Axis Network Switches Hardening User manual
- Category
- Network switches
- Type
- User manual
Axis Network Switches Hardening offers robust security features to protect your network. Easily manage and configure your switch with its intuitive web interface. Secure your data with HTTPS encryption and protect against unauthorized access with strong passwords and user accounts. Keep your network up-to-date with the latest firmware to ensure optimal performance and security.
Axis Network Switches Hardening offers robust security features to protect your network. Easily manage and configure your switch with its intuitive web interface. Secure your data with HTTPS encryption and protect against unauthorized access with strong passwords and user accounts. Keep your network up-to-date with the latest firmware to ensure optimal performance and security.
AxisNetworkSwitchesHardeningGuide
AxisNetworkSwitchesHardeningGuide
Introduction
Introduction
AxisCommunicationsstrivestoapplycybersecuritybestpracticesinthedesign,development,andtestingofourdevicestominimize
theriskofawsthatcouldbeexploitedinanattack.However,securinganetwork,itsdevices,andtheservicesitsupportsrequires
activeparticipationbytheentirevendorsupplychain,aswellastheend-userorganization.Asecureenvironmentdependsonits
users,processes,andtechnology.Thepurposeofthisguideistosupportyouinsecuringyournetwork,devices,andservices.
FromanIT/networkperspective,theAxisswitchisanetworkdevicelikeanyother.Unlikealaptopcomputer,however,anetwork
switchdoesnothaveusersvisitingpotentiallyharmfulwebsites,openingmaliciousemailattachments,orinstallinguntrusted
applications.Nevertheless,anetworkswitchisadevicewithaninterfacethatmayexposeriskstothesystemitisconnectedto.
Thisguidefocusesonreducingtheexposuretotheserisks.
TheguideprovidestechnicaladviceforanyoneinvolvedindeployingAxissolutions.Itestablishesabaselinecongurationaswell
asahardeningguidethatdealswiththeevolvingthreatlandscape.Youmayneedtheproduct’susermanualtolearnhowto
congurespecicsettings.
Webinterfaceconguration
TheguidereferstomodifyingdevicesettingswithinthewebinterfaceoftheAxisdeviceaccordingtothefollowinginstructions:
Webinterfacecongurationpath
Advanced>Security
Changelog
DateandtimeVersionChanges
September20221.0Initialversion
Scope
Thehardeninginstructionsoutlinedinthisguidearewrittenfor,andcanbeappliedto,Axismanagedswitchesthataremanageable
viawebinterfaceorSSHconsole,suchastheAXIST85PoE+NetworkSwitchSeries.Dependingonthedevice,somefunctions
mightnotbeapplicableoravailable.
Securitynotications
ItisrecommendedtosubscribetoAxisSecurityNoticationServicetoreceiveinformationaboutnewlydiscoveredvulnerabilitiesin
Axisproducts,solutionsandservicesandothersecurity-relatedtechnicalinformationthatcontributetooperatingAxisdevices
inasecuremanner.
CISprotectionlevels
Asameansofstructuringourrecommendationsinthecontextofacybersecurityframework,Axishaschosentofollowthemethods
outlinedinCenterforInternetSafety(CIS)Controls-Version8.TheCIScontrols,previouslyknownasSANSTop20CriticalSecurity
Controls,provide18categoriesofCriticalSecurityControls(CSC)focusedonaddressingthemostcommoncybersecurityrisk
categoriesinanorganization.
ThisguidereferstotheCriticalSecurityControlsbyaddingtheCSCnumber(CSC#)foreachhardeningitem.Formoreinformation
ontheCSCcategories,seehttps://www.cisecurity.org/controls/cis-controls-list.
2
AxisNetworkSwitchesHardeningGuide
Defaultprotection
Defaultprotection
Axisdevicesaredeliveredwithpredeneddefaultprotectionsettings.Thereareseveralsecuritycontrolsthatyoudonotneedto
congure.Thesecontrolsallowforbasicdeviceprotectionandserveasthefundamentformoreextendedhardening.
