S 2.281 Documentation of the system configuration of routers and switches
Initiation responsibility: IT Security Officer
Implementation responsibility: Administrator
Routers and switches are mostly configured with the help of configuration files stored on the device. Routers and switches are characterised by a host of configuration options important for secure operation. During initial installation and/or in the as-delivered condition, default values are used for these settings.
The configuration performed while commissioning the device must be documented in such a way that it can be understood by the administrator or his/her substitute at any time. In particular, a comment should be added to the configuration file explaining why the setting was selected if the configuration deviates from a default value.
Any changes to the configuration should be comprehensible for the administrator. It is recommended to document the following items as a minimum:
- Which change was performed?
- Why was the change performed (reason)?
- When was this change performed (time, date)?
- Who performed the change?
The changes may also be documented by means of comments in the configuration file. However, it usually makes sense to keep only the most recent change for each option in the file.
Additionally, all security-relevant configuration changes should, as a minimum, be recorded in a log that can be used to reconstruct at any time how the device was configured at any given point in time. This log should not be stored on the device itself.
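The following Python sketch is an added example, not part of the original safeguard text. It appends one record per change (what, why, when, who) to a separate record of changes and looks up the configuration that was in force at a given time. The function names, the JSON-lines format and the sample configurations are assumptions made for illustration.

```python
import difflib
import json
from datetime import datetime, timezone

def record_change(log_path, device, old_cfg, new_cfg, what, why, who, when=None):
    """Append one change record (what/why/when/who) to a JSON-lines file.

    log_path is assumed to be on a separate, protected server, not on the device.
    """
    for field, value in (("what", what), ("why", why), ("who", who)):
        if not value or not value.strip():
            raise ValueError(f"change record is missing '{field}'")
    diff = list(difflib.unified_diff(old_cfg.splitlines(), new_cfg.splitlines(),
                                     "before", "after", lineterm=""))
    # Skip the two file-header lines, keep only added and removed lines.
    changed = [line for line in diff[2:] if line.startswith(("+", "-"))]
    if not changed:
        raise ValueError("configurations are identical, nothing to record")
    when = when or datetime.now(timezone.utc)
    entry = {"device": device, "when": when.isoformat(), "who": who,
             "what": what, "why": why, "diff": changed, "config": new_cfg}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def config_at(log_path, device, moment):
    """Return the configuration of `device` in force at `moment`, or None."""
    latest = None
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            t = datetime.fromisoformat(entry["when"])
            if entry["device"] == device and t <= moment:
                if latest is None or t >= datetime.fromisoformat(latest["when"]):
                    latest = entry
    return latest["config"] if latest else None

# Constructed sample configurations (not taken from a real device).
DEFAULT_CFG = "hostname sw1\nip http server\nservice password-encryption\n"
HARDENED_CFG = "hostname sw1\nno ip http server\nservice password-encryption\n"
```

Because each record stores the full configuration, access to the file needs the same protection as the configuration files themselves.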
In order to make documentation and logging easier, a revision and version control system may be used, e.g. CVS. Such a system provides for the additional advantage of being able to easily restore a former configuration. Network management systems for central administration usually also offer an integrated documentation and logging function.
It is advisable to design the documentation in such a way that it can also be understood by a qualified person not familiar with the specific circumstances of the system environment.
The configuration files should additionally be stored centrally on a designated server for contingency planning. Often, TFTP servers are used for centrally administering configuration files. However, TFTP servers should only be operated in a protected administration network, since the TFTP service is characterised by a host of vulnerabilities (see also T 2.87 Use of insecure protocols in public networks). Transmission using SCP is an alternative (see also S 5.64 Secure Shell).
Review questions:
- Are configuration changes regarding routers and switches documented comprehensibly?
- Are all security-relevant configuration changes recorded in a separate log which is not stored on the device concerned?
- Are the configuration files additionally stored centrally on a designated server for contingency planning?