Disable Power on Auto Provisioning (POAP)

Details

PowerOn Auto Provisioning (POAP) allows the switch to be auto-provisioned at the time of power-on. This can be extremely useful in a tightly controlled environment, with a solid ‘network as code’ mindset and dev-ops procedures in place for network operations.

Rationale:

Impact:

Without solid procedures and a well-controlled environment, POAP provides a malicious actor the ability to compromise a switch as it is being deployed out of the box. This ‘day 0’ compromise gives the attacker control of the switch from the start; it can be difficult to detect that this has occurred, and physical access may be required to regain control.

Solution

To disable POAP, use the command:

switch(config)# no boot poap enable

Default Value:

POAP is not enabled by default. The ‘boot poap’ configuration line does not show in the running or startup configuration if it is disabled, only if it is enabled.
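
Because the line appears only when POAP is enabled, an audit can search saved copies of both configurations for it. The following is an added example, not part of the benchmark or of Cisco's tooling: it assumes the output of `show running-config` and `show startup-config` has been saved as text, and the function names and sample configs are hypothetical.

```python
import re

# Matches the POAP boot line; group 1 is set when it is the negated form.
_POAP_LINE = re.compile(r"^\s*(no\s+)?boot\s+poap\s+enable\s*$", re.IGNORECASE)


def poap_enabled(config_text):
    """Return True if the config text contains an active 'boot poap enable' line."""
    enabled = False
    for line in config_text.splitlines():
        m = _POAP_LINE.match(line)
        if m:
            # Assumption: if the line occurs more than once, the last one wins.
            # A "no boot poap enable" line is handled defensively as disabled.
            enabled = m.group(1) is None
    return enabled


def audit_poap(running, startup):
    """Check both configs; return (compliant, findings)."""
    findings = []
    if poap_enabled(running):
        findings.append("running-config: 'boot poap enable' present")
    if poap_enabled(startup):
        # A startup-only hit means the setting would still apply at next boot.
        findings.append("startup-config: 'boot poap enable' present")
    return (not findings, findings)


# Constructed sample configs (not taken from a real device).
SAMPLE_RUNNING = """\
hostname lab-sw01
feature ssh
"""
SAMPLE_STARTUP = """\
hostname lab-sw01
feature ssh
boot poap enable
"""

if __name__ == "__main__":
    ok, findings = audit_poap(SAMPLE_RUNNING, SAMPLE_STARTUP)
    print("PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

The sample pair models a switch where POAP was disabled in the running configuration but the change was never saved, so the startup configuration still fails the check.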

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.

Updated on July 16, 2022