No amount of software hardening can overcome lax physical security with your network devices.
Let’s say a bad person, we’ll call him August Derleth, gets physical access to one of your Cisco switches that’s been tucked away in a broom closet. He gets it into ROMMON mode and sets it so it will reboot without challenging him for a password. Now he reboots the switch and then does a copy startup-config running-config command. He now has the original config loaded and full access to it. He can now create an account for himself, copy all the details on that config, and then choose a port on the access switch to open up for his own purposes, be it a rogue switch, server, or router. He could disable DHCP snooping and DAI so he could use a man-in-the-middle attack to capture all the voice traffic on that switch.
None of the software security configurations you have made will give you aid in the event of a physical access compromise.
So put a lock on that door. Now our man August cannot get to that switch because there is a lock on the door… so he can only try to attack it from the network side, where BPDU Guard, Root Guard, DHCP snooping and DAI keep him frustrated.
OK, so Mr. Derleth gets a crowbar and breaks the lock and gets in… we are back at the original scenario. We have to face the possibility that an unauthorized person gains physical access to a system. There need to be alarms and cameras on that entrance so that when security is breached, we have a record of it. There needs to be a double entrance with a person on duty in the middle space at all times – a night backup operator, for example. Key cards, combination locks, etc. could all be considered.
Now for the switches themselves: there need to be keepalive monitors on EVERY sensitive device so that reboots and power outages are monitored and documented. Once the physical security has been breached, the main concern is not frustrating the hacker's further attacks with configurations on the compromised device, but gathering forensic data so he can be properly apprehended and prosecuted. The compromised device is a lost cause. Mr. Derleth may not care about alarms going off if he is planning a smash-and-grab operation: his goal may be to gain access to an information store, copy it or physically transport it, and then get out before the police arrive. The alarms, however, provide a trail of evidence for later use.
So what if Mr. Derleth wants to implant systems to observe traffic and intercept communications? In that event, the alarms show us where the breach began, and logging servers will note when devices' configs have been altered – or when devices have been logged into. Now we can check over those other devices and roll their configs back to an earlier saved config kept in a location inaccessible from the network.
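The two paragraphs above lean on three things: keepalive monitoring that documents reboots, a logging server that records config changes and logins, and a saved config kept somewhere the network cannot reach. The script below, an added example and not code from the original post, turns those three into checks a defender would run after a closet breach: it builds a timeline of restart, login and config-change syslog events, finds silences in the keepalive record longer than a threshold, and diffs the config pulled from the device against the off-network baseline, calling out removed lines that disable the protections the post mentions (DHCP snooping, DAI, BPDU Guard, Root Guard). The syslog line shape, the hostnames, the keepalive samples and both configs are constructed assumptions for the demonstration; the mnemonics in WATCH are genuine Cisco IOS syslog identifiers.

```python
"""Post-breach checks for a closet switch: event timeline, keepalive gaps, config drift.

Added example, not the original post's code. Assumes syslog lines arrive in a
Cisco-IOS-like "<Mon dd HH:MM:SS> <host> %FACILITY-SEV-MNEMONIC: text" shape and
that the baseline config was saved to a location the network cannot reach.
All sample data below is constructed."""
import re
import difflib
from datetime import datetime, timedelta

YEAR = 2025  # syslog timestamps carry no year; assumed for parsing only

# Cisco IOS syslog mnemonics that matter once someone may have touched the device
WATCH = {
    "SYS-5-RESTART": "device restarted (power cycle or reload)",
    "SYS-5-RELOAD": "reload requested",
    "SYS-5-CONFIG_I": "running config changed",
    "SEC_LOGIN-5-LOGIN_SUCCESS": "interactive login",
}

# Config lines whose removal weakens the protections the post relies on
PROTECTIONS = ("ip dhcp snooping", "ip arp inspection",
               "spanning-tree bpduguard", "spanning-tree guard root")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")


def parse_ts(text):
    """'Mar  3 02:10:04' -> datetime (extra spaces collapsed, year assumed)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S").replace(year=YEAR)


def timeline(syslog_text):
    """Return [(ts, host, mnemonic, meaning)] for watched events, oldest first."""
    events = []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["mnemonic"] in WATCH:
            events.append((parse_ts(m["ts"]), m["host"], m["mnemonic"], WATCH[m["mnemonic"]]))
    return sorted(events)


def keepalive_gaps(samples, max_gap=timedelta(minutes=5)):
    """samples: [(host, 'Mon dd HH:MM:SS'), ...]. Return [(host, last_seen, next_seen)]
    for every silence longer than max_gap: a reboot or power loss to document."""
    by_host = {}
    for host, ts in samples:
        by_host.setdefault(host, []).append(parse_ts(ts))
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later))
    return gaps


def config_drift(baseline, current):
    """Compare the config pulled from the device with the saved baseline.
    Returns added/removed lines plus the removed lines that disabled a protection."""
    added, removed = [], []
    for d in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        if d.startswith("+ "):
            added.append(d[2:])
        elif d.startswith("- "):
            removed.append(d[2:])
    weakened = [l for l in removed if l.strip().startswith(PROTECTIONS)]
    return {"added": added, "removed": removed, "weakened": weakened}


# ---- constructed sample data (not real device output) ------------------------
SAMPLE_SYSLOG = """\
Mar  3 01:58:12 closet-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up
Mar  3 02:10:04 closet-sw1 %SYS-5-RESTART: System restarted --
Mar  3 02:11:30 closet-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: console] [localport: 0]
Mar  3 02:12:47 closet-sw1 %SYS-5-CONFIG_I: Configured from console by console
Mar  3 02:13:02 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

SAMPLE_KEEPALIVES = [("closet-sw1", "Mar  3 02:00:00"), ("closet-sw1", "Mar  3 02:05:00"),
                     ("closet-sw1", "Mar  3 02:15:00"), ("closet-sw1", "Mar  3 02:20:00"),
                     ("core-sw1", "Mar  3 02:00:00"), ("core-sw1", "Mar  3 02:05:00")]

BASELINE_CONFIG = """\
hostname closet-sw1
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
username netops privilege 15 secret <hash-placeholder>
interface GigabitEthernet1/0/24
 shutdown
 spanning-tree bpduguard enable
"""
CURRENT_CONFIG = """\
hostname closet-sw1
ip dhcp snooping vlan 10,20
username netops privilege 15 secret <hash-placeholder>
username august privilege 15 secret <hash-placeholder>
interface GigabitEthernet1/0/24
 spanning-tree bpduguard enable
"""

if __name__ == "__main__":
    for ev in timeline(SAMPLE_SYSLOG):
        print("EVENT", *ev)
    for host, a, b in keepalive_gaps(SAMPLE_KEEPALIVES):
        print("GAP  ", host, a.time(), "->", b.time())
    for k, v in config_drift(BASELINE_CONFIG, CURRENT_CONFIG).items():
        print(k.upper(), v)
```

Run against the constructed data, the timeline shows the restart, the console login and the config change on closet-sw1 in order, the keepalive record shows a ten-minute silence around the restart, and the drift check reports a new local account plus the removed DHCP snooping and DAI lines and the re-enabled spare port. The point of keeping the baseline off-network is visible in the last step: the comparison is only meaningful if the attacker could not have altered the copy you compare against.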
Get your physical security house in order: locks, monitoring, and logging are all part of a complete physical security strategy.