account in daily production.

When operating Axis devices, using the same password simplifies management but lowers the security in case of a breach or data leak. Using unique passwords for each single Axis device provides high security but comes with increased complexity in device management. Password rotation is recommended.

It is recommended to implement sufficient password complexity and length, such as the NIST password recommendations. Axis switches support passwords up to 31 characters. Passwords shorter than 8 characters are considered weak.

Web interface configuration path
Advanced > Security > Configuration > Switch > Users

Create a client account

CSC#4: Secure Configuration of Enterprise Assets and Software
CSC#5: Account Management
The default root account has full privileges and should be reserved for administrative tasks. It is recommended to create a client user account with limited privileges for daily operation (if required). This reduces the risk of compromising the device administrator password.

Web interface configuration path
Advanced > Security > Configuration > Switch > Users

Configure network settings

CSC#12: Network Infrastructure Management

The device IP configuration depends on the network configuration, such as IPv4/IPv6, static or dynamic (DHCP) network address, subnet mask and default router. It is recommended to review your network topology when adding new types of components.

It is recommended to use static IP address configuration on Axis devices to ensure network reachability and to remove the dependency on, e.g., a DHCP server in the network that might be a target for attacks.

Web interface configuration path
Advanced > System > Configuration > IP > IP Interfaces

Correct date and time configuration

CSC#8: Audit Log Management

From a security perspective, it is important that the date and time are correct so that, for example, the system logs are time-stamped with the right information, and digital certificates can be validated and used during runtime. Without proper time-sync, services that rely on digital certificates, such as HTTPS, IEEE 802.1x, and others, may not work correctly.

It is recommended that the Axis device clock is synchronized with a Network Time Protocol (NTP) server, preferably two. For individuals and small organizations that do not have a local NTP server, a public NTP server may be used. Check with your internet service provider or use a public NTP server such as pool.ntp.org.

Web interface configuration path
Basic > Date & Time

Configure VLANs

CSC#1: Inventory and Control of Enterprise Assets
CSC#4: Secure Configuration of Enterprise Assets and Software
CSC#13: Network Monitoring and Defense

By means of VLANs, it is possible to segment the physical network virtually into several different networks. By breaking up the network into multiple, distinct, and mutually isolated broadcast domains, the network traffic received by hosts in the network can be lowered, the network attack surface can be minimized, and network hosts and resources are bundled organizationally within one VLAN, without the need to be made available to the entire physical network. This increases overall network security.

Web interface configuration path
Advanced > VLANs

Configure IP source guard

CSC#4: Secure Configuration of Enterprise Assets and Software
CSC#13: Network Monitoring and Defense
IP source guard is a feature used to restrict IP traffic on DHCP snooping untrusted ports by filtering traffic based on the DHCP snooping table or manually configured IP source bindings. It helps prevent IP spoofing attacks where a host tries to spoof and use the IP address of another host.

Example of an IP source guard configuration allowing only one dynamic client on switch port 1. On switch port 2 only statically configured clients are allowed.

Example of an IP source guard static table.

Web interface configuration path
Advanced > Security > Configuration > Network > IP Source Guard > Configuration
CongureACLs
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
ACLisanacronymforAccessControlList.Itisalistcontainingaccesscontrolentries(ACE)whichspecifyindividualusersorgroups
permittedordeniedtospecictrafcobjects,suchasaprocessoraprogram.
ACLimplementationscanbequitecomplex.Innetworking,theACLreferstoalistofserviceportsornetworkservicesthatare
availableonahostorserver,eachwithalistofhostsorserverspermittedordeniedusingtheservice.ACLcangenerallybe
conguredtocontrolinboundtrafc,andinthiscontext,theyarelikerewalls.
Example of an ACE configuration blocking ICMP traffic on switch port 1.

Example of an ACE configuration blocking all IPv4 traffic on switch port 1 to/from the 10.0.1.0/24 subnet.

Web interface configuration path
Advanced > Security > Configuration > Network > ACL > Access Control List
Disable unused services/functions

CSC#4: Secure Configuration of Enterprise Assets and Software

Even though unused services/functions are not an immediate security threat, it is good practice to disable unused services/functions to reduce unnecessary risks. Below are some services/functions that could be disabled if not used.

SSH

Access to the network switch via SSH allows for more granular and detailed configuration than the web interface. It is also used for troubleshooting and debugging purposes. While SSH is a secure communication protocol, it is recommended to make sure that SSH access is disabled when no longer used.
Web interface configuration path
Advanced > Security > Configuration > Switch > Auth Method

Discovery protocols

Discovery protocols, such as Bonjour or UPnP, are support services that make it easier to find the Axis device and its services on the network. After deployment, once the Axis device IP address is known, it is recommended to disable the discovery protocol to stop the Axis device from announcing its presence on the network.

Web interface configuration path
Advanced > System > Configuration > Information > Bonjour Discovery
Advanced > UPnP

Unused physical network ports

Not all physical network ports might be occupied at all times. It is recommended to disable unused network ports administratively on the switch side. Leaving unused network ports unattended and active imposes a severe security risk.

Web interface configuration path
Advanced > Ports > Configuration

Switch reboot schedule

CSC#2: Inventory and Control of Software Assets

During normal operation, a recurrent scheduled restart of the switch should not be required, since this would also involve disconnection or restart of the connected devices (if powered by the switch). It is recommended to keep this option disabled until needed for troubleshooting and debugging purposes only.