Credentialedaccess
AnAxisnetworkswitchwillbeabletooperateout-of-theboxusingitsdefaultsettings.Accesstoadministrativefunctionscan
howeveronlybereachedusingtheautomaticrandomlygeneratedpasswordlocatedontheproductlabelonthebottomofthe
Axisswitch.Duringrstsetup,theuserwillneedtochangethepasswordduringrstaccess.Formoreinformation,seeSetdevice
rootpasswordonpage5.
Networkprotocols
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
OnlyaminimumnumberofnetworkprotocolsandservicesareenabledbydefaultinAxisnetworkswitches.Inthetablebelow
youcanseewhichtheseare.
ProtocolPortTransportComments
HTTP80TCPGeneralHTTPtrafcsuchas
webinterfaceaccessorVAPIX.
HTTPS443TCPGeneralHTTPtrafcsuchas
webinterfaceaccessorVAPIX.
NTP123UDPUsedbytheAxisdevicefor
timesynchronizationwitha
NTPserver.
SSDP/UPnP1900UDPUsedby3rdpartyapplications
todiscovertheAxisdevicevia
UPnPdiscoveryprotocol.
Bonjour5353UDPUsedby3rdpartyapplications
todiscovertheAxisdevice
viamDNSdiscoveryprotocol
(Bonjour).
Itisrecommendedtodisableunusednetworkprotocolsandserviceswheneverpossible.
HTTPSenabled
CSC#3:DataProtection
HTTPSisenabledbydefaultwithaself-signedcerticate.Thisenablessettingthedevicepasswordinasecureway.
Webinterfacecongurationpath
Advanced>Security>Conguration>Switch>AuthMethod
Advanced>Security>Conguration>Switch>HTTPS
Decommissioning
CSC#3:DataProtection
3
AxisNetworkSwitchesHardeningGuide
Defaultprotection
WhendecommissioninganAxisdevice,afactorydefaultshouldbeexecuted.Afterthefactorydefault,allsettingsappliedbythe
customerareerased.
Axisdevicesusebothvolatileandnon-volatilememory,andwhilethevolatilememoryiserasedwhenremovingthepower,
informationstoredinthenon-volatilememoryremainsandismadeavailableagainatstart-up.Tosecurelydeletepersistent,
sensitivedataonthedevice,afactorydefaultneedstobeperformed.
4
AxisNetworkSwitchesHardeningGuide
Basichardening
Basichardening
ThebasichardeningistheminimumlevelofprotectionrecommendedforAxisdevices.Thebelowlistedhardeningitemsare
"congurableontheedge",meaningtheycanbedirectlyconguredintheAxisdevicewithouthavingfurtherdependenciestoany
3rdpartynetworkinfrastructure,videoorevidencemanagementsystems(VMS,EMS),orother3rdpartyequipmentorapplication.
Factorydefaultsettings
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
Beforestarting,makesurethatthedeviceisinaknownfactorydefaultstate.Thefactorydefaultisimportantwhendecommissioning
devicesaswellasclearinguser-data.
Webinterfacecongurationpath
Advanced>Maintenance>FactoryDefaults
Upgradetolatestrmware
CSC#2:InventoryandControlofSoftwareAssets
Patchingsoftwareandrmwareisanimportantaspectofcybersecurity.Anattackerwilloftentrytoexploitcommonlyknown
vulnerabilities,andiftheygainnetworkaccesstoanunpatchedservice,theymaysucceed.Makesureyoualwaysusethelatest
rmwaresinceitmayincludesecuritypatchesforknownvulnerabilities.Thereleasenotesforaspecicrmwaremayexplicitly
mentionacriticalsecurityx,butnotallgeneralxes.
Firmwarecanbedownloadedathttps://www.axis.com/support/rmware.
