1.7.1 Disable Power on Auto Provisioning (POAP)

Information

PowerOn Auto Provisioning (POAP) allows the switch to be provisioned automatically when it is powered on. This can be extremely useful in a tightly controlled environment with a solid "network as code" mindset and DevOps procedures in place for network operations.

Solution

To disable POAP, use the command:

switch(config)# no boot poap enable

Impact:

Without solid procedures and a well-controlled environment, POAP gives a malicious actor the ability to compromise a switch as it is being deployed out of the box. This "day 0" compromise gives the attacker control of the switch from the start. It can be difficult to detect that this has occurred, and regaining control may require physical access.

See Also

https://workbench.cisecurity.org/benchmarks/16139

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 59ce9693cd8b9ea148b77baa9a1a01a721880436fc189e7a58f83457f6152bf5