The checklist below is designed as an aid for creating router security policy. After drafting a policy, step down the list and check that each item is addressed in your policy.
Physical Security
- Designates who is authorized to install, de-install, and move the router.
- Designates who is authorized to perform hardware maintenance and to change the physical configuration of the router.
- Designates who is authorized to make physical connections to the router.
- Defines controls on placement and use of console and other direct access port connections.
- Defines recovery procedures in the event of physical damage to the router, or evidence of tampering with the router.
Static Configuration Security
- Designates who is authorized to log in directly to the router via the console or other direct access port connections.
- Designates who is authorized to assume administrative privileges on the router.
- Defines procedures and practices for making changes to the router static configuration (e.g. log book, change recording, review procedures).
- Defines the password policy for user/login passwords, and for administrative or privilege passwords.
- Designates who is authorized to log in to the router remotely.
- Designates protocols, procedures, and networks permitted for logging in to the router remotely.
- Defines the recovery procedures and identifies individuals responsible for recovery, in the case of compromise of the router’s static configuration.
- Defines the audit log policy for the router, including outlining log management practices and procedures and log review responsibilities.
- Designates procedures and limits on use of automated remote management and monitoring facilities (e.g. SNMP).
- Outlines response procedures or guidelines for detection of an attack against the router itself.
- Defines the key management policy for long-term cryptographic keys (if any).
Dynamic Configuration Security
- Identifies the dynamic configuration services permitted on the router, and the networks permitted to access those services.
- Identifies the routing protocols to be used, and the security features to be employed on each.
- Designates mechanisms and policies for setting or automating maintenance of the router’s clock (e.g. manual setting, NTP).
- Identifies key agreement and cryptographic algorithms authorized for use in establishing VPN tunnels with other networks (if any).
Network Service Security
- Enumerates protocols, ports, and services to be permitted or filtered by the router, for each interface or connection (e.g. inbound and outbound), and identifies procedures and authorities for authorizing them.
- Describes security procedures and roles for interactions with external service providers and maintenance technicians.
Compromise Response
- Enumerates individuals or organizations to be notified in the event of a network compromise.
- Defines response procedures, authorities, and objectives for response after a successful attack against the network, including provision for preserving evidence and for notification of law enforcement.