Webinterfacecongurationpath
Advanced>Maintenance>Firmware>FirmwareUpgrade
Setdevicerootpassword
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#5:AccountManagement
Thedevicerootaccountisthemaindeviceadministrationaccount.Duringrstsetup,theuserwillneedtochangethepassword
duringrstaccess.Makesuretouseastrongpasswordandlimittheusageoftherootaccounttoadministrationtasksonly.Itisnot
recommendedtousetherootaccountindailyproduction.
WhenoperatingAxisdevices,usingthesamepasswordsimpliesmanagementbutlowersthesecurityincaseofbreachordata
leak.UsinguniquepasswordsforeachsingleAxisdeviceprovideshighsecuritybutcomeswithanincreasedcomplexitytodevice
management.Passwordrotationisrecommended.
Itisrecommendedtoimplementsufcientpasswordcomplexityandlength,suchasNISTpasswordrecommendations.Axisswitches
supportpasswordsupto31characters.Passwordsshorterthan8charactersareconsideredweak.
Webinterfacecongurationpath
Advanced>Security>Conguration>Switch>Users
Createaclientaccount
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#5:AccountManagement
5
AxisNetworkSwitchesHardeningGuide
Basichardening
Thedefaultrootaccounthasfullprivilegesandshouldbereservedforadministrativetasks.Itisrecommendedtocreateaclient
useraccountwithlimitedprivilegesfordailyoperation(ifrequired).Thisreducestheriskofcompromisingthedeviceadministrator
password.
Webinterfacecongurationpath
Advanced>Security>Conguration>Switch>Users
Congurenetworksettings
CSC#12:NetworkInfrastructureManagement
ThedeviceIPcongurationdependsonthenetworkconguration,suchasIPv4/IPv6,staticordynamic(DHCP)networkaddress,
subnetmaskanddefaultrouter.Itisrecommendedtoreviewyournetworktopologywhenaddingnewtypesofcomponents.
ItisrecommendedtousestaticIPaddresscongurationonAxisdevicestoensurenetworkreachabilityanddisentanglethe
dependencytoe.g.,aDHCPserverinthenetworkthatmightbeatargetforattacks.
Webinterfacecongurationpath
Advanced>System>Conguration>IP>IPInterfaces
Correctdateandtimeconguration
CSC#8:AuditLogManagement
Fromasecurityperspective,itisimportantthatthedateandtimearecorrectsothat,forexample,thesystemlogsaretime-stamped
withtherightinformation,anddigitalcerticatescanbevalidatedandusedduringruntime.Withoutpropertime-sync,servicesthat
relyondigitalcerticatessuchasHTTPS,IEEE802.1x,andothersmaynotworkcorrectly.
ItisrecommendedthattheAxisdeviceclockissynchronizedwithaNetworkTimeProtocol(NTP)server,preferablytwo.For
individualsandsmallorganizationsthatdonothavealocalNTPserver,apublicNTPservermaybeused.Checkwithyourinternet
serviceprovideroruseapublicNTPserversuchaspool.ntp.org.
Webinterfacecongurationpath
Basic>Date&Time
CongureVLANs
CSC#1:InventoryandControlofEnterpriseAssets
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
BythemeansofVLANs,itispossibletosegmentthephysicalnetworkvirtuallyintoseveraldifferentnetworks.Bybreakingupthe
networkintomultiple,distinct,andmutuallyisolatedbroadcastdomains,thereceivednetworktrafcofhostsinthenetworkcanbe
lowered,thenetworkattacksurfacecanbeminimized,andnetworkhostsandresourcesarebundledorganizationallywithinone
VLAN,withouttheneedofbeingmadeavailabletotheentirephysicalnetwork.Thisincreasesoverallnetworksecurity.
