Discussion:
Security configuration best practices
Aaron Howard
2014-03-27 12:54:35 UTC
We're conducting an IT risk assessment and networking is in scope. For most
systems we're using manufacturer security recommendations as a baseline for
system security. For example Microsoft or Oracle's system hardening guides.
I'm looking for a similar document for Enterasys/Extreme equipment. If
there's not an Enterasys specific document, is there a general network
security document others have used or can suggest? I'm thinking of some DOD
documents, but they focus on Cisco.

If this Enterasys specific document doesn't exist there needs to be one
created, by this community or Extreme. I can think of several important
changes like removing the backdoor rw account that doesn't have a password,
that really need to be in a best practices document so that others don't
have to learn it the expensive way.
--
Aaron Howard
Interim Director of ITS Network Services / Computer Network System Manager
University of Northern Iowa
Office: 319-273-5813 | http://www.uni.edu/its/projects

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org
Dan Newcombe
2014-03-27 13:01:17 UTC
Would love to see whatever you find, but I think a lot of them would be handled by some of the general items covered in the NIST 800-53 guidelines, such as log to a central location, change default passwords.


Of course, a list of all those to change does make it easier :)


Summers, William
2014-03-27 13:24:32 UTC
I have a template I've developed over the years that does the following:

enable ssh
disable telnet/web management
enables SNMPv3
removes default SNMP configuration
applies system lockout policy
change host vlan/management address


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838
Bill Handler
2014-03-27 13:27:02 UTC
For our default config on switches we also disable the rw/ro accounts.

Bill Handler
PCS | Engineering Services Manager
Technology | Training | Results
Direct: 865.273.8030
Toll-free: 877.690.5999 Ext. 122
Fax: 865.273.1961
Web: http://www.pcsknox.com
 

Darrin Green
2014-03-27 14:58:11 UTC
Aaron,

Some of the Enterasys best practice recommendations are covered in the
switch/router/mgmt/wireless training classes. Every network is different
depending on if you are switching or switching and routing. We have a
default config that we push to every box during burn in. If the box is
routing some additional considerations are added.

*Switching*
create new administrative last resort account
enable management login via Radius
clear ro and rw accounts

disable inbound and outbound telnet
enable ssh

disable default snmp config
enable snmp v3
enable snmp inform traps

disable spantree

disable gvrp

disable cdp

disable ciscodp

disable lacp or if enabled set lacp aadminkey (controls lag group)

enable logging to syslog server (we log everything for forensics)

*Routing*
OSPF MD5 Authentication
VRRP MD5 Authentication
ACLs as needed

Additionally, you can use Policy Manager to control rogue devices on user
ports such as DHCP servers, DNS servers, etc.
--
Darrin E. Green
Senior Technical Support Specialist
Dallas Area Rapid Transit
1401 Pacific Avenue
Dallas, Texas 75202
Ph 214-749-3173
Fax 214-749-3656
Email ***@dart.org
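
One way to check a burn-in template against the management-access and logging items in the checklist above, as an added example that is not part of the original post or anyone's actual template. The command patterns are assumptions modelled on Enterasys-style set/clear syntax and the sample template is constructed; confirm each command against the CLI reference for your platform and firmware.

```python
import re

# Checklist items from the thread (management access and logging only).
# The command patterns are ASSUMPTIONS modelled on Enterasys-style set/clear
# syntax, not verified vendor commands; adjust them to your platform.
# Each rule: (item, pattern that must appear, pattern that must not appear).
RULES = [
    ("last-resort admin account",
     r"set system login (?!(?:ro|rw)\b)\S+ super-user enable", None),
    ("clear ro account", r"clear system login ro", r"set system login ro\b"),
    ("clear rw account", r"clear system login rw", r"set system login rw\b"),
    ("RADIUS management login", r"set radius enable", None),
    ("telnet disabled", r"set telnet disable all", r"set telnet enable"),
    ("ssh enabled", r"set ssh enabled", r"set ssh disabled"),
    ("syslog server", r"set logging server \d+ ip-addr \S+", None),
]

# Constructed sample template (hypothetical account name, documentation IP).
SAMPLE_TEMPLATE = """
! constructed burn-in template, not from the thread
set system login netops super-user enable
clear system login ro
set system login rw read-write enable
set ssh enabled
set telnet disable all
set logging server 1 ip-addr 192.0.2.10 state enable
"""

def audit(template_text):
    """Return {item: 'ok' | 'missing' | 'conflict'} for a config template."""
    # Normalise whitespace, then drop blank lines and '!' / '#' comments.
    lines = [" ".join(l.split()) for l in template_text.splitlines()]
    lines = [l for l in lines if l and l[0] not in "!#"]
    report = {}
    for item, must, must_not in RULES:
        has = any(re.match(must + r"\b", l) for l in lines)
        bad = must_not and any(re.match(must_not, l) for l in lines)
        # A contradicting command outranks a present one: flag it for review.
        report[item] = "conflict" if bad else ("ok" if has else "missing")
    return report

def failures(report):
    """Checklist items that are not 'ok', in checklist order."""
    return [item for item, _, _ in RULES if report[item] != "ok"]

if __name__ == "__main__":
    for item, status in audit(SAMPLE_TEMPLATE).items():
        print(f"{status:8} {item}")
```

A template check only shows what the template would push; the running configuration on each switch still needs to be compared against it after burn-in.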

m***@usmc.mil
2014-04-01 14:38:51 UTC
Aaron,

One of the networks we run here uses almost exclusively Enterasys equipment
for the transport. As security guidance, we use DISA STIGs, and although
some of them are geared towards Cisco equipment, for the most part, the
concepts are not much different.

The STIG viewer can be found here:
http://iase.disa.mil/stigs/stig_viewing_guidance.html

The L2 and L3 STIGs you may want to look at can be found here:

http://iase.disa.mil/stigs/net_perimeter/network_infra/routers_switches.html

The ones you'll probably want to look at are
u_network_infrastructure_router_l3_switch_v8r16_stig.zip and
u_network_l2_switch_v8r16_stig.zip. These zip files contain STIGs that are
Cisco and Juniper specific, but also contain generic sets of STIGs. You
will be able to generate checklists using the STIG viewer, and be able to
sort them by importance. Remember that these are only minimum levels of
protection, and that you will be free to configure your equipment at a
higher level if you wish. We do. Also, note that there will be guidelines
contained within these sets of STIGs for configurations that may not be
applicable to your site. For example, if you're not running BGP, there is
no need to configure it for authentication.

While I can't speak for any Enterasys/Extreme networks specific
documentation, the STIGs will give you a good baseline from which to begin
to harden your network, or to check your current configurations against.


Marcus D Florido
IT Systems Analyst
MITSC EAST Network Management



