1.8.1 Disable Power on Auto Provisioning (POAP)

Information

PowerOn Auto Provisioning (POAP) allows the switch to be auto-provisioned at the time of power-on. This can be extremely useful in a tightly controlled environment with a solid 'network as code' mindset and DevOps procedures in place for network operations.

Rationale:

Impact:

Without solid procedures and a well-controlled environment, POAP gives a malicious actor the ability to compromise a switch as it is being deployed out of the box. This 'day 0' compromise gives the attacker control of the switch from the start; it can be difficult to detect that it has occurred, and regaining control may require physical access.

Solution

To disable POAP, use the command:

switch(config)# no boot poap enable

Default Value:

POAP is not enabled by default. The 'boot poap' configuration line appears in the running or startup configuration only when POAP is enabled; when it is disabled, the line is absent.
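As an added example (not part of this benchmark item or of any vendor tool), a small Python audit that applies this check to the text of a running configuration, relying on the default-value behaviour noted above: the 'boot poap enable' line is present only when POAP is enabled. The sample configurations, hostnames and file names below are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# CIS 1.8.1: POAP must be disabled. The line "boot poap enable" shows up in
# the running/startup configuration only when POAP is enabled, so the audit is
# simply: line absent -> PASS, line present -> FAIL (with the remediation command).
POAP_ENABLED = re.compile(r"^\s*boot\s+poap\s+enable\s*$", re.IGNORECASE | re.MULTILINE)
REMEDIATION = "no boot poap enable"


@dataclass
class Finding:
    control: str
    status: str        # "PASS" or "FAIL"
    evidence: str      # the matching config line, or a note on why it passed
    remediation: str   # config command to apply, empty when compliant


def audit_poap(running_config: str) -> Finding:
    """Evaluate CIS 1.8.1 against the text of 'show running-config'."""
    match = POAP_ENABLED.search(running_config)
    if match:
        return Finding("1.8.1", "FAIL", match.group(0).strip(), REMEDIATION)
    return Finding("1.8.1", "PASS",
                   "no 'boot poap enable' line present (POAP disabled, the default)", "")


# Constructed sample configurations; not captured from a real switch.
SAMPLE_ENABLED = """\
hostname nx-demo-01
boot poap enable
boot nxos bootflash:/nxos.bin
"""
SAMPLE_DISABLED = """\
hostname nx-demo-02
boot nxos bootflash:/nxos.bin
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_ENABLED, SAMPLE_DISABLED):
        f = audit_poap(cfg)
        fix = f"  -> remediate with: {f.remediation}" if f.remediation else ""
        print(f"{f.control} {f.status}: {f.evidence}{fix}")
```

Feed it the saved output of 'show running-config' from each switch to produce one finding per device.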

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Cisco

Control ID: f9e6a2eb3ef1976a1828cddef164026b592ff6656b8880194695e0248a59c2fb