Webinterfacecongurationpath
Advanced>VLANs
CongureIPsourceguard
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
6
AxisNetworkSwitchesHardeningGuide
Basichardening
IPsourceguardisafeatureusedtorestrictIPtrafconDHCPsnoopinguntrustedportsbylteringtrafcbasedontheDHCP
snoopingtableormanuallyconguredIPsourcebindings.IthelpspreventIPspoongattackswhenahosttriestospoofand
usetheIPaddressofanotherhost.
ExampleofanIPsourceguardcongurationallowingonlyonedynamicclientonswitchport1.Onswitchport2onlystatically
conguredclientsareallowed.
ExampleofanIPsourceguardstatictable.
Webinterfacecongurationpath
Advanced>Security>Conguration>Network>IPSourceGuard>Conguration
CongureACLs
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
ACLisanacronymforAccessControlList.Itisalistcontainingaccesscontrolentries(ACE)whichspecifyindividualusersorgroups
permittedordeniedtospecictrafcobjects,suchasaprocessoraprogram.
ACLimplementationscanbequitecomplex.Innetworking,theACLreferstoalistofserviceportsornetworkservicesthatare
availableonahostorserver,eachwithalistofhostsorserverspermittedordeniedusingtheservice.ACLcangenerallybe
conguredtocontrolinboundtrafc,andinthiscontext,theyarelikerewalls.
7
AxisNetworkSwitchesHardeningGuide
Basichardening
ExampleofanACEcongurationblockingICMPtrafconswitchport1.
ExampleofanACEcongurationblockingallIPv4trafconswitchport1to/fromthe10.0.1.0/24subnet.
Webinterfacecongurationpath
Advanced>Security>Conguration>Network>ACL>AccessControlList
Disableunusedservices/functions
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
Eventhoughunusedservices/functionsarenotanimmediatesecuritythreat,itisgoodpracticetodisableunusedservices/functions
toreduceunnecessaryrisks.Belowaresomeservices/functionsthatcouldbedisabledifnotused.
SSH
AccesstothenetworkswitchviaSSHallowsformoregranularanddetailedcongurationthanthewebinterface.Itisalsoused
fortroubleshootinganddebuggingpurposes.Whilebeingasecurecommunicationprotocol,itisrecommendedtomakesurethat
theSSHaccessisdisabledwhennolongerused.
8
AxisNetworkSwitchesHardeningGuide
Basichardening
Webinterfacecongurationpath
Advanced>Security>Conguration>Switch>AuthMethod
Discoveryprotocols
Discoveryprotocols,suchasBonjourorUPnP,aresupportservicesthatmakeiteasiertondtheAxisdeviceanditsservicesonthe
network.Afterdeployment,oncetheAxisdeviceIPaddressisknown,itisrecommendedtodisablethediscoveryprotocoltostop
theAxisdevicefromannouncingitspresenceonthenetwork.
Webinterfacecongurationpath
Advanced>System>Conguration>Information>BonjourDiscovery
Advanced>UPnP
Unusedphysicalnetworkports
Notallphysicalnetworkportsmightbeoccupiedatalltimes.Itisrecommendedtodisableunusednetworkportsadministrativelyon
theswitchside.Leavingunusednetworkportsunattendedandactiveimposesaseveresecurityrisk.
Webinterfacecongurationpath
Advanced>Ports>Conguration
Switchrebootschedule
CSC#2:InventoryandControlofSoftwareAssets
Duringnormaloperation,anyrecurrentscheduledrestartoftheswitchshouldnotberequiredsincethiswouldalsoinvolve
disconnectionorrestartoftheconnecteddevices(ifpoweredbytheswitch).Itisrecommendedtokeepthisoptiondisabled
untilneededfortroubleshootinganddebuggingpurposesonly.
