Router Security Policy
Version: 1.00 | Issue Date: 12/8/2014
This is an example Router Security Policy. A Router Security Policy is required to keep the internal organizational network secure and functional since routers are an important and necessary part of the network.
This Router Security Policy describes minimum configuration standards for all routers and switches connecting to the organizational network. It defines configuration requirements to meet security standards, change management requirements, and operational requirements.
DMZ - The term DMZ is an acronym for demilitarized zone. The DMZ is a part of a network where servers that may be accessed by the public are normally placed. The DMZ is normally between the internet and the "trusted network" and is separated by a firewall from the internet and from the trusted part of the network. The DMZ is considered to be a semi-trusted network and is more secure than the internet but less secure than the trusted part of the network since the servers accessed by the public have a higher risk with a greater chance of security incidents.
Untrusted network - Any network that is not trusted by your organization. A firewall must exist between it and your organization's semi-trusted or trusted network. Any network not managed by your organization should not be trusted since you cannot guarantee the security of that network.
Semi-trusted network - Another name for DMZ.
Trusted network - A part of the network protected from the internet and any untrusted network using a firewall. It is also protected from the semi-trusted network using a firewall. Normally workstations and servers that hold data are kept in the trusted network although there is good reason to keep the servers with sensitive data protected from the "trusted network" considering the state of security on many networks.
This Router Security Policy is designed to protect the equipment and data of the organization and its business partners or any data the organization is in custody of by defining the minimum configuration standards for all routers and switches connecting to the organizational network.
This Router Security Policy applies to any routers or switches connected to the organizational network or operating in the organizational network. This policy is effective as of the issue date and does not expire unless superseded by another policy.
4.0 Router Configuration
These requirements are specific for the routers.
All routers must be listed in the enterprise management system with appropriate contact information for administrators and owners according to section 4 of the Internet DMZ Equipment Policy.
All routers shall be configured to only accept route updates from authorized routers. Where possible, secure authentication methods shall be used to verify that any router sending route updates is authentic.
Source routing shall not be allowed. Source-routed packets shall be blocked at all firewalls with no exceptions. Source-routed packets shall be blocked at all routers but may be allowed for network diagnostic reasons for short periods of time if the Chief Security Officer gives permission in writing. Source routing allows the sender of a network packet to specify the route the packet should take to its destination. It is normally used to diagnose problems on a network but can be used by attackers to get data to a machine that would not normally be reachable, such as one on a private network.
Services considered to be "TCP small services" or "UDP small services" such as uucp, ntalk, echo, chargen, daytime, time and discard should not be allowed through routers unless specifically required.
IP broadcasts should not be allowed through routers.
Packets that have invalid source addresses shall be blocked at the firewall or router.
Web services are not allowed to run on routers and routers should be "hardened" with only essential services operating.
Management of the router shall only be done locally through the managed port or remotely over an encrypted connection.
The "enable password" function must not be used. The "enable secret" password function shall be used rather than "enable password" or the "service password-encryption" methods. This is because the "enable password" method will allow the password to be stored unencrypted. The "service password-encryption" method will encrypt the password but uses weak encryption in Cisco equipment.
Since the use of "local user accounts" is an older, less secure configuration mode and requires the "service password-encryption" method, which uses weak encryption, the use of "local user accounts" is not allowed on Cisco equipment where newer, more secure methods are available. AAA authentication ("aaa new-model") shall be used where possible.
SNMP Community strings for writing shall not be used unless absolutely required for network functionality.
Any use of SNMP community strings must meet minimum complexity requirements. The minimum complexity requirements for an SNMP community string are a length of at least 12 characters, with at least one lowercase character, at least one uppercase character, at least one numeric character, and at least one special character such as !@#$%* or &.
If possible, router management and updates should take place on a separate out-of-band network rather than on the network that the router provides service to.
5.0 Router Requirements
The following message shall be clearly attached to all routers and, where possible, should be included in a banner statement displayed when anyone logs into the router.
"UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
Explicit permission to access or make any changes
to this device must be obtained prior to any access.
All activities on this device are logged.
No right to privacy exists when accessing this device.
Unauthorized or illegal use may be prosecuted"
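The configuration requirements of section 4.0 and the banner requirement of section 5.0 can be checked mechanically against a device's running configuration. The following audit script is an added example and is not part of the original policy or of any vendor tool. It assumes Cisco IOS command syntax for the settings the policy names (enable secret, aaa new-model, service password-encryption, snmp-server community, banner login); the two sample configurations and the hash placeholder in the "enable secret" line are constructed for illustration and are not taken from any real device.

```python
"""Audit an IOS-style running configuration against sections 4.0 and 5.0
of the Router Security Policy. Added example; sample configs are constructed."""
import re

# Section 4.0: SNMP community string complexity rule
SNMP_MIN_LEN = 12
SNMP_SPECIALS = set("!@#$%*&")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.IGNORECASE)


def community_is_complex(s: str) -> bool:
    """True if the community string meets the policy's length and class rules."""
    return (len(s) >= SNMP_MIN_LEN
            and any(c.islower() for c in s)
            and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s)
            and any(c in SNMP_SPECIALS for c in s))


def audit_config(config: str) -> list:
    """Return a list of policy findings; an empty list means no finding."""
    lines = [ln.strip() for ln in config.splitlines()]
    present = set(lines)
    findings = []

    # 4.0: source routing must be disabled (IOS forwards it by default)
    if "no ip source-route" not in present:
        findings.append("source routing not disabled (add 'no ip source-route')")
    # 4.0: IP broadcasts must not be forwarded (interface-level command)
    if "ip directed-broadcast" in present:
        findings.append("directed broadcasts enabled on an interface")
    # 4.0: TCP/UDP small services; only an explicit enable is flagged because
    # current IOS releases default them off and omit the 'no' form
    for svc in ("tcp", "udp"):
        if f"service {svc}-small-servers" in present:
            findings.append(f"{svc} small services explicitly enabled")
    # 4.0: no web services on routers
    if "ip http server" in present or "ip http secure-server" in present:
        findings.append("HTTP management server enabled")
    # 4.0: enable secret, not enable password; AAA instead of local accounts
    if any(ln.startswith("enable password") for ln in lines):
        findings.append("'enable password' in use")
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("'enable secret' not configured")
    if "aaa new-model" not in present:
        findings.append("'aaa new-model' not configured")
    # 4.0: SNMP write communities and community complexity
    for ln in lines:
        m = SNMP_RE.match(ln)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            if mode == "RW":
                findings.append(f"write community configured: {community}")
            if not community_is_complex(community):
                findings.append(f"community string fails complexity rule: {community}")
    # 4.0: remote management only over an encrypted connection
    for ln in lines:
        if ln.startswith("transport input") and ("telnet" in ln or ln.endswith("all")):
            findings.append(f"unencrypted remote management allowed: '{ln}'")
    # 5.0: warning banner present with the required text
    if (not any(ln.startswith("banner") for ln in lines)
            or "UNAUTHORIZED ACCESS" not in config.upper()):
        findings.append("login banner with the section 5.0 warning text is missing")
    return findings


# Constructed sample: violates most of section 4.0 and lacks the banner
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet
"""

# Constructed sample meeting the policy; the secret hash is a placeholder
HARDENED_CONFIG = """\
hostname edge-rtr-1
aaa new-model
enable secret 5 $1$EXAMPLE$placeholderhash
no ip source-route
no ip http server
no ip http secure-server
snmp-server community Rd0nly!Str1ng-42 RO
banner login ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
All activities on this device are logged.
^C
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against a saved "show running-config" output, the script lists each policy deviation; the hardened sample yields no findings and the weak sample yields eleven. Because it matches on exact command text, it is a baseline check for auditors (section 10.0), not a substitute for reviewing interface-level settings and ACLs on each device.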
7.0 Router and Switch Configurations
Routers and Switches should use extra security functions to control traffic where applicable such as Access Control Lists (ACLs) and Virtual LANs (VLANs).
All connections should be clearly labeled and documented according to the Network Documentation Policy.
Ports not required for use should be deactivated.
8.0 Device Requirements and Internet DMZ Equipment Policy
All devices in this policy must adhere to requirements listed in the Internet DMZ Equipment Policy which provides additional requirements specific to the platform and the maintenance of it.
Organizational members who do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
10.0 Additional Requirements
Senior management must ensure that this policy is published and users agree to abide by the policy.
Auditors must periodically check to be sure this policy is being followed.
Routers must be covered by disaster recovery and business continuity plans.
Approved by:__________________________ Signature:_____________________ Date:_______________