Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3973 | NET-VLAN-002 | SV-3973r1_rule | ECSC-1 | Low |
Description |
---|
A disabled port that is still assigned to a user or management VLAN may be re-enabled by accident or by an attacker, and the port then gains access to that VLAN as a member. |
STIG | Date |
---|---|
Layer 2 Switch Security Technical Implementation Guide | 2013-10-08 |
Check Text (C-4035r1_chk) |
---|
Review the switch configurations and examine all interfaces. Each interface not in use should have membership to a VLAN that is not used for any other purpose. An example is shown below. |

```
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 999
 shutdown
```

For older switches such as the Catalyst 1900, you would see something like the following:

```
interface FastEthernet0/5
 vlan-membership static 999
 shutdown
```
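As an added compliance check that is not part of the STIG, the following Python parses an IOS-style running-config and flags disabled ports that sit in VLAN 1 or in a VLAN that enabled ports also use; the sample config, interface names and VLAN numbers are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the STIG), IOS access-port style.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/5
 switchport access vlan 999
 shutdown
"""

def parse_interfaces(config):
    """Map interface name -> {"vlan", "shutdown"}; an unset access VLAN defaults to 1 as on IOS."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"vlan": 1, "shutdown": False}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global line ends the interface stanza
            continue
        stripped = line.strip()
        m = re.match(r"switchport access vlan (\d+)$", stripped)
        if m:
            current["vlan"] = int(m.group(1))
        elif stripped == "shutdown":
            current["shutdown"] = True
    return interfaces

def audit_disabled_ports(config):
    """Return {interface: reason} for disabled ports not parked in a dedicated unused VLAN."""
    ifaces = parse_interfaces(config)
    active_vlans = {i["vlan"] for i in ifaces.values() if not i["shutdown"]}  # VLANs with live members
    findings = {}
    for name, i in ifaces.items():
        if i["shutdown"] and i["vlan"] == 1:
            findings[name] = "disabled port left in VLAN 1"
        elif i["shutdown"] and i["vlan"] in active_vlans:
            findings[name] = f"disabled port shares VLAN {i['vlan']} with enabled ports"
    return findings
```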
Fix Text (F-3906r1_fix) |
---|
Assign all disabled ports to an unused VLAN. Do not use VLAN 1. |