Webinterfacecongurationpath
Advanced>Maintenance>RebootSchedule
HTTPS
CSC#3:DataProtection
ItisrecommendedtoconguretheAxisdeviceforHTTPSonly(noHTTPaccesspossible).Whileaself-signedcerticateisnottrusted
bydesign,itisadequateforsecureaccesstotheAxisdeviceduringinitialcongurationandwhennopublickeyinfrastructure(PKI)is
availableathand.Ifavailable,theself-signedcerticateshouldberemovedandreplacedwithpropersignedclientcerticatesof
thePKI-authorityofchoice.
Webinterfacecongurationpath
Advanced>Security>Conguration>Switch>AuthMethod
Advanced>Security>Conguration>Switch>HTTPS
CongureARPinspection
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
Severaldifferenttypesofwell-knownattacksknownas"ARPCachePoisoning"canbelaunchedagainstahostordevicesconnected
tolayer2networksby"poisoning"theARPcachesofthenetworkswitch.Theresultofasuccessfulattackwouldbeatemporary
9
AxisNetworkSwitchesHardeningGuide
Basichardening
lossofnetworkhostsandtrafc.ARPinspectionisusedtoblocksuchattacks.OnlyvalidARPrequestsandresponsescango
throughtheswitchdevice.
ExampleofanARPinspectioncongurationonswitchport1and2.
Webinterfacecongurationpath
Advanced>Security>Conguration>Network>ARPInspection
Congureportsecuritylimitcontrol
CSC#4:SecureCongurationofEnterpriseAssetsandSoftware
CSC#13:NetworkMonitoringandDefense
Portsecuritylimitcontrolallowsforlimitingthenumberofusersonagivenport.AuserisidentiedbyaMACaddressandVLAN
ID.Iflimitcontrolisenabledonaport,thelimitspeciesthemaximumnumberofusersontheport.Ifthenumberisexceeded,
aselectedactionistaken.
Whileportsecuritylimitcontrolcanbeenabledthroughthewebinterface,thelimitcanonlybesetviathecommandlineinterface.
Exampleofaportsecuritylimitcontrolcongurationonswitchport1and2.
10
AxisNetworkSwitchesHardeningGuide
Basichardening
Webinterfacecongurationpath
Advanced>Security>Conguration>Network>LimitControl
Commandlinecongurationpath
CongurationMode>interfaceGigabitEthernetx/x>port-securitymaximumx
11
AxisNetworkSwitchesHardeningGuide
Extendedhardening
Extendedhardening
Thehardeninginstructionsoutlinedinthissectionareanextensionthatbuildonthedefaultandbasichardeningdescribedin
previoussections.WhilethedefaultandbasichardeningcanbeconguredandenableddirectlyintheAxisdevice,theextended
hardeningofAxisdevicesrequireactiveparticipationbytheentirevendorsupplychain,aswellastheend-userorganizationand
theunderlyingIT-and/ornetworkinfrastructure.
Limitinternetexposure
CSC#12:NetworkInfrastructureManagement
ItisnotrecommendedtoexposetheAxisdeviceasapublicwebserverorpublicnetworkaccessofanykind,allowingunknown
clientstogainnetworkaccesstothedevice.
Networkvulnerabilityscanning
CSC#1:InventoryandControlofEnterpriseAssets
CSC#12:NetworkInfrastructureManagement
ItisrecommendedtoperformregularvulnerabilityassessmentsoftheinfrastructuretheAxisdeviceispartofaswellasoftheAxis
deviceitself.Thesevulnerabilityassessmentsareusuallyperformedbynetworksecurityscanners.
Thepurposeofavulnerabilityassessmentistoprovideasystematicreviewofpotentialsecurityvulnerabilitiesandmiscongurations.
PleasemakesurethattheAxisdevicebeingtestedisupdatedtothelatestavailablermwarebeforestartingthescan.
Itisrecommendedtoreviewthescanningreportandlteroutknownfalse-positivesforAxisdevicesstatedhere.
ThereportandremainingremarksthatareleftshouldbesubmittedinahelpdesktickettoAxissupport.
