Configuring enhanced security

Prerequisites
If you have switch configuration that you want to retain, create a backup. This procedure erases all configuration, including the current running configuration, the startup configuration, and all historical configuration checkpoints.
Procedure
  1. Set enhanced security mode:
    1. Reboot the switch into the Service OS with the command boot system serviceos.
      If on an 8400 Switch with both Management Modules installed:
      1. Issue the boot command only on the active Management Module. This command boots both Management Modules into the Service OS.

      2. Perform steps 2 to 5 below (log in, secure-mode enhanced, confirm, wait) on both modules, starting with the active module.

    2. Log in to the Service OS as admin.
    3. Enter the command secure-mode enhanced.
    4. When prompted about the mode change, respond with y for "yes."
    5. Wait for the reboot and zeroization to complete. The switch firmware boots automatically.
  2. Ensure adequate password requirements:
    1. Before adding users, enable and configure password complexity as described in the password complexity section. To maintain enhanced security, configure the password complexity subcommand settings no smaller than their defaults.
    2. Configure passwords for all users, including admin. Password complexity is enforced only on passwords set after it is enabled, so change the admin password after enabling password complexity; the new admin password must satisfy your password complexity settings.
  3. Ensure proper login management as follows:
    1. Configure local user session management as described in the CLI user session management commands, using cli-session and its subcommands max-per-user, timeout, and tracking-range to achieve the wanted configuration. To maintain enhanced security, configure the cli-session subcommand settings no smaller than their defaults.
    2. Restrict remote SSH connections to certified crypto algorithms only, using ssh certified-algorithms-only.
    3. Configure pre-login and post-login banners using banner motd and banner exec, respectively.
  4. Ensure that the switch date and time are set accurately using clock datetime.
  5. When logging to a remote syslog server is required, ensure that the connection to the server is cryptographically secure. See Configuring remote logging using SSH reverse tunnel.

To ensure that enhanced security is maintained, also respect these requirements:
  • Do not configure remote logging directly to a remote server; always route it through an SSH tunnel.

  • Do not configure passwords and keys using the plaintext option.
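The checklist above is easy to drift from after the switch is in production, so a small audit of a running-config dump is useful. The script below is an added example and is not Aruba's tooling or code from this page. It assumes the running-config keywords take the forms shown in the constructed sample (password complexity as a block with an indented enable line, cli-session max-per-user / timeout, ssh certified-algorithms-only, banner motd / banner exec, logging <host>, and a plaintext keyword on secrets), and it assumes that syslog routed through the SSH reverse tunnel shows up as a loopback logging destination; both sample configs are constructed for illustration.

```python
"""Audit an AOS-CX style running-config dump against the enhanced-security checklist.

Added example, not vendor tooling. The keyword forms checked here are assumptions
modelled on the command names in the procedure; adjust the patterns to your firmware.
"""
import ipaddress
import re

# Constructed sample of a running config after the procedure has been followed.
HARDENED_CONFIG = """\
hostname core-8400
password complexity
    enable
    minimum-length 12
cli-session max-per-user 2
cli-session timeout 10
ssh certified-algorithms-only
banner motd ^
Authorized users only.
^
banner exec ^
All sessions are logged.
^
logging 127.0.0.1
user admin group administrators password ciphertext AQBapXXXX
"""

# The same config with three deviations a reviewer should catch:
# complexity not enabled, syslog sent directly to a remote host, a plaintext secret.
WEAK_CONFIG = (
    HARDENED_CONFIG.replace("    enable\n", "")
    .replace("logging 127.0.0.1", "logging 192.0.2.10")
    .replace("password ciphertext AQBapXXXX", "password plaintext Secr3t!")
)


def _block(config: str, header: str):
    """Return the indented lines under a config header, or None if the header is absent."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == header:
            body = []
            for nxt in lines[i + 1:]:
                if nxt.startswith((" ", "\t")):
                    body.append(nxt.strip())
                else:
                    break
            return body
    return None


def _is_loopback(target: str) -> bool:
    """True if a logging destination is a loopback address (our tunnel signature)."""
    try:
        return ipaddress.ip_address(target).is_loopback
    except ValueError:
        return target.lower() == "localhost"


def audit_enhanced_security(config: str) -> dict:
    """Map each checklist item to True (satisfied) or False (deviation found)."""
    complexity = _block(config, "password complexity")
    logging_targets = re.findall(r"^logging\s+(\S+)", config, re.M)
    return {
        "password_complexity_enabled": complexity is not None and "enable" in complexity,
        "cli_session_max_per_user": bool(re.search(r"^cli-session max-per-user \d+", config, re.M)),
        "cli_session_timeout": bool(re.search(r"^cli-session timeout \d+", config, re.M)),
        "ssh_certified_algorithms_only": bool(
            re.search(r"^ssh certified-algorithms-only\s*$", config, re.M)
        ),
        "banner_motd": bool(re.search(r"^banner motd\b", config, re.M)),
        "banner_exec": bool(re.search(r"^banner exec\b", config, re.M)),
        # Assumption: syslog via the SSH reverse tunnel is addressed to loopback on the
        # switch; any non-loopback destination is a direct, untunnelled remote server.
        "syslog_via_tunnel": all(_is_loopback(t) for t in logging_targets),
        # The page forbids the plaintext option for passwords and keys.
        "no_plaintext_secrets": re.search(r"\bplaintext\b", config) is None,
    }


def failing_checks(config: str) -> list:
    """Sorted names of the checks that fail for a given config dump."""
    return sorted(name for name, ok in audit_enhanced_security(config).items() if not ok)


if __name__ == "__main__":
    print("hardened:", failing_checks(HARDENED_CONFIG))
    print("weak:    ", failing_checks(WEAK_CONFIG))
```

Feed the script the output of show running-config captured from the switch (or a configuration checkpoint) and treat any non-empty failing_checks result as a finding; the loopback test is deliberately strict so that a syslog target added later without a tunnel is caught.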

NOTE:
When in enhanced security mode, the switch (Product OS) start-shell command is disabled for security reasons. If you attempt to use this command while in enhanced security mode, it is rejected and the following error message is displayed:
The start-shell command is not available in enhanced secure mode.
NOTE:
When in enhanced security mode, the following Service OS commands are disabled for security reasons: config-clear, password, sh, and update. If you attempt to use any of these Service OS commands while in enhanced security mode, the command is rejected and an error message is displayed: