This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Cyberfusion.
All employees, contractors, consultants, temporary and other workers at Cyberfusion and its subsidiaries must adhere to this policy. All routers and switches connected to Cyberfusion production networks are affected.
Every router must meet the following configuration standards:
- The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
- The following services or features must be disabled:
- IP directed broadcasts
- Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
- TCP small services
- UDP small services
- All source routing and switching
- Telnet, FTP, and HTTP services
- The following services must be configured:
- NTP configured to a corporate standard source
- Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
- Access control lists for transiting the device are to be added as business needs arise.
- The router must be included in the corporate enterprise management system with a designated point of contact.
- Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
- The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:
- IP access list accounting
- Device logging
- Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped
- Router console and modem access must be restricted by additional security controls
- Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the Infosec team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.