Network Device Security Policies

Having recently dipped my toes into the security world with the Security+ exam, I’ve been far more conscious of the risks to confidentiality, integrity and availability in my day-to-day work designing and supporting network infrastructure. In addition, I found a very small mention of network device security policies in the back of my CCNP Route 300-101 study book, which got me thinking that it would be nice to have some kind of checklist for myself and colleagues to run through against their clients’ network assets and evaluate whether all best practices have been followed.

I eventually produced a document broken into three sections (Routers, Switches and Firewalls, although the checklist can be applied to any network-connected asset), each containing a table with the headings Section, Advice, Implemented? and Evidence. The idea was that the reader would run through the checklist, record the current status of each item and attach evidence in case of any future audit. While some rows repeat between device types because of their fundamental nature, others focus on threats specific to the piece of hardware, such as VLANs for switches and ACL rules for routers.

Here is an example for a router – the additional items for a switch and firewall are below the table.

| Section | Advice |
|---|---|
| Passwords | Complex passwords used to secure device |
| | Passwords are appropriately documented |
| | Passwords are encrypted |
| | Passwords are regularly changed |
| Authentication | Login banner with appropriate warning |
| | Access is restricted to appropriate users/groups |
| Access | SSH used in place of Telnet, HTTPS in place of HTTP |
| | ACLs used to restrict source IPs for management of device |
| Services | CDP disabled on WAN |
| | NTP enabled for accounting and troubleshooting |
| Base filtering | RFC1918 IPs are filtered inbound from WAN interfaces |
| | Ping enabled only if required |
| | IP directed broadcasts filtered |
| | Additional ACL rules as per business requirements |
| Routing Protocols | Protected by authentication |
| Backups & Configuration | Configuration backups exist, are regularly taken and stored in an appropriate location |
| | Config changes alert the appropriate person / team |
| Availability | Thought is given to availability (HSRP / EtherChannel / dual-homed ISP) |
| | UPS devices are used where required |
| | Consideration given to location of failover devices to avoid both primary and secondary failure |
| Updates | OS is up to date and patched regularly |
| Physical Security | Device is secured from unauthorised access and console access is secured |
| | Unused ports are disabled |
| Documentation | The device is appropriately labelled and documented in any diagrams, IP spreadsheets, etc. |
| | Documentation is periodically reviewed |
| | Change management is in place |
| Additional | Where required, a vulnerability scan is performed to verify the integrity of the above controls |
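Several of the router rows (encrypted passwords, login banner, SSH instead of Telnet, management ACLs, CDP on the WAN, NTP, directed broadcasts) can be evidenced straight from a saved running-config, so here is an added example audit script that is not part of the original post. It parses a constructed IOS-style config and reports PASS/FAIL per checklist row; the config text, the section names and the “WAN in the interface description” heuristic are all assumptions for the example.

```python
# Constructed sample IOS-style running-config (not from the post); it deliberately fails some checks.
SAMPLE_CONFIG = """\
service password-encryption
banner motd ^Authorised access only^
ntp server 192.168.10.50
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.2 255.255.255.252
 no cdp enable
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

def parse_sections(config):
    """Group indented sub-lines under their parent (interface / line) statement."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            sections[current] = []
    return sections

def audit(config):
    """Return {checklist row: passed?} for the router rows that a config alone can evidence."""
    sections = parse_sections(config)
    ifaces = [b for n, b in sections.items() if n.startswith("interface ")]
    vtys = [b for n, b in sections.items() if n.startswith("line vty")]
    # Heuristic: any interface whose description mentions WAN is treated as Internet-facing.
    wan = [b for b in ifaces if any(l.startswith("description") and "WAN" in l.upper() for l in b)]
    return {
        "Passwords are encrypted": "service password-encryption" in sections,
        "Login banner with warning": any(s.startswith("banner ") for s in sections),
        "SSH used in place of Telnet": bool(vtys) and not any(
            l.startswith("transport input") and "telnet" in l for b in vtys for l in b),
        "ACLs restrict management source IPs": bool(vtys) and all(
            any(l.startswith("access-class") for l in b) for b in vtys),
        "CDP disabled on WAN": "no cdp run" in sections or all("no cdp enable" in b for b in wan),
        "NTP enabled": any(s.startswith("ntp server") for s in sections),
        # Directed broadcast is off by default on modern IOS; flag any interface that re-enables it.
        "IP directed broadcasts filtered": not any(l.startswith("ip directed-broadcast") for b in ifaces for l in b),
    }

for item, ok in audit(SAMPLE_CONFIG).items():  # stand-alone run prints a PASS/FAIL report
    print(f"[{'PASS' if ok else 'FAIL'}] {item}")
```

The FAIL lines map directly onto the Implemented? column; the matching config lines are the Evidence.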

Additional items for switch and firewall devices:

| Section | Advice |
|---|---|
| Switch | Dynamic switch ports are disabled and all ports are explicitly set as either trunk or access depending on requirements |
| | Ports with PortFast have BPDU Guard enabled |
| | STP root bridge is appropriately set by adjusting priority levels |
| Firewall | Site-to-site VPNs are documented |
| | Client VPNs use SSTP / SSL and not PPTP |
| | Authentication for VPN is secured against users’ AD credentials and 2FA |
| | Only users with business reasons are granted access to the VPN |
| | Outbound port 25 is filtered to only permitted mail servers |