Web interface configuration path
Advanced > Maintenance > Reboot Schedule

HTTPS

CSC#3: Data Protection

It is recommended to configure the Axis device for HTTPS only (no HTTP access possible). While a self-signed certificate is not trusted by design, it is adequate for secure access to the Axis device during initial configuration and when no public key infrastructure (PKI) is available at hand. If available, the self-signed certificate should be removed and replaced with properly signed certificates from the PKI authority of choice.

Web interface configuration path
Advanced > Security > Configuration > Switch > Auth Method
Advanced > Security > Configuration > Switch > HTTPS

Configure ARP inspection

CSC#4: Secure Configuration of Enterprise Assets and Software
CSC#13: Network Monitoring and Defense
Several different types of well-known attacks known as "ARP Cache Poisoning" can be launched against hosts or devices connected to layer 2 networks by "poisoning" the ARP caches of the network switch. The result of a successful attack would be a temporary loss of network hosts and traffic. ARP inspection is used to block such attacks. Only valid ARP requests and responses can go through the switch device.

Example of an ARP inspection configuration on switch ports 1 and 2.

Web interface configuration path
Advanced > Security > Configuration > Network > ARP Inspection
Congureportsecuritylimitcontrol
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
Portsecuritylimitcontrolallowsforlimitingthenumberofusersonagivenport.AuserisidentiedbyaMACaddressandVLAN
ID.Iflimitcontrolisenabledonaport,thelimitspeciesthemaximumnumberofusersontheport.Ifthenumberisexceeded,
aselectedactionistaken.
Whileportsecuritylimitcontrolcanbeenabledthroughthewebinterface,thelimitcanonlybesetviathecommandlineinterface.
Exampleofaportsecuritylimitcontrolcongurationonswitchport1and2.
Web interface configuration path
Advanced > Security > Configuration > Network > Limit Control

Command line configuration path
Configuration Mode > interface GigabitEthernet x/x > port-security maximum x
Extended hardening

The hardening instructions outlined in this section are an extension that builds on the default and basic hardening described in previous sections. While the default and basic hardening can be configured and enabled directly in the Axis device, the extended hardening of Axis devices requires active participation by the entire vendor supply chain, as well as the end-user organization and the underlying IT and/or network infrastructure.

Limit internet exposure

CSC#12: Network Infrastructure Management

It is not recommended to expose the Axis device as a public web server or to public network access of any kind, allowing unknown clients to gain network access to the device.

Network vulnerability scanning

CSC#1: Inventory and Control of Enterprise Assets
CSC#12: Network Infrastructure Management

It is recommended to perform regular vulnerability assessments of the infrastructure the Axis device is part of, as well as of the Axis device itself. These vulnerability assessments are usually performed by network security scanners.

The purpose of a vulnerability assessment is to provide a systematic review of potential security vulnerabilities and misconfigurations. Please make sure that the Axis device being tested is updated to the latest available firmware before starting the scan.

It is recommended to review the scanning report and filter out known false positives for Axis devices stated here.

The report and the remaining remarks that are left should be submitted in a helpdesk ticket to Axis support.

Trusted public key infrastructure (PKI)

CSC#3: Data Protection
CSC#12: Network Infrastructure Management

It is recommended to deploy web server and client certificates in Axis devices that are trusted and signed by a public or private Certificate Authority (CA) of choice. A CA-signed certificate whose trust chain can be validated helps to remove browser certificate warnings when connecting over HTTPS and ensures the authenticity of the Axis device when deploying a Network Access Control (NAC) solution. This mitigates the risk of an attacking computer impersonating an Axis device. Note that AXIS Device Manager has a built-in CA service that can be used to issue signed certificates to Axis devices.

IEEE 802.1x network access control

CSC#6: Access Control Management
CSC#13: Network Monitoring and Defense

Axis devices have support for IEEE 802.1x port-based network access control utilizing the EAP-TLS method. For optimal protection, authentication of Axis devices must utilize client certificates signed by a trusted Certificate Authority (CA) of choice. See the following guideline on how to configure an Axis network switch for IEEE 802.1x.

Web interface configuration path
Advanced > Security > Configuration > AAA > RADIUS
Advanced > Security > Configuration > Network > NAS
SMTP monitoring

CSC#8: Audit Log Management

Axis network switches can be configured to send out alarm events through SMTP messages.

Web interface configuration path
Advanced > SMTP

SNMP monitoring

CSC#8: Audit Log Management

Axis devices support the following SNMP protocols:

SNMPv1: supported for legacy reasons only, should not be used.
SNMPv2c: may be used on a protected network segment.
SNMPv3: recommended for monitoring purposes.

Web interface configuration path
Advanced > Security > Configuration > Switch > SNMP

Remote syslog

CSC#8: Audit Log Management

Axis devices can be configured to send all log messages encrypted to a central syslog server. This simplifies audits and prevents log messages from being deleted in the Axis device, either intentionally/maliciously or unintentionally. It also allows for extended retention time of device logs depending on company policies.

Web interface configuration path
Advanced > System > Configuration > Log
Ver. M2.2
Axis Network Switches Hardening Guide, Date: October 2022
© Axis Communications AB, 2022. Part No.