Router and Switch Security Policy
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Tuxis.
All employees, contractors, consultants, temporary and other workers at Tuxis and its subsidiaries must adhere to this policy. All routers and switches connected to Tuxis production networks are affected.
Every router must meet the following configuration standards:
- The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
- The following services or features must be disabled:
- IP directed broadcasts
- Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
- TCP small services
- UDP small services
- All source routing and switching
- All web services running on router
- Telnet, FTP, and HTTP services
- The following services should be disabled unless a business justification is provided:
- Discovery protocols
- Dynamic trunking
- Scripting environments, such as the TCL shell
- The following services must be configured:
- NTP configured to a corporate standard source
- Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
- Access control lists for transiting the device are to be added as business needs arise.
- The router must be included in the corporate enterprise management system with a designated point of contact.
- Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
- The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:
- IP access list accounting
- Device logging
- Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped
- Router console and modem access must be restricted by additional security controls