Axis Network Switches Hardening Guide
Basic hardening
The default root account has full privileges and should be reserved for administrative tasks. It is recommended to create a client
user account with limited privileges for daily operation (if required). This reduces the risk of compromising the device administrator
password.
Web interface configuration path
Advanced > Security > Configuration > Switch > Users
Configure network settings
CSC #12: Network Infrastructure Management
The device IP configuration depends on the network configuration, such as IPv4/IPv6, static or dynamic (DHCP) network address,
subnet mask and default router. It is recommended to review your network topology when adding new types of components.
It is recommended to use static IP address configuration on Axis devices to ensure network reachability and to remove the
dependency on, for example, a DHCP server in the network that might be a target for attacks.
Web interface configuration path
Advanced > System > Configuration > IP > IP Interfaces
Correct date and time configuration
CSC #8: Audit Log Management
From a security perspective, it is important that the date and time are correct so that, for example, the system logs are time-stamped
with the right information, and digital certificates can be validated and used during runtime. Without proper time-sync, services that
rely on digital certificates such as HTTPS, IEEE 802.1x, and others may not work correctly.
It is recommended that the Axis device clock is synchronized with a Network Time Protocol (NTP) server, preferably two. For
individuals and small organizations that do not have a local NTP server, a public NTP server may be used. Check with your internet
service provider or use a public NTP server such as pool.ntp.org.
Web interface configuration path
Basic > Date & Time
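The following Python sketch is an added example, not part of the Axis guide or Axis software. It shows the clock-offset calculation an NTP client performs on a server reply, and why two servers help: with two sources, a drifted local clock can be told apart from a server that disagrees with its peer. The server names, the 1-second tolerance and the reply packets are constructed assumptions, so the code runs offline.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def _to_unix(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / 2**32

def _to_ntp(ts):
    return int(ts) + NTP_UNIX_DELTA, int((ts - int(ts)) * 2**32)

def parse_reply(packet):
    """Return (receive_time, transmit_time) in Unix seconds from an NTP server reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports it is unsynchronised")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    return _to_unix(rx_s, rx_f), _to_unix(tx_s, tx_f)

def clock_offset(t1, packet, t4):
    """RFC 5905 offset ((T2 - T1) + (T3 - T4)) / 2; T1 and T4 come from the local clock."""
    t2, t3 = parse_reply(packet)
    return ((t2 - t1) + (t3 - t4)) / 2

def assess(samples, tolerance=1.0):
    """samples: [(server, t1, reply, t4)]. Return ({server: offset}, verdict)."""
    offsets = {name: clock_offset(t1, pkt, t4) for name, t1, pkt, t4 in samples}
    values = list(offsets.values())
    if max(values) - min(values) > tolerance:
        return offsets, "sources disagree"  # do not trust either source blindly
    if max(abs(v) for v in values) > tolerance:
        return offsets, "local clock off"   # log timestamps and certificate checks are at risk
    return offsets, "in sync"

def build_reply(rx, tx, leap=0, stratum=2):
    """Constructed sample reply (version 4, mode 4); only the fields parsed above are set."""
    header = struct.pack("!BBbb", (leap << 6) | (4 << 3) | 4, stratum, 6, -20)
    return header + bytes(28) + struct.pack("!4I", *_to_ntp(rx), *_to_ntp(tx))

# Constructed scenario: the querying clock runs 90 s behind true time 1700000000.
TRUE, LOCAL = 1700000000.0, 1699999910.0
SAMPLES = [  # hypothetical server names
    ("ntp-a.example", LOCAL, build_reply(TRUE + 0.25, TRUE + 0.25), LOCAL + 0.5),
    ("ntp-b.example", LOCAL, build_reply(TRUE + 0.5, TRUE + 0.5), LOCAL + 1.0),
]

if __name__ == "__main__":
    print(assess(SAMPLES))
```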
Configure VLANs
CSC #1: Inventory and Control of Enterprise Assets
CSC #4: Secure Configuration of Enterprise Assets and Software
CSC #13: Network Monitoring and Defense
By means of VLANs, it is possible to segment the physical network virtually into several different networks. By breaking up the
network into multiple, distinct, and mutually isolated broadcast domains, the network traffic received by hosts in the network can be
lowered, the network attack surface can be minimized, and network hosts and resources are bundled organizationally within one
VLAN, without needing to be made available to the entire physical network. This increases overall network security.
Web interface configuration path
Advanced > VLANs
Configure IP source guard
CSC #4: Secure Configuration of Enterprise Assets and Software
CSC #13: Network Monitoring and Defense