Router and Switch Security Policy

1.0 Purpose

Routers and switches form the backbone of the organization's network infrastructure. Their secure configuration is paramount to maintaining network integrity and availability and to protecting data traversing the network. This standard establishes the minimum required security configuration for all routers and switches connected to or operating within the organization's production network environment, in order to mitigate the risks associated with misconfiguration and unauthorized access.

2.0 Scope

This standard applies to all employees, contractors, consultants, temporary staff, vendors, and other personnel responsible for the configuration, management, or operation of routers and switches connected to the organization's production networks. It covers all such devices owned or managed by the organization.

3.0 Standard Requirements

All routers and switches within the scope of this standard must adhere to the following minimum security requirements:
3.1 Authentication and Access Control

* **Centralized Authentication:** Local user accounts must be disabled. All administrative authentication to routers and switches must use the organization's approved centralized authentication system (e.g., TACACS+, RADIUS) integrated with its identity stores.
* **Enable/Privileged Mode Security:** Access to privileged ('enable') mode must be secured. The enable password/secret must be stored in a secure, encrypted format on the device and must comply with the organization's password complexity and management policies. Enable passwords should be managed centrally where possible and rotated regularly.
* **Management Access Protocols:** Secure protocols must be used for administrative access. SSH version 2 is the required protocol for remote command-line access. Telnet is strictly prohibited unless tunnelled over a secure, encrypted connection (e.g., IPsec VPN) that protects the entire communication path.
* **Access Control Lists (ACLs):** Infrastructure ACLs must be implemented to restrict management access (SSH, SNMP, NTP, TACACS+/RADIUS source IPs, etc.) to the device itself, permitting connections only from authorized management subnets or hosts. ACLs for traffic transiting the device are to be added as business needs arise.
* **Console/Aux Port Security:** Physical console and auxiliary port access must be controlled through physical security measures and may require additional authentication controls.
3.2 Service Hardening

The following services and features must be **disabled** unless a specific, documented, and approved business justification exists:

* IP Directed Broadcasts
* TCP Small Services (echo, discard, chargen, daytime)
* UDP Small Services (echo, discard, chargen, daytime)
* IP Source Routing
* Proxy ARP (unless specifically required and approved)
* HTTP/HTTPS server (web interface) for device management (unless specifically approved with strong authentication)
* Telnet server
* FTP server
* Configuration auto-loading features
* Vendor-specific discovery protocols (e.g., CDP, LLDP) on interfaces facing untrusted networks (e.g., Internet, external partners). Internally, these may be required for specific network functions (e.g., VoIP phone discovery) and should otherwise be disabled unless a business justification is provided.
* Dynamic Trunking Protocol (DTP) on switch ports (configure ports statically as access or trunk).
* Scripting environments (e.g., TCL shell) unless explicitly required for approved automation tasks.
3.3 Secure Configuration Settings

* **Password Encryption:** The service that encrypts passwords stored in the device configuration (e.g., `service password-encryption` or equivalent) must be enabled. (This provides only obfuscation; stronger protection depends on centralized authentication and restricted configuration access.)
* **Network Time Protocol (NTP):** Devices must be configured to synchronize their time with approved, redundant internal NTP sources traceable to a reliable external standard.
* **Simple Network Management Protocol (SNMP):**
  * If SNMP is used, default community strings (e.g., "public", "private") must be removed or changed to strong, complex values compliant with the Password Policy.
  * SNMP access must be restricted using ACLs to authorized management stations only.
  * SNMPv3, which provides encryption and authentication, is the required version. Use of SNMPv1 or v2c requires a documented exception and strong justification.
* **Logging:** Devices must be configured to log security-relevant events (logins, configuration changes, ACL denials) to the organization's centralized logging system (SIEM) via secure syslog, in accordance with the Audit Logging Policy.
* **Login Banner:** The following standard warning banner (or an organization-approved equivalent) must be configured and presented for all login attempts, whether remote or local (console, SSH):

"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."
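The requirements in 3.1 through 3.3 can be verified mechanically against a device's running configuration. The following script is added here as an illustration and is not part of the standard or of any vendor tool: it audits an IOS-style configuration (the sample below is constructed, including the placeholder secret, the community strings and the ACL number 10) against a subset of those requirements: local accounts, AAA to TACACS+/RADIUS, SSH-only vty lines with an access-class, source routing and small services, directed broadcast and proxy ARP per interface, password encryption, redundant NTP, SNMP community hygiene and SNMPv3, central logging, and the warning banner.

```python
import re

# Constructed sample running configuration (not from any real device): partially
# hardened, but it still violates several requirements on purpose.
SAMPLE_CONFIG = """\
service password-encryption
no ip source-route
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 secret PLACEHOLDER-ONLY
ip ssh version 2
snmp-server community public RO
snmp-server community CHANGEME-STRONG RO 10
ntp server 10.0.0.10
logging host 10.0.5.20
banner login ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
^C
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip proxy-arp
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""

# IOS shows a feature only when it differs from the default, so features that
# are on by default (source routing, proxy ARP) must appear as explicit "no" lines,
# while default-off services are violations simply by being present.
MUST_BE_PRESENT = {"3.1": ["aaa new-model", "ip ssh version 2"],
                   "3.2": ["no ip source-route"], "3.3": ["service password-encryption"]}
MUST_BE_ABSENT = {"3.2": ["service tcp-small-servers", "service udp-small-servers",
                          "ip http server", "ip http secure-server", "service config"]}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_blocks(config):
    """Group lines into (header, [indented children]); indented lines belong to
    the preceding unindented header (interface, line vty, ...)."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return (section, message) findings; an empty list means no violation found."""
    blocks = parse_blocks(config)
    top = [header for header, _ in blocks]
    findings = []
    for section, stmts in MUST_BE_PRESENT.items():
        findings += [(section, f"missing '{s}'") for s in stmts if s not in top]
    for section, stmts in MUST_BE_ABSENT.items():
        findings += [(section, f"'{s}' must be disabled") for s in stmts if s in top]

    # 3.1: no local accounts, AAA to TACACS+/RADIUS, SSH-only vty lines with an ACL.
    for h in top:
        if h.startswith("username "):
            findings.append(("3.1", f"local user account configured: {h.split()[1]}"))
    if not any(re.match(r"aaa authentication login .*group (tacacs\+|radius)", h) for h in top):
        findings.append(("3.1", "login authentication does not use TACACS+/RADIUS"))
    for header, children in blocks:
        if header.startswith("line vty"):
            for c in children:
                if c.startswith("transport input") and "telnet" in c:
                    findings.append(("3.1", f"{header}: telnet permitted ({c})"))
            if not any(c.startswith("access-class") for c in children):
                findings.append(("3.1", f"{header}: no access-class restricting management sources"))
        # 3.2 per interface: directed broadcast off, proxy ARP explicitly disabled.
        elif header.startswith("interface "):
            if "ip directed-broadcast" in children:
                findings.append(("3.2", f"{header}: IP directed broadcast enabled"))
            if "no ip proxy-arp" not in children:
                findings.append(("3.2", f"{header}: proxy ARP not disabled"))

    # 3.3: redundant NTP, SNMP hygiene, central logging, warning banner.
    if sum(h.startswith("ntp server ") for h in top) < 2:
        findings.append(("3.3", "fewer than two NTP sources configured"))
    communities = [m for m in (re.match(r"snmp-server community (\S+)(.*)", h) for h in top) if m]
    for m in communities:
        name, rest = m.group(1), m.group(2).split()
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("3.3", f"default SNMP community string in use: {name}"))
        if not [t for t in rest if t not in ("RO", "RW")]:  # nothing after RO/RW: no ACL
            findings.append(("3.3", f"SNMP community '{name}' not restricted by an ACL"))
    if communities and not any(re.match(r"snmp-server group \S+ v3", h) for h in top):
        findings.append(("3.3", "SNMPv1/v2c communities in use without SNMPv3 (exception required)"))
    if not any(h.startswith("logging host ") for h in top):
        findings.append(("3.3", "no central syslog host configured"))
    if not re.search(r"^banner (login|motd)", config, re.M) or \
            "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED" not in config:
        findings.append(("3.3", "standard warning banner not configured"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns nine findings: the local account, telnet on the vty lines and the missing access-class (3.1), directed broadcast and proxy ARP on GigabitEthernet0/1 (3.2), a single NTP source, the default `public` community, that community lacking an ACL, and the absence of SNMPv3 (3.3). The present/absent split in the statement tables is the part that carries over to other platforms: a missing `no ip source-route` is a violation, while a missing `service tcp-small-servers` is compliant, because IOS writes only non-default settings into the running configuration.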
3.4 Routing Security

* **Secure Routing Updates:** Dynamic routing protocols (e.g., EIGRP, OSPF, BGP) must use neighbor authentication (e.g., MD5 or SHA hashes with strong keys) for all routing updates. Password hashing features for the authentication string must be enabled where supported.
* **Route Filtering:** Appropriate route filtering must be implemented to prevent injection of inappropriate routes.
* **Anti-Spoofing:** Ingress filtering (e.g., Unicast Reverse Path Forwarding - uRPF, or ACLs) must be implemented on interfaces, particularly edge interfaces, to drop packets sourced with invalid or illegitimate addresses (e.g., RFC1918 addresses from the Internet, bogons, internal addresses arriving on external interfaces).
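The anti-spoofing requirement is easiest to reason about as a decision per (ingress interface, source address). The following function is an added example, not taken from the standard or any vendor's implementation: it encodes the rules above, dropping bogon and RFC1918 sources on the external interface, dropping any packet that claims an internal prefix as its source while entering from outside, and on internal interfaces requiring the source to lie in a prefix routed behind that interface, which is what strict uRPF checks against the routing table. The interface table, the bogon subset and the use of 198.51.100.0/24 as a publicly routed DMZ block are constructed assumptions.

```python
import ipaddress

# RFC1918 ranges come from the standard; the bogon list is a constructed subset
# for illustration (production filters use a maintained bogon feed).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed topology (an assumption, not from the standard): each interface has
# a trust role and the prefixes legitimately sourced behind it, i.e. what strict
# uRPF would derive from the routing table.
INTERFACES = {
    "Gi0/0": {"role": "external", "prefixes": []},
    "Gi0/1": {"role": "internal", "prefixes": ["10.1.0.0/16"]},
    "Gi0/2": {"role": "internal", "prefixes": ["198.51.100.0/24"]},  # public DMZ block
}


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def internal_prefixes(interfaces=INTERFACES):
    """All prefixes that belong to the organization: a packet claiming one of
    them as its source while entering from outside is spoofed."""
    nets = []
    for info in interfaces.values():
        if info["role"] == "internal":
            nets += _networks(info["prefixes"])
    return nets


def ingress_verdict(iface, src, interfaces=INTERFACES):
    """Return ("permit", "") or ("drop", reason) for a packet with source `src`
    arriving on `iface`, applying the section 3.4 anti-spoofing rules."""
    ip = ipaddress.ip_address(src)
    info = interfaces[iface]
    if any(ip in n for n in BOGONS):
        return ("drop", "bogon source address")
    if info["role"] == "external":
        if any(ip in n for n in internal_prefixes(interfaces)):
            return ("drop", "internal address arriving on external interface")
        if any(ip in n for n in RFC1918):
            return ("drop", "RFC1918 source from the Internet")
        return ("permit", "")
    # Internal interface, strict uRPF semantics: the source must be reachable
    # back through the same interface, otherwise it is spoofed or misrouted.
    if not any(ip in n for n in _networks(info["prefixes"])):
        return ("drop", "source not routed via ingress interface (uRPF strict)")
    return ("permit", "")


def filter_packets(packets, interfaces=INTERFACES):
    """Apply ingress_verdict to (iface, src) pairs -> [(iface, src, verdict, reason)]."""
    return [(iface, src) + ingress_verdict(iface, src, interfaces) for iface, src in packets]


if __name__ == "__main__":
    # Constructed sample packets covering each rule.
    sample = [("Gi0/0", "203.0.113.9"), ("Gi0/0", "192.168.1.1"), ("Gi0/0", "198.51.100.7"),
              ("Gi0/0", "127.0.0.1"), ("Gi0/1", "10.1.22.5"), ("Gi0/1", "10.2.0.1")]
    for iface, src, verdict, reason in filter_packets(sample):
        print(f"{iface:6} {src:15} {verdict:6} {reason}")
```

The order of the checks matters: the internal-prefix test runs before the RFC1918 test so that a packet claiming an internal address is reported as spoofing of the organization's own space rather than as a generic private-address hit, and the bogon test runs first on every interface because those sources are never legitimate anywhere.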
3.5 Sensitive Device Requirements

Certain critical routers and switches (e.g., core devices, perimeter firewalls/routers, devices handling highly sensitive data) may be designated as "sensitive" and require additional security controls as defined by the designated IT authority (e.g., Precision Computer). These may include:

* More detailed logging configurations (e.g., IP ACL accounting).
* Enhanced monitoring.
* Stricter access controls and change management procedures.

3.6 Network Management Integration

* All production routers and switches must be registered in the organization's network management and asset inventory systems with accurate configuration details and designated points of contact.
4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., the Precision Computer team, Information Security, Internal Audit) will verify compliance with this standard through various methods, including automated configuration audits, vulnerability scanning, manual reviews, penetration testing, internal and external audits, and review of network monitoring data.

4.2 Exceptions

Any exception to this standard requires formal, documented justification outlining the technical necessity or constraint, a risk assessment including compensating controls, and advance approval from the designated IT authority (e.g., the Precision Computer team or Information Security).

4.3 Enforcement

* Devices found to be non-compliant with this standard must be remediated within a defined timeframe or risk being isolated or removed from the production network.
* Failure by personnel responsible for device management to adhere to this standard may result in disciplinary action, up to and including termination of employment or contract.

5.0 Definitions

* **Production Network:** The primary operational network infrastructure supporting the organization's core business functions and services.
* **TACACS+ (Terminal Access Controller Access-Control System Plus):** A protocol providing centralized authentication, authorization, and accounting (AAA) for network device administration.
* **RADIUS (Remote Authentication Dial-In User Service):** Another common protocol for centralized AAA.
* **ACL (Access Control List):** A set of rules applied to network interfaces to permit or deny traffic based on criteria like source/destination IP address, port numbers, and protocols.
* **SNMP (Simple Network Management Protocol):** A protocol used for monitoring and managing network devices. SNMPv3 adds security features.
* **SSH (Secure Shell):** A cryptographic network protocol for operating network services securely over an unsecured network.
* **NTP (Network Time Protocol):** A protocol for synchronizing the clocks of computer systems over packet-switched networks.
* **RFC1918 Addresses:** Private IPv4 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) not routable on the public Internet.

6.0 Related Documents

* Password Policy
* Audit Logging Policy
* Acceptable Use Policy
* Change Management Policy
* Vulnerability Management Policy
* Information Security Policy (Overall)
* Network Segmentation Policy / Architecture Documents