Clear Choice Test 10G access switches
Most switches help in complying with secure management best practices

By David Newman, Network World Lab Alliance, Network World, 03/24/2008

In assessing switch management and security, we sought to answer three questions: Did devices follow current best practices by default? Could users configure switches to follow these best practices? And could switches be wiped clean of any sensitive information before being taken out of deployment?

The "wipe clean" question stems from regulatory requirements in a growing number of industries. For example, NIST, the U.S. government's standards body, and the credit card industry's Payment Card Industry Data Security Standard (PCI DSS) both require the deletion of any personally identifiable information before disposal.

We assessed reset capabilities by deleting the startup configuration file of each switch after putting it through performance and security tests. For all but the Alcatel-Lucent, Extreme and HP switches, that was enough to wipe the systems clean. HP's ProCurve switch stores passwords separately in flash memory, but these can be deleted through use of front-panel buttons. The procedure is documented, and HP also says it's moving toward inclusion of encrypted passwords in the switch configuration file.

The Alcatel-Lucent and Extreme switches both retain passwords even after a factory reset. In addition, Extreme's Summit X450 also retains the private SSH key, which could allow an attacker to pose as an authorized device even after the switch has been retired.

We also determined which management methods were enabled by default, and which would need to be enabled or disabled by network managers (see Management and Security Methods table).

These best practices include disabling insecure management methods such as telnet (enabled out of the box over IPv4 on every switch we tested), unencrypted Web management and SSHv1. Best practices mean accessing the switch only through secure means such as SSHv2 and/or Secure-HTTP, and also logging switch events to a syslog server (a requirement under many enterprise security policies).

Cisco's Catalyst 3750E adhered the closest to security best practices. However, it supports telnet by default, as do all other switches. Also, when enabling SSH the Catalyst supports the insecure Version 1 of that protocol (although SSHv1 can be disabled via an additional command).

In general, management over IPv6 isn't as solid as over IPv4. Two switches, from Dell and HP, didn't support IPv6 management on their default VLANs in our tests, although HP says it's currently shipping 13.x software that does support IPv6 on the default VLAN. Also, there were a couple of cases where options offered with IPv4 weren't available over IPv6. We were unable to configure syslog over IPv6 on the Cisco Catalyst or Extreme Summit X450. And the Extreme switch didn't support Web or SSL-based management over IPv6.
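The checks described above (telnet off, SSH pinned to version 2, plain HTTP off and HTTPS on, syslog reachable over both IPv4 and IPv6) can be automated against a saved configuration. The following audit script is an added example, not part of the original article or any vendor's tooling; it assumes Cisco IOS-style configuration syntax, and both sample configs are constructed for illustration.

```python
import re
from typing import List

# Constructed sample configs in Cisco IOS-style syntax (an assumption; neither is a
# real config from the review). WEAK mirrors the default posture described in the
# article: telnet open, SSH version not pinned, plain HTTP on, syslog over IPv4 only.
WEAK_CONFIG = """\
ip http server
logging host 192.0.2.10
line vty 0 15
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip ssh version 2
logging host 192.0.2.10
logging host ipv6 2001:DB8::10
line vty 0 15
 transport input ssh
"""


def audit_management(config: str) -> List[str]:
    """Return one finding per management best practice the config violates."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings: List[str] = []
    # 1. Telnet must not be accepted on any vty line.
    if any(re.match(r"transport input\b.*\btelnet\b", line) for line in lines):
        findings.append("telnet accepted on vty lines")
    # 2. Without an explicit version-2 pin, SSHv1 connections are still accepted.
    if "ip ssh version 2" not in lines:
        findings.append("ssh version 2 not enforced (SSHv1 still accepted)")
    # 3. Unencrypted Web management off, Secure-HTTP on.
    if "ip http server" in lines:
        findings.append("plain HTTP management enabled")
    if "ip http secure-server" not in lines:
        findings.append("HTTPS management not enabled")
    # 4. A syslog destination over IPv4 and one over IPv6 (':' marks an IPv6 address).
    hosts = []
    for line in lines:
        m = re.match(r"logging host (?:ipv6 )?(\S+)", line)
        if m:
            hosts.append(m.group(1))
    if not any(":" in h for h in hosts):
        findings.append("no syslog destination over IPv6")
    if not any(":" not in h for h in hosts):
        findings.append("no syslog destination over IPv4")
    return findings
```

Running `audit_management(WEAK_CONFIG)` reports five findings, while the hardened sample returns an empty list.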

As with multicast and 802.1X, IPv6 support is relatively new in many switches, and support for all features is far from complete. For network managers considering IPv6 deployment, it's not enough to consider whether a switch will forward IPv6 packets; supporting management over IPv6 is critical as well.
