S 2.279 Drawing up a security policy for routers and switches
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: IT Security Officer
Since routers and switches are central elements of a network, secure and proper operation is particularly important. This can only be ensured when the operational procedures are integrated into the existing security-related specifications.
The central security requirements (the target security level) follow from the organisation-wide security policy. They should be formulated in a specific security policy for routers and switches so that the higher-level, generally formulated security policy is made concrete and applied in the present context.
In this context, it must be examined whether there are any other overriding specifications, for example IT guidelines, password rules, and specifications for internet usage, that must be taken into account in addition to the organisation-wide security policy.
All persons and groups participating in the procurement and operation of routers and switches must be familiar with the security policy and follow it while working. Like all policies, its contents and implementation should be examined regularly within the framework of a general audit.
The security policy should first specify the overall security level to be reached and provide basic information on the operation of routers and switches. Some items which should be taken into account are listed below:
- general configuration strategy ("liberal" or "restrictive")
- rules for the work of the administrators and auditors:
  - over which access routes are the administrators and auditors allowed to access the systems (for example, only locally on the console, using a separate administration network, or using encrypted connections)?
  - which procedures must be documented? In what form will the documentation be produced and maintained?
  - does the "two-man principle" apply to certain changes?
  - according to which scheme are administration rights assigned?
- specifications regarding the procurement of equipment based on requirement profiles
- specifications for installation and basic configuration
  - initial installation procedure
  - check of the default settings in terms of the security threats entailed by them
  - rules regarding physical data access control
  - use and configuration of console and other types of access
  - rules for the administration of the users and roles, authorisation structures (procedures and methods of authentication and authorisation, authorisations for installation, updates, configuration changes, etc.). If possible, a role concept should be drawn up for administration.
  - rules for the configuration and use of VLANs and VPNs (for example: no VLANs with different protection requirements on the same switch)
  - rules for drawing up and maintaining documentation, form of documentation: documented procedures, instruction manuals
  - if there are general specifications: permitted and banned services, protocols, and networks
- specifications for secure operation
  - securing the administration (for example: access via secure connections only)
  - use of encryption (standards, key strengths, fields of application)
  - specifications for the use of passwords (password rules, areas to be protected by passwords, rules and situations for changing passwords, possible escrow of passwords)
  - tools for operation and maintenance, and integration into an existing network management system
  - authorisations and procedures for software updates and configuration changes
- logging
  - which events are logged?
  - where are the log files stored?
  - how and at which intervals are the logs evaluated?
- data backup and recovery (see also S 6.91 Data backup and recovery on routers and switches)
  - integration into the organisation-wide data backup policy
- fault management, error handling, incident handling
  - rules for how to react to operational disruptions and technical errors (local support, remote maintenance)
  - rules for security incidents
- contingency planning (see also S 6.92 Contingency planning for routers and switches)
  - integration into the organisation-wide contingency planning concept
- review and audit (responsibilities, procedures, integration into a global audit concept)
The security management team is responsible for the security policy. Changes to the policy and deviations from it may only be made in consultation with the security management team.
When drawing up a security policy, it is recommended to start by stating the maximum requirements and specifications for the security of the systems. These may then be adapted to the actual circumstances. Ideally, this ensures that all necessary aspects are taken into account. For every specification rejected or relaxed in the second step, the reasons for the rejection or relaxation should be documented.
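Two of the example rules named in the list above (permitted administration access routes, and no VLANs with different protection requirements on the same switch) can be checked mechanically, together with the requirement that every relaxed specification has a documented reason. The following Python check is an added example and not part of the original safeguard text; the device names, the `ssh`/`telnet` route labels, the protection levels and the inventory format are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy value: access routes administrators may use
# (console, separate administration network, encrypted connection).
ALLOWED_ADMIN_ROUTES = {"console", "admin-network", "ssh"}

@dataclass
class Device:
    name: str
    admin_routes: set   # access routes enabled for administration
    vlans: dict         # VLAN id -> protection requirement of that VLAN
    # Documented deviations: rule id -> reason the rule was relaxed
    deviations: dict = field(default_factory=dict)

def audit(device):
    """Return (rule, detail, status) findings for one device."""
    raw = []
    bad_routes = device.admin_routes - ALLOWED_ADMIN_ROUTES
    if bad_routes:
        raw.append(("admin-access",
                    "not permitted: " + ", ".join(sorted(bad_routes))))
    levels = set(device.vlans.values())
    if len(levels) > 1:  # VLANs of different protection level on one switch
        raw.append(("vlan-separation",
                    "mixed protection requirements: " + ", ".join(sorted(levels))))
    findings = []
    for rule, detail in raw:
        # A relaxed rule is acceptable only if its reason is written down.
        reason = device.deviations.get(rule, "").strip()
        status = "documented deviation" if reason else "violation"
        findings.append((rule, detail, status))
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("sw-core-01", {"ssh", "console"}, {10: "high", 20: "high"}),
    Device("sw-access-07", {"ssh", "telnet"}, {30: "normal", 40: "high"},
           deviations={"vlan-separation":
                       "single switch at branch site; accepted by security management"}),
    Device("rt-edge-02", {"admin-network"}, {}),
]

def audit_all(inventory):
    return {d.name: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        for rule, detail, status in findings or [("-", "compliant", "ok")]:
            print(f"{name}: [{status}] {rule}: {detail}")
```
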
Review questions:
- Does the security policy for routers and switches take into account the specifications of overriding security policies?
- Are the contents and the implementation of the security policy for routers and switches checked regularly within the framework of an audit?