Routers and smart switches provide important security functions within a network. Configured correctly, they are one of several hardware and software devices available that help manage and protect a private network from a public one. The Router and Switch Security Policy defines configuration requirements to meet security standards, change management requirements, and operational requirements.
This document is designed to protect the equipment and data of the (organization) and its business partners, and any data the (organization) has in its custody, by defining the minimum configuration standards for all routers and switches connecting to the organizational network.
All employees, contractors, consultants, temporary and other workers who use network devices such as routers and/or switches must adhere to this policy. All routers and switches connected to the network are affected.
Every router/switch must meet the following configuration standards:
5. Routers and switches and/or interfaces should disallow the following:
6. The following services must be configured:
7. All routing updates shall be done using secure routing updates.
8. Use (organization) standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.
9. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
10. Each router must have a login banner informing potential users that the login is for authorized users only. The following statement must be presented for all forms of login, whether remote or local:
“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action in accordance with regulation in force. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring.”
11. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
12. Routers and switches should be placed in a location where physical access is limited to authorized persons only.
13. The switch should disable a port or group of ports if new or unregistered MAC addresses appear on a port, where the feature is available.
14. The switch should generate an SNMP trap if a link drops and is re-established, where the feature is available.
15. Dynamic routing protocols must use authentication in routing updates sent to neighbors. (Password hashing for the authentication string must be enabled when supported.)
16. The (organization) router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:
17. Network configurations and changes must be documented regularly so that the network's structure is understood. Network documentation should include:
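An added example, not part of the policy, of checking a device configuration against several of the standards above: a small Python audit over a constructed IOS-style configuration that looks for default SNMP community strings (item 8), a login banner (item 10), Telnet on management lines and SSH version 2 (item 11), port security on access ports (item 15) and MD5-authenticated OSPF (item 17). The sample configuration text, the interface names and the "item" labels in the findings are assumptions for illustration.

```python
import re
# Constructed IOS-style configuration used as sample input (not from the policy).
SAMPLE_CONFIG = """\
snmp-server community public RO
banner login ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
^C
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
interface FastEthernet0/5
 switchport mode access
line vty 0 4
 transport input telnet ssh
"""
DEFAULT_COMMUNITIES = {"public", "private"}

def interface_blocks(lines):
    """Map each interface name to the list of its indented config lines."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks

def audit_config(config):
    """Return policy findings; item numbers refer to the standards above."""
    lines = config.splitlines()
    findings = []
    for line in lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"item 8: default SNMP community '{m.group(1)}' present")
        if line.strip().startswith("transport input") and "telnet" in line.split():
            findings.append("item 11: Telnet allowed on a management line")
    if not any(l.startswith("banner login") for l in lines):
        findings.append("item 10: no login banner configured")
    if "ip ssh version 2" not in lines:
        findings.append("item 11: SSH version 2 not enforced")
    for name, body in interface_blocks(lines).items():
        if "switchport mode access" in body and not any(b.startswith("switchport port-security") for b in body):
            findings.append(f"item 15: access port {name} lacks port security")
        if any(b.startswith("ip ospf") for b in body) and not any(" md5 " in b for b in body):
            findings.append(f"item 17: OSPF on {name} without MD5 authentication")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the default community, the Telnet transport, the missing SSH v2 setting and the unprotected access port; the OSPF interface passes because its key uses MD5.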
With the mass explosion of Smart Phones and Tablets, pervasive wireless connectivity is almost a given at any organization. Insecure wireless configuration can provide an easy open door for malicious threat actors.
A Wireless Communication Policy is necessary for computer security, since there is demand for wireless equipment in every (organization) today. The Wireless Communication Policy could specify that no wireless equipment may be used, but this would not work well, since it may cause some departments or individuals to violate the policy. It is best to set conditions and specify the equipment approved for wireless use, in order to minimize the security risk associated with wireless.
The purpose of this policy is to secure and protect the information assets owned by (Organization). (Organization) grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.
This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to the (Organization) network. Only those wireless infrastructure devices that meet the standards specified in this policy, or that have been granted an exception by the Information Security Department, are approved for connectivity to a (Organization) network.
This policy applies to all wireless infrastructure devices that connect to a (Organization) network or reside on a (Organization) site and provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data. Therefore, all employees, contractors, consultants, temporary and other workers at (Organization), including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of (Organization), must adhere to this policy.
All wireless infrastructure devices that reside at a (Organization) site and connect to a (Organization) network, or provide access to information classified as (Organization) Confidential, or above must:
To stop the possible abuse of wireless network:
Wireless encryption protocols
Network configurations and changes must be documented regularly so that the network's structure is understood. Network documentation should include:
A Virtual Private Network (VPN) is a secured private network connection that provides a convenient way to access internal network resources remotely over a public network (the Internet). A VPN offers secure access by providing a means to protect data while it travels over an untrusted network.
The purpose of this policy is to provide guidelines for Remote Access IPsec or L2TP Virtual Private Network (VPN) connections to the (Organization) corporate network.
This policy applies to all (Organization) employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the (Organization) network. This policy applies to implementations of VPN that are directed through an IPsec Concentrator.
When a user connects to an insecure, open network such as the Internet, they open a large doorway for potential attacks. One of the best ways to defend against exploitation from the insecure network is to employ firewalls at the connection point, as this is a necessity to safeguard the (Organization)'s private networks and communication facilities.
Firewalls are defined as security systems that control and restrict network connectivity and network services. Firewalls establish a control point where access controls may be enforced. This document seeks to assist (Organization) in understanding the capabilities of firewall technologies and firewall policies.
This policy defines the essential rules regarding the management and maintenance of firewalls, and it applies to all firewalls owned, rented, leased, or otherwise controlled by (Organization).
For URLs
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
240.0.0.0
0.0.0.0
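As an added illustration that is not part of the policy, and assuming the ranges listed above are source addresses a perimeter firewall should never accept from the Internet, the following Python converts the list to CIDR networks and flags constructed log lines where such a source arrives on the external interface. The two single addresses are read as the reserved blocks 0.0.0.0/8 and 240.0.0.0/4, and the log format ("iface src dst action") is hypothetical.

```python
import ipaddress

# Ranges from the list above, converted to CIDR networks. Assumption: the two
# single addresses stand for the reserved blocks 0.0.0.0/8 and 240.0.0.0/4.
def range_to_networks(first, last):
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

BLOCKED_SOURCES = (
    range_to_networks("10.0.0.0", "10.255.255.255")
    + range_to_networks("172.16.0.0", "172.31.255.255")
    + range_to_networks("192.168.0.0", "192.168.255.255")
    + [ipaddress.ip_network("0.0.0.0/8"), ipaddress.ip_network("240.0.0.0/4")]
)

# Constructed firewall log lines in a hypothetical "iface src dst action" format.
SAMPLE_LOG = """\
outside 10.3.4.5 203.0.113.10 permit
outside 198.51.100.7 203.0.113.10 permit
outside 192.168.1.20 203.0.113.25 permit
inside 10.3.4.5 198.51.100.7 permit
outside 0.0.0.0 203.0.113.10 permit
"""

def is_blocked_source(ip):
    """True if ip falls in a range that should never be a source on the outside."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_SOURCES)

def spoofed_ingress(log, external_iface="outside"):
    """Return log lines where a packet entered on the external interface with a
    source from the blocked list (likely spoofed, or a rule that is too permissive)."""
    hits = []
    for line in log.splitlines():
        iface, src, _dst, _action = line.split()
        if iface == external_iface and is_blocked_source(src):
            hits.append(line)
    return hits
```

The same private source on the inside interface is not flagged, since internal hosts are expected to use those addresses; only their appearance on the Internet-facing side is anomalous.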
Alternatively, most tools provide the option of transferring automatic updates via the Internet. In such instances, ensure that updates are received from trusted sites.
Again, IPsec can be used for authentication with cryptographic certificates.
Authority Membership