Trustedpublickeyinfrastructure(PKI)
CSC#3:DataProtection
CSC#12:NetworkInfrastructureManagement
ItisrecommendedtodeploywebserverandclientcerticatesinAxisdevicesthataretrustedandsignedbyapublicorprivate
CerticateAuthority(CA)ofchoice.ACA-signedcerticatewhosetrustchaincanbevalidatedhelpstoremovebrowsercerticate
warningswhenconnectingoverHTTPSandensurestheauthenticityoftheAxisdevicewhendeployingaNetworkAccessControl
(NAC)solution.ThismitigatestheriskofanattackingcomputerimpersonatinganAxisdevice.NotethatAXISDeviceManager
hasabuilt-inCAservicethatcanbeusedtoissuesignedcerticatestoAxisdevices.
IEEE802.1xnetworkaccesscontrol
CSC#6:AccessControlManagement
CSC#13:NetworkMonitoringandDefense
AxisdeviceshavesupportforIEEE802.1xport-basednetworkaccesscontrolutilizingtheEAP-TLSmethod.Foroptimalprotection,
authenticationofAxisdevicesmustutilizeclientcerticatessignedbyatrustedCerticateAuthority(CA)ofchoice.Seethe
followingguidelineonhowtocongureanAxisnetworkswitchforIEEE802.1x.
Webinterfacecongurationpath
Advanced>Security>Conguration>AAA>RADIUS
Advanced>Security>Conguration>Network>NAS
12
AxisNetworkSwitchesHardeningGuide
Extendedhardening
SMTPmonitoring
CSC#8:AuditLogManagement
AxisnetworkswitchescanbeconguredtosendoutalarmeventsthroughSMTPmessages.
Webinterfacecongurationpath
Advanced>SMTP
SNMPmonitoring
CSC#8:AuditLogManagement
AxisdevicessupportthefollowingSNMPprotocols:
•SNMPv1:supportedforlegacyreasonsonly,shouldnotbeused.
•SNMPv2c:maybeusedonaprotectednetworksegment.
•SNMPv3:recommendedformonitoringpurposes.
Webinterfacecongurationpath
Advanced>Security>Conguration>Switch>SNMP
Remotesyslog
CSC#8:AuditLogManagement
Axisdevicescanbeconguredtosendalllogmessagesencryptedtoacentralsyslogserver.Thissimpliesauditsandprevents
logmessagesfrombeingdeletedintheAxisdeviceeitherintentionally/maliciouslyorunintentionally.Italsoallowsforextended
retentiontimeofdevicelogsdependingoncompanypolicies.
Webinterfacecongurationpath
Advanced>System>Conguration>Log
13
Ver.M2.2
AxisNetworkSwitchesHardeningGuideDate:October2022
©AxisCommunicationsAB,2022PartNo.
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
Axis Network Switches Hardening User manual
- Category
- Network switches
- Type
- User manual
Axis Network Switches Hardening offers robust security features to protect your network. Easily manage and configure your switch with its intuitive web interface. Secure your data with HTTPS encryption and protect against unauthorized access with strong passwords and user accounts. Keep your network up-to-date with the latest firmware to ensure optimal performance and security.
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
-
Axis C1610-VE Installation guide
-
Axis OS Vulnerability Scanner User guide
-
Axis Communications 241SA User manual
-
-
-
Axis AXIS 241QA User manual
-
Axis Communications 243Q User manual
-
Axis Communications 233D User manual
-
-
Axis 211W User manual
Other documents
-
Mobotix HUB Hardening User guide
-
Eurotherm Cybersecurity Good Practices User guide
-
Kofax ControlSuite 1.2 User guide
-
Cisco 5505 - ASA Firewall Edition Bundle Configuration manual
-
-
Eaton Network-M2 User manual
-
Sollae Systems CSC-H64 User manual
-
Barco Set of 2 Buttons and a Tray Owner's manual
-
-
Juniper Networks IDP250 User manual
