S 2.282 Regular checking of routers and switches
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
In order to ensure proper operation of the active network components and the correctness of all configuration parameters, a regular control process that is as automated as possible must be established. This includes, for example, regular functional tests, initiating changes and checking that they have been implemented, as well as analysis of the log files and alarms.
In order to be able to efficiently process the large amount of relevant data accruing during live operations, it is usually necessary to use suitable tools in order to achieve controls that are as automated as possible. For example, this may be performed by integration into a network management system (NMS).
Checklist for the control
The checklist in S 4.203 Configuration checklist for routers and switches may be used for the control. The security policy drawn up for routers and switches should be used as a basis (see S 2.279 Drawing up a security policy for routers and switches). Additionally, the following items should be taken into consideration during configuration:
What is being tested and/or checked?
- The general functionality of devices is normally checked regularly by the administrator during live operations.
- The integrity of configuration files should be checked at regular intervals. The security policy for routers and switches should define a regular review, including definition of the responsibilities.
- The data backup status (centrally stored configuration files) should be checked regularly by the administrator.
- The system documentation should be updated continuously by the administrator. Whether it is up to date may be checked during audits.
For this, S 2.31 Documentation of authorised users and rights profiles and S 2.64 Checking the log files must be taken into consideration.
How are the tests performed?
- Regular checking can be ensured by integrating the components into a network management system. Security violations, failures, and malfunctions can be detected promptly with the help of alarming functions of the NMS.
- Within the framework of audits, components are mostly subjected to spot checks. The security policy drawn up for routers and switches is used as the basis for an audit. Whether the system documentation is up to date, the data backup status, password changes, etc. are important parts of such a test. With the help of the checklist from S 4.203 Configuration checklist for routers and switches, the majority of the security-relevant settings may be queried.
- There is a host of freely available security tools (e.g. Nessus) that are able to check the security settings on routers and switches. Such tools may be installed on one computer in the network. If possible, the most recent version should be used. Unix and/or Linux are often the required operating systems. The administrator may use these systems to scan the corresponding routers and switches and in this way check numerous settings of these devices. Commercial tools sometimes offer relatively convenient analyses and options for historical tracking of the performed scans.
- Numerous security companies offer regular checks of routers and switches. Regular reports and evaluations provide the operator with an overview of the condition of the components.
When are the tests performed?
- The administrator checks the functioning of the devices continuously and, as a rule, automatically with the help of an NMS. The administrator must continuously keep the system documentation up to date.
- The data backup status, the integrity of the configuration files, and further configuration-related data should be checked regularly (at weekly intervals) by the administrator.
- Once such tools have been installed, scans with the help of security tools should be performed regularly (at monthly intervals) by the administrator. The results must be analysed and archived.
- The security policies must be checked for compliance regularly (e.g. annually within the framework of security and basic protection audits).
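The weekly check of the data backup status and of the integrity of the configuration files described above can be automated. The following script is an added example and not part of the IT-Grundschutz catalogues: it compares the configuration currently retrieved from each device against the copy held in the central configuration backup, reports any deviation as a unified diff, and flags devices whose backup is older than the weekly interval. Device names, configuration lines and timestamps are constructed sample data; in practice the current configuration would be fetched from the device and the baseline read from the central repository.

```python
"""Weekly integrity check of router/switch configurations against the
centrally stored baseline copies.

Added example, not from the IT-Grundschutz catalogues. All device names,
configuration lines and timestamps are constructed sample data.
"""
import difflib
import hashlib
from datetime import datetime, timedelta

# Constructed baseline: what the central configuration backup holds.
BASELINE_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\nno ip http server\n"
                   "service password-encryption\nlogging host 10.0.0.5\n",
    "access-sw-07": "hostname access-sw-07\nno ip http server\n"
                    "snmp-server community s3cret RO\n",
}

# Constructed timestamps of the last successful backup per device.
BASELINE_BACKUP_TIME = {
    "core-rtr-01": datetime(2024, 5, 6, 2, 0),
    "access-sw-07": datetime(2024, 4, 20, 2, 0),
}

# Constructed "current" configurations as retrieved from the devices.
# access-sw-07 has had its HTTP server re-enabled since the backup.
CURRENT_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\nno ip http server\n"
                   "service password-encryption\nlogging host 10.0.0.5\n",
    "access-sw-07": "hostname access-sw-07\nip http server\n"
                    "snmp-server community s3cret RO\n",
}


def fingerprint(config_text: str) -> str:
    """SHA-256 over a normalised configuration.

    Trailing whitespace and blank lines are removed first so that purely
    cosmetic differences in how a device prints its configuration do not
    raise a false alarm.
    """
    lines = [ln.rstrip() for ln in config_text.splitlines() if ln.strip()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def config_diff(baseline: str, current: str) -> list:
    """Unified-diff lines showing how the current config deviates from the baseline."""
    return [ln.rstrip("\n") for ln in difflib.unified_diff(
        baseline.splitlines(), current.splitlines(),
        fromfile="baseline", tofile="current", lineterm="", n=0)]


def backup_is_current(last_backup: datetime, now: datetime, max_age_days: int = 7) -> bool:
    """True if the last backup is no older than the weekly check interval."""
    return now - last_backup <= timedelta(days=max_age_days)


def check_devices(baseline: dict, current: dict, backup_times: dict, now: datetime) -> dict:
    """Per-device report: backup freshness and configuration integrity status."""
    report = {}
    for device, base_cfg in baseline.items():
        entry = {"backup_current": backup_is_current(backup_times[device], now)}
        if device not in current:
            # No configuration could be retrieved: treat as a failure to investigate.
            entry["status"] = "unreachable"
        elif fingerprint(base_cfg) == fingerprint(current[device]):
            entry["status"] = "ok"
        else:
            entry["status"] = "changed"
            entry["diff"] = config_diff(base_cfg, current[device])
        report[device] = entry
    return report


if __name__ == "__main__":
    now = datetime(2024, 5, 8, 8, 0)  # constructed time of this check run
    for device, entry in check_devices(BASELINE_CONFIGS, CURRENT_CONFIGS,
                                       BASELINE_BACKUP_TIME, now).items():
        print(f"{device}: status={entry['status']} backup_current={entry['backup_current']}")
        for line in entry.get("diff", []):
            print("    " + line)
```

A "changed" status or a stale backup should be recorded and followed up; the archived reports also provide the historical trail an auditor will ask for.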
Who performs the tests?
- The administrator should continuously perform tests (function of the components, data backup status, integrity of the configuration files, scans, etc.).
- Compliance with security policies and/or security safeguards within the framework of security and/or basic protection audits must not be checked by the administrator, but by an auditor or the IT Security Officer, depending on the established security management process.
What information are the tests based on?
- Security policy for routers and switches
- Log files of routers and switches
- System documentation (see S 2.281 Documentation of the system configuration of routers and switches)
- Security concept
- IT-Grundschutz Catalogues
- Results of performed scans
Reviewing the configuration
When configuring the routers and switches, all default settings must be checked and modified, if required. Here, unneeded services are disabled and presettings are adapted to the operational and security-related requirements, for example. An explanation of the steps required for this can be found in S 4.201 Secure basic local configuration of routers and switches and S 4.202 Secure basic network configuration of routers and switches.
The implementation of the specifications on how to handle default settings must be checked within the framework of regular audits. This way, accidental or deliberate changes can be detected and the implementation of current manufacturer recommendations can be verified. The check may be performed on the basis of the installation instructions to be drawn up for every device type and/or every operating system version and should be verified on the respective device. Here, it must be taken into consideration that with some manufacturers the operating system commands do not display all default settings. For this reason, it is recommendable to use separate software tools in order to perform a complete analysis.
For comprehensively testing all devices, software products allowing for automated testing with configurable parameters may be used.
Mirror port
In order to analyse the data traffic, it is possible to configure one port of the router or switch as a "mirror port". Here, the entire data traffic of a selected port is replicated to the mirror port and can be analysed using the corresponding analysis programs. As opposed to other analysis methods, the data traffic is not interrupted or impaired in the process.
The mechanism offers two analysis methods: mirroring of the entire data traffic for a defined port or mirroring of the data traffic for a MAC address. In the second case, the entire data volume passing through the device with a defined source and/or destination address is mirrored to the mirror port.
The mirror port must not belong to any productive LAN or spanning tree group (STG). By default, "port mirroring" must be switched off. Access to the "port mirroring" configuration must be protected. After having used the mirror port, the port must be disabled. It must be checked regularly whether the port mirroring function is disabled during normal operations.
Review questions:
- Has a control process been established in order to ensure proper operation of the active network components?
- Have security and/or basic protection audits been performed by an auditor or IT Security Officer and not by the responsible administrators?