NSLGROUPROUTERSECURITYPOLICY PURPOSE: AllroutersatNSLshouldfollowtheConfigurationstandardsasmentionedinthisdocument,and changemadetotheconfigurationofanyroutersshouldbedocumented. Scope: AllroutersconnectedtoNSLsProductionNetworkareaffected. Policy: EveryRouteratNSLshouldbeconfiguredaspertheConfigurationstandardsmentionedbelow a) ThereshouldnotbeanyLocaluseraccountconfiguredontherouter,ifconfiguredshouldbe givenminimalprivileges. b) TheEnablepasswordshouldbeinencryptedform. c) Disallowunusedservices. d) AccessRulesasperbusinessNeeds.

e) NSLRouterSecurityConfigurationStandardsasperthebelowmentionedTable
Questions NSL GROUP YES YES STANDARD INFORMATION

ROUTER POLICY DISABLE UNUSED INTERFACES

Router Policy YES YES a whole bunch of services come enabled by default on the router, should ensure that all the unused services/interfaces are disabled to secure the router. dns lookups - if we wish to use ping or traceroute commands with a hostname rather than an ip address. used for router diagnostics, enabling these services would open up path for fraggle attack. cdp which is used to obtain information such as ip address, platform type of the neighboring cisco devices should be disabled on the router if not used by any application.

DNS LOOKUPS TURNED OFF

NO

YES

TCP SMALL SERVERS/UDP SMALL SERVERS ENABLED CISCO DISCOVERY PROTOCOL ENABLED

NO

NO

NO

NO

NOTE:Thisdocumentisintendedforinternaluseonly.Duplicationisprohibitedwithoutwritten permissionfromNSLGROUP.


FINGER SERVICE ENABLED NO NO finger service can be used to gain the information of the router, a special dos attack called finger of death uses the finger service to start a reconnaissance attacks. The Bootp server service which is enabled by default allows other routers to boot from this router. Directed broadcasts permit a host on one LAN segment to initiate a physical broadcast on a different LAN segment. This feature should be disabled on the router as it could be used in denial-of-service attacks. The following command is used to disable the service. Source routing is a feature that allows individual packets to specify routes. This is used in various attacks. Proxy ARP helps in extending a LAN at layer 2 across multiple segments thereby breaking the LAN security perimeter. The three ICMP messages that are commonly used by attackers for network mapping and diagnosis are: Host unreachable, 'Redirect' and 'Mask Reply'. Automatic generation of these messages should be disabled on all interfaces, especially those connected to untrusted networks.

BOOTP SERVICE DISABLED

YES

YES

DIRECTED BROADCAST DISABLED

YES

YES

SOURCE ROUTING ENABLED

NO

NO

PROXY ARP ENABLED

NO

NO

ICMP REDIRECTS DISABLED

YES

YES

Password Encryption PASSWORD ENCRYPTION ENABLED "ENABLE SECRET" ENABLED FOR "EN" UNIQUE PASSWORDS FOR ALL ROUTERS YES YES YES YES Passwords should appear encrypted when viewed through the configuration file. The enable secret command should be enabled to implement MD5 hashed password on enable mode. The enable secret password should be unique across each router. If the routers are too many, instead of keeping a single enable secret password for all, the password could be different for routers in different zones. Login banners should be used as a preventive measure against unauthorized access to the routers. These parameters should be defined on the console port to reduce the chance of an unauthorized access on the console port. The aux port should be disabled if there is no business need for the same.

YES

YES

MOTD BANNER DEFINED

NO

YES

PASSWORD DEFINED FOR THE CONSOLE PORT

YES

YES

AUX PORT DISABLED

YES

YES

NOTE:Thisdocumentisintendedforinternaluseonly.Duplicationisprohibitedwithoutwritten permissionfromNSLGROUP.


PASSWORD DEFINED ON VTY LINES YES YES The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They are virtual, in the sense that they are a funtion of software - there is no hardware associated with them. They appear in the configuration as line vty 0 4. If the vty lines use telnet as the transport protocol, it is advisable to restrict access to certain IP Addresses only since telnet transmits data in clear text. Router passwords need to be changed periodically, typically once every 4-6 months depending on the functionality of the router. All password defined on the router should meet the following criteria: SSH is a preferred protocol over Telnet for vty access since it encrypts the data while in transit on the network. The Telnet protocol transfers data in clear text thereby allowing an intruder to sniff valuable data such as passwords.

VTY LINES RESTRICTED TO CERTAIN IP ADDRESSES

NO

YES

ROUTERS PASSWORD CHANGE POLICY

EVERY 6-7 MONTHS NO NO

YES

ROUTER PASSWORDS MEET COMPLEXITY STANDARDS SSH USED

YES YES

TELNET FOR MANAGEMENT OF ROUTERS Administrator Authentication ROUTER AUTHENTICATION THRU LOCAL USERS DOCUMENT FOR CREATION OF USERS UNIQUE ACCOUNT FOR EACH ADMINISTRATOR LOGGING OF USERS ENABLED

NO

NO

YES NO YES YES YES Only 3 users created for Router Management Each router administrator should have a unique account for him/her to maintain accountability. A detailed log of every command typed on the router as well as when an administrator logged in or out can be recorded for audit purposes. All user accounts should be assigned the lowest privilege level that allows them to perform their duties. This service allows the router to be monitored or have its configuration modified from the web browser. SHOULD BE DISABLED IF NOT IN USE Router configurations should be backed up periodically depending on importance and frequency of changes made to the configuration.

NO

YES

USER PRIVILEDGES DEFINED

YES

YES

Management Access HTTP/HTTPS USED FOR ROUTER MANAGEMENT NTP SERVICE USED Configuration Maintenance BACKUP SCHEDULE 6 MONTHS NO NO

NO

NO

NOTE:Thisdocumentisintendedforinternaluseonly.Duplicationisprohibitedwithoutwritten permissionfromNSLGROUP.


BACKUP TO DR SITE TFTP PROTOCOL USED NO NO YES NO Backup copies should be maintained offsite for quick recovery during a disaster. The TFTP protocol which is disabled by default transfers files in clear text and hence is unsafe to use.

CHANGES DOCUMENTED ROUTER REDUNDANCY AWARENESS OF LATEST VULNERABILITIES

YES NO YES

YES YES YES The network engineer should receive periodic updates on the vulnerabilities and patches affecting the router.

f) Eachroutermusthavethefollowingstatementpostedinclearview: "UNAUTHORIZEDACCESSTOTHISNETWORKDEVICEISPROHIBITED.Youmusthaveexplicit permissiontoaccessorconfigurethisdevice.Allactivitiesperformedonthisdevicemaybe logged,andviolationsofthispolicymayresultindisciplinaryaction,andmaybereportedto lawenforcement.Thereisnorighttoprivacyonthisdevice." Documentedby:InformationTechnology Company:NSLGroup [FORINFORMATIONTECHNOLOGY]

NOTE:Thisdocumentisintendedforinternaluseonly.Duplicationisprohibitedwithoutwritten permissionfromNSLGROUP.