Aaron,

Some of the Enterasys best practice recommendations are covered in the switch/router/mgmt/wireless training classes. Every network is different depending on if you are switching or switching and routing. We have a default config that we push to every box during burn in. If the box is routing some additional considerations are added.

*Switching*

create new administrative last resort account
enable management login via Radius
clear ro and rw accounts
disable inbound and outbound telnet
enable ssh
disable default snmp config
enable snmp v3
enable snmp inform traps
disable spantree
disable gvrp
disable cdp
disable ciscodp
disable lacp or if enabled set lacp aadminkey (controls lag group)
enable logging to syslog server (we log everything for forensics)

*Routing*

OSPF MD5 Authentication
VRRP MD5 Authentication
ACLs as needed

Additionally, you can use Policy Manager to control rogue devices on user ports such as DHCP servers, DNS servers, etc.

On Thu, Mar 27, 2014 at 7:54 AM, Aaron Howard <[email protected]> wrote:

> We're conducting an IT risk assessment and networking is in scope. For
> most systems we're using manufacturer security recommendations as a
> baseline for system security. For example Microsoft or Oracle's system
> hardening guides. I'm looking for a similar document for Enterasys/Extreme
> equipment. If there's not an Enterasys specific document, is there a
> general network security document others have used or can suggest? I'm
> thinking of some DOD documents, but they focus on Cisco.
>
> If this Enterasys specific document doesn't exist there needs to be one
> created, by this community or Extreme. I can think of several important
> changes like removing the backdoor rw account that doesn't have a password,
> that really need to be in a best practices document so that others don't
> have to learn it the expensive way.
>
> --
> Aaron Howard
> Interim Director of ITS Network Services / Computer Network System Manager
>
> University of Northern Iowa
> Office: 319-273-5813 | http://www.uni.edu/its/projects
>
> ---
> To unsubscribe from enterasys, send email to [email protected] with
> the body: unsubscribe enterasys [email protected]

--
Darrin E. Green
Senior Technical Support Specialist
Dallas Area Rapid Transit
1401 Pacific Avenue
Dallas, Texas 75202
Ph 214-749-3173
Fax 214-749-3656
Email [email protected]
