National Information Security & Safety Authority policies (also available as a PDF document)
Router and Switch Security Policy
Introduction
Routers and smart switches provide important security functions within a network. Configured correctly, they are one of several hardware and software controls that help manage and protect a private network from a public one. The Router and Switch Security Policy defines the configuration requirements needed to meet security standards, together with change management and operational requirements.
Purpose
This document is designed to protect the equipment and data of the (organization) and its business partners, and any data of which the (organization) is custodian, by defining the minimum configuration standards for all routers and switches connecting to the organizational network.
Scope
All employees, contractors, consultants, temporary and other workers who use network devices such as routers and switches must adhere to this policy. All routers and switches connected to (organization) networks are affected.
Policy
Every router/switch must meet the following configuration standards:
1. No local user accounts are configured on the router or switch. Routers and switches must use a dedicated AAA server (e.g. TACACS+) for all user authentication.
2. The enable secret must be used instead of the enable password.
3. The enable secret on the router or switch must be kept in a secure, encrypted (hashed) form.
4. The following services or features must be disabled:
- IP directed broadcasts (may be enabled only on a specific interface where remote management or administration tasks, such as backups of hosts in a subnet with no direct Internet connection, require it).
- Acceptance of incoming packets sourced from invalid addresses, such as RFC 1918 addresses (these must be dropped at the border).
- TCP small services.
- UDP small services.
- All web (HTTP/HTTPS) management services running on the device.
- Auto-configuration.
- Layer 2 device discovery protocols (e.g. CDP and LLDP) and other discovery protocols.
5. Routers, switches and/or their interfaces must have the following disabled:
- Proxy-ARP.
- ICMP unreachable messages.
- Fast switching and autonomous switching.
- Multicast route caching.
- Maintenance Operation Protocol (MOP).
6. The following services must be configured:
- Password-encryption
- Time syncing (NTP). All network clocks should be synced to a common time source.
7. All routing updates shall be exchanged securely, i.e. only with authenticated neighbours (see item 15).
8. Use (organization)-standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol supported by the combination of device and management systems (SNMPv3 with authentication and privacy where available).
9. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
10. Each router and switch must display a login banner informing users that access is restricted to authorized users. The following statement must be presented for all forms of login, whether remote or local:
“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action in accordance with regulation in force. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring.”
11. Telnet must never be used across any network to manage a router or switch, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
12. Routers and switches should be placed in a location where physical access is limited to authorized persons only.
13. The switch should disable a port or group of ports if new or unregistered MAC addresses appear on a port, where this feature (port security) is available.
14. The switch should generate an SNMP trap if a link drops and is re-established, where this feature is available.
15. Dynamic routing protocols must use authentication in routing updates sent to neighbors. (Password hashing for the authentication string must be enabled when supported).
16. The (organization) router configuration standard will define the category of sensitive routing and switching devices and will require additional services or configuration on those devices, including:
- IP access list accounting
- Device logging
- Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped.
17. Network configurations and changes must be documented and kept current so that the network's structure is understood. Network documentation should include:
- Network diagram
- System configurations
- Firewall rule set
- IP Addresses
- Access Control Lists
Wireless Communication Policy
Introduction
With the proliferation of smartphones and tablets, pervasive wireless connectivity is almost a given in any organization. An insecure wireless configuration can provide an easy open door for malicious actors.
A Wireless Communication Policy is necessary for computer security because there is demand for wireless equipment in every (organization) today. The policy could simply prohibit all wireless equipment, but that would be counterproductive, since it would likely lead some departments or individuals to violate the policy. It is better to set conditions and specify the equipment approved for wireless use in order to minimize the security risk associated with wireless.
Purpose
The purpose of this policy is to secure and protect the information assets owned by (Organization). (Organization) grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.
This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to a (Organization) network. Only those wireless infrastructure devices that meet the standards specified in this policy, or that are granted an exception by the Information Security Department, are approved for connectivity to a (Organization) network.
Scope
This policy applies to all wireless infrastructure devices that connect to a (Organization) network or reside on a (Organization) site and provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data. Therefore, all employees, contractors, consultants, temporary and other workers at (Organization), including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of (Organization), must adhere to this policy.
Policy
All wireless infrastructure devices that reside at a (Organization) site and connect to a (Organization) network, or provide access to information classified as (Organization) Confidential, or above must:
- Abide by the standards specified in the Wireless Communication Standard.
- Use (Organization) approved authentication protocols and infrastructure.
- Use (Organization) approved encryption protocols.
- Maintain a hardware address (MAC address) that can be registered and tracked.
To prevent abuse of the wireless network:
- Proper user authentication must be enforced, WEP must be replaced with a current encryption protocol, and an anomaly-tracking (wireless intrusion detection) mechanism must be in place on the wireless LAN.
- At the same time, the following suspicious events on the wireless LAN should always be considered for intrusion detection:
- Beacon frames from unsolicited (rogue) access points.
- Floods of unauthenticated frames, such as deauthentication frames (used in MITM and denial-of-service attacks).
- Frames with a duplicated MAC address.
- Randomly changing MAC addresses.
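The four suspicious events listed above are what a wireless intrusion detection sensor watches for. The script below is an added example, not part of the policy or of any product: it runs a simple detector for each event over a constructed list of 802.11 frame records (not a real capture). The authorized-AP list, the corporate SSID, all addresses and the thresholds are assumptions to be tuned per site. Duplicated-MAC detection relies on the 12-bit 802.11 sequence counter: a single station increments it monotonically (wrapping at 4096), so a frame whose sequence number steps backwards indicates a second radio transmitting with the same address. The random-MAC detector counts never-seen locally administered addresses (bit 0x02 of the first octet, which randomized MACs set); note that current phones randomize their address for probe requests by design, so in practice this detector needs a high threshold or should be applied only to associated stations.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set


@dataclass
class Frame:
    ts: float          # capture time in seconds
    kind: str          # "beacon", "deauth", "data" or "probe"
    src: str           # transmitter address
    bssid: str = ""
    ssid: str = ""
    seq: int = 0       # 802.11 sequence number, 12 bits (0..4095)


# Assumed deployment data and thresholds; tune to the site.
AUTHORIZED_APS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}
CORP_SSIDS = {"CorpWiFi"}
WINDOW = 2.0              # seconds
DEAUTH_THRESHOLD = 10     # deauth frames from one address per window
SEQ_TOLERANCE = 8         # small backward steps can be sniffer reordering
RANDOM_MAC_BURST = 5      # new locally administered addresses probing per window


def is_locally_administered(mac: str) -> bool:
    """Randomized MACs set the locally administered bit (0x02) of the first octet."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def detect(frames: List[Frame]) -> List[str]:
    alerts: List[str] = []
    flagged: Set[tuple] = set()                       # alert once per (detector, subject)
    deauth_times: Dict[str, Deque[float]] = defaultdict(deque)
    last_seq: Dict[str, int] = {}
    new_random_macs: Deque[float] = deque()
    seen: Set[str] = set()

    def alert(detector: str, subject: str, text: str) -> None:
        if (detector, subject) not in flagged:
            flagged.add((detector, subject))
            alerts.append(f"{detector}: {text}")

    for f in sorted(frames, key=lambda x: x.ts):
        # 1. Beacon from an AP we did not deploy; an evil twin if it advertises our SSID.
        if f.kind == "beacon" and f.bssid not in AUTHORIZED_APS:
            label = "evil twin" if f.ssid in CORP_SSIDS else "unauthorized AP"
            alert("rogue-ap", f.bssid, f"{label} {f.bssid} advertising '{f.ssid}'")

        # 2. Deauthentication flood: many deauths from one address inside the window.
        if f.kind == "deauth":
            q = deauth_times[f.src]
            q.append(f.ts)
            while f.ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD:
                alert("deauth-flood", f.src, f"{len(q)} deauth frames from {f.src} within {WINDOW}s")

        # 3. Duplicated MAC: a second transmitter using this address breaks the sequence counter.
        prev = last_seq.get(f.src)
        if prev is not None:
            backstep = (prev - f.seq) % 4096
            if SEQ_TOLERANCE < backstep < 2048:
                alert("mac-spoof", f.src, f"sequence number stepped back {backstep} for {f.src} ({prev} -> {f.seq})")
        last_seq[f.src] = f.seq

        # 4. Randomly changing MAC: burst of never-seen locally administered addresses probing.
        if f.kind == "probe" and f.src not in seen and is_locally_administered(f.src):
            new_random_macs.append(f.ts)
            while f.ts - new_random_macs[0] > WINDOW:
                new_random_macs.popleft()
            if len(new_random_macs) >= RANDOM_MAC_BURST:
                alert("random-mac", "burst", f"{len(new_random_macs)} new locally administered MACs probing within {WINDOW}s")
        seen.add(f.src)
    return alerts


def sample_capture() -> List[Frame]:
    """Constructed frame records (not a real capture) that trigger each detector."""
    ap, sta = "00:1a:2b:3c:4d:01", "3c:22:fb:11:22:33"
    frames = [
        Frame(0.0, "beacon", ap, bssid=ap, ssid="CorpWiFi", seq=1),
        Frame(0.1, "beacon", "aa:bb:cc:dd:ee:ff", bssid="aa:bb:cc:dd:ee:ff", ssid="CorpWiFi", seq=1),
        Frame(0.2, "beacon", "12:34:56:78:9a:bc", bssid="12:34:56:78:9a:bc", ssid="FreeWifi", seq=1),
        Frame(1.0, "data", sta, bssid=ap, seq=100),
        Frame(1.1, "data", sta, bssid=ap, seq=101),
        Frame(1.2, "data", sta, bssid=ap, seq=40),      # injected by an attacker cloning the station
        Frame(1.3, "data", sta, bssid=ap, seq=102),
    ]
    # Deauth flood forged with the real AP's address; the attacker's own counter starts elsewhere.
    frames += [Frame(10.0 + 0.04 * i, "deauth", ap, bssid=ap, seq=3000 + i) for i in range(12)]
    # A client cycling through randomized addresses while probing for the corporate SSID.
    frames += [Frame(20.0 + 0.2 * i, "probe", f"02:00:00:00:00:{i:02x}", ssid="CorpWiFi", seq=i) for i in range(5)]
    return frames


if __name__ == "__main__":
    for line in detect(sample_capture()):
        print("ALERT", line)
```

On the constructed capture the sequence-number detector fires twice: once for the cloned station, and once for the forged deauthentication frames, whose counter does not continue from the real AP's beacons. That second hit is the usual real-world signature of a deauth attack, and it arrives before the flood threshold is reached.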
Wireless encryption protocols
- WPA2 (Wi-Fi Protected Access 2) is the preferred wireless encryption protocol, instead of WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access), because WPA2 offers a much stronger encryption algorithm (AES-CCMP) with message authenticity and integrity validation, while WEP and WPA (TKIP) are considered vulnerable.
Network configurations and changes must be documented and kept current so that the network's structure is understood. Network documentation should include:
- Network diagram
- System configurations
- Firewall rule set
- IP Addresses
- Access Control Lists
Virtual Private Network (VPN) Policy
Introduction
A Virtual Private Network (VPN) is a secured private network connection that provides a convenient way to access internal network resources remotely over a public network (the Internet). A VPN offers secure access by protecting data while it travels over an untrusted network.
Purpose
The purpose of this policy is to provide guidelines for Remote Access IPsec or L2TP Virtual Private Network (VPN) connections to the (Organization) corporate network.
Scope
This policy applies to all (Organization) employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the (Organization) network. This policy applies to implementations of VPN that are directed through an IPsec Concentrator.
Policy
- It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to (Organization) internal networks through their VPN connection.
- VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
- When actively connected to the corporate network, VPNs will force all traffic to and from the PC used by the remote user over the VPN tunnel; all other traffic will be dropped.
- Dual (split) tunneling is NOT permitted; only one network connection is allowed. [Split tunneling allows two simultaneous, active connections, to the secure network (via VPN) and to a non-secure network, without disconnecting the VPN. This is a security vulnerability because it allows a direct path from the non-secured Internet into the VPN-secured network.]
- VPN gateways will be set up and managed by (Organization) network operational groups.
- All computers connected to (Organization) internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
- VPN users will be automatically disconnected from (Organization)'s network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. (Pings or other artificial network processes are not to be used to keep the connection open.)
- The VPN concentrator must be limited to an absolute connection time of 24 hours.
- Users of computers that are not (Organization)-owned equipment must configure the equipment to comply with (Organization)'s VPN and Network policies.
- By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of (Organization)'s network, and as such are subject to the same rules and regulations that apply to (Organization)-owned equipment.
- Network configurations and changes must be documented and kept current so that the network's structure is understood. Network documentation should include:
- Network diagram
- System configurations
- Firewall rule set
- IP Addresses
- Access Control Lists
Firewall Policy
Introduction
When a user connects to an insecure, open network such as the Internet, he opens a large doorway for potential attacks. One of the best ways to defend against exploitation from the insecure network is to employ firewalls at the connection point, as they are a necessity to safeguard the (Organization)'s private networks and communication facilities.
Purpose
Firewalls are defined as security systems that control and restrict network connectivity and network services. Firewalls establish a control point where access controls may be enforced. This document seeks to assist (Organization) in understanding the capabilities of firewall technologies and firewall policies.
Scope
This policy defines the essential rules regarding the management and maintenance of firewalls, and it applies to all firewalls owned, rented, leased, or otherwise controlled by (Organization).
- Review the rulesets to ensure that rules are ordered as follows (on first-match firewalls the order decides the outcome, so the anti-spoofing filters must come before any permit rule):
- Anti-spoofing filters (block private addresses and internal addresses appearing from the outside)
- User permit rules (e.g. allow HTTP to the public web server)
- Management permit rules (e.g. SNMP traps to the network management server)
- Deny and alert (alert the systems administrator about traffic that is suspicious)
- Deny and log (log remaining traffic for analysis)
- Application based firewall:
- In the case of dedicated server access, an application proxy firewall must be placed between the remote user and the dedicated server to hide the identity of the server.
- Ensure that administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall.
- Ensure that there is a process to keep the application level firewall's vulnerability checks current with the latest known vulnerabilities.
- Ensure that there is a process to update the software with the latest attack signatures.
- In the event of the signatures being downloaded from the vendor's site, ensure that it is a trusted site.
- In the event of the signatures being e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information has not been modified en route.
- The following commands should be blocked for SMTP at the application level firewall:
- EXPN (expand)
- VRFY (verify)
- DEBUG
- WIZARD
- The following command should be blocked for FTP:
- PUT
- Review the denied URLs and ensure that they are appropriate, e.g. URLs of known hacker sites should be blocked.
- Ensure that only authorized users are authenticated by the application level firewall.
- Stateful inspection
- Review the state tables to ensure that appropriate rules are set up in terms of source and destination IPs, source and destination ports, and timeouts.
- Ensure that the timeouts are appropriate so as not to give an attacker too much time to launch a successful attack.
- URL filtering
- If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. (If the filtering server is external to the (Organization), ensure that it is a trusted source.)
- If filtering on MAC addresses is allowed, review the filters to ensure that they are restricted to the appropriate MACs at the (Organization).
- Logging
- Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.
- Network Firewall administration logs (administrative activities) and event logs (traffic activity) should:
- Be written to alternate storage (not on the same device)
- Be reviewed at least daily, with logs retained for ninety (90) days.
- Patches and updates
- Ensure that the latest patches and updates for the firewall product are tested and installed.
- If patches and updates are automatically downloaded from the vendor's website, ensure that the update is received from a trusted site.
- In the event that patches and updates are e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information has not been modified en route.
- Vulnerability assessments / testing
- Ascertain that there is a procedure to test for open ports (e.g. with Nmap) and that unnecessary ports are closed.
- Ensure that there is a procedure to test the rulesets when established or changed, so as not to create a denial of service for the (organization) or allow any weaknesses to continue undetected.
- Compliance with security policy
- Ensure that the ruleset complies with the (organization) security policy.
- Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked as source addresses on external interfaces:
- Private (RFC 1918) addresses
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
- Reserved addresses
240.0.0.0 – 255.255.255.255 (240.0.0.0/4)
- Illegal addresses
0.0.0.0
- UDP echo
- ICMP broadcast (RFC 2644)
- Remote access
- If remote access is to be used, ensure that the SSH protocol (port 22) is used instead of Telnet.
- File Transfers
- If FTP is a requirement, ensure that the server, which supports FTP, is placed in a different subnet than the internal protected network.
- Mail Traffic
- Ascertain which protocol is used for mail and ensure that there is a rule blocking incoming mail traffic except to the internal mail servers.
- Block Unwanted ICMP Traffic (ICMP types 8, 11, 3)
- Ensure that there is a rule blocking ICMP echo requests and replies.
- Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.
- Critical servers
- Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources. This rule is based on the organizational requirements, since some (organizations) may allow traffic via a web application to be routed via a DMZ.
- Personal firewalls
- Ensure that laptop users are given appropriate training regarding the threats, the types of elements blocked by the firewall, and guidelines for operating the personal firewall. This element is essential, since personal firewalls often rely on a user prompt to respond to attacks, e.g. whether to accept or deny a request from a specific address.
- Review the security settings of the personal firewall to ensure that it restricts access to specific ports, protects against known attacks, and that there is adequate logging and user alerts in the event of an intrusion.
- Ensure that there is a procedure to update the software for any new attacks that become known.
Alternatively, most tools provide the option of receiving automatic updates over the Internet; in such cases ensure that updates are received from trusted sites.
- Distributed firewalls
- Ensure that the security policy is consistently distributed to all hosts especially when there are changes to the policy.
- Ensure that there are adequate controls to ensure the integrity of the policy during transfer, e.g. IPsec to encrypt the policy when in transfer.
- Ensure that there are adequate controls to authenticate the appropriate host.
Again, IPsec can be used for authentication with cryptographic certificates.
- Continued availability of Firewalls
- Ensure that there is a hot standby for the primary firewall.
- Network configurations and changes must be documented and kept current so that the network's structure is understood. Network documentation should include:
- Network diagram
- System configurations
- Firewall rule set
- IP Addresses
- Access Control Lists
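To make two requirements of the Firewall Policy concrete, the prescribed rule order (anti-spoofing, user permits, management permits, deny-and-alert, deny-and-log) and the list of spoofed, private and illegal source addresses under "Compliance with security policy", here is an added example that is not part of the policy and does not use any real firewall's syntax: a small first-match packet filter in Python whose rules follow the prescribed order, evaluated against constructed packets. The interface names, the organization's public prefix 203.0.113.0/24, the web server 203.0.113.10, the management server 10.20.0.5 and the port lists are assumptions. The `misordered_ruleset` function moves the anti-spoofing rules below the user permit to show why the order matters: a packet from 192.168.1.5 arriving on the outside interface is then permitted through to the web server.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Sources that must never arrive on the outside interface (policy: private, reserved, illegal).
BOGON_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "240.0.0.0/4",                                      # reserved
    "0.0.0.0/8", "127.0.0.0/8",                         # illegal / loopback
)]
OWN_PUBLIC = ip_network("203.0.113.0/24")   # assumed: the organization's own public range
WEBSERVER = ip_network("203.0.113.10/32")   # assumed: public web server in the DMZ
NMS = ip_network("10.20.0.5/32")            # assumed: network management server
DMZ = OWN_PUBLIC                            # assumed: DMZ devices that send SNMP traps


@dataclass
class Packet:
    iface: str     # interface the packet arrives on: "outside" or "dmz"
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    name: str
    action: str                                 # "permit", "deny-alert" or "deny-log"
    iface: Optional[str] = None                 # None = any
    src: Optional[List[IPv4Network]] = None
    dst: Optional[List[IPv4Network]] = None
    proto: Optional[str] = None
    dports: Optional[Tuple[int, ...]] = None

    def matches(self, p: Packet) -> bool:
        s, d = ip_address(p.src), ip_address(p.dst)
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or any(s in n for n in self.src))
                and (self.dst is None or any(d in n for n in self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


def policy_ruleset() -> List[Rule]:
    """Rules in the order the policy prescribes; the last rule is the catch-all."""
    return [
        Rule("anti-spoof: bogon source", "deny-log", iface="outside", src=BOGON_SOURCES),
        Rule("anti-spoof: own address from outside", "deny-log", iface="outside", src=[OWN_PUBLIC]),
        Rule("user: HTTP/HTTPS to public web server", "permit", iface="outside",
             dst=[WEBSERVER], proto="tcp", dports=(80, 443)),
        Rule("management: SNMP traps to NMS", "permit", iface="dmz",
             src=[DMZ], dst=[NMS], proto="udp", dports=(162,)),
        Rule("deny+alert: management ports from outside", "deny-alert", iface="outside",
             dports=(22, 23, 161, 162)),
        Rule("deny+log: everything else", "deny-log"),
    ]


def misordered_ruleset() -> List[Rule]:
    """Same rules with anti-spoofing placed after the user permit (the mistake to avoid)."""
    rs = policy_ruleset()
    return [rs[2]] + rs[0:2] + rs[3:]


def evaluate(ruleset: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins, as on most packet filters."""
    for r in ruleset:
        if r.matches(p):
            return r.action, r.name
    raise ValueError("ruleset lacks a catch-all rule")


# Constructed test packets (not captured traffic).
SAMPLE_PACKETS = [
    Packet("outside", "192.168.1.5", "203.0.113.10", "tcp", 80),     # RFC 1918 source from the Internet
    Packet("outside", "203.0.113.77", "203.0.113.10", "tcp", 443),   # our own address arriving from outside
    Packet("outside", "0.0.0.0", "203.0.113.10", "tcp", 80),         # illegal source
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),   # legitimate web client
    Packet("dmz", "203.0.113.10", "10.20.0.5", "udp", 162),          # SNMP trap to the NMS
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 22),    # SSH attempt from the Internet
    Packet("outside", "198.51.100.7", "203.0.113.10", "udp", 53),    # anything else
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, rule = evaluate(policy_ruleset(), pkt)
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst}:{pkt.dport:<4} {pkt.proto:4} => {action:10} ({rule})")
    print("misordered ruleset on the spoofed packet:", evaluate(misordered_ruleset(), SAMPLE_PACKETS[0]))
```

The two deny actions are deliberately distinct: "deny-alert" is for traffic that should page somebody (here, management ports probed from the Internet), while the final "deny-log" catch-all only records. Both still log, which is what makes the ruleset review described above possible.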