S 4.203 Configuration checklist for routers and switches
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
In summary, the following configuration checklist can be used to check the most important security-relevant settings on routers and switches. Note, however, that the secure configuration of routers and switches depends strongly on their operational purpose. For example, the configuration of ACLs, anti-spoofing measures, etc. must be taken into consideration for border routers. The following checklist should therefore be used only as a general guideline. Security safeguards to be applied to routers are also applicable to switches if these support routing functions and insofar as these functions are being used.
Configuration checklist for routers and switches:
- Drawing up a security policy for routers and switches
- Checking and, if necessary, updating of the operating system
- Offline storage, backup, and protection against unauthorised access of the router and switch configurations (use of a TFTP server only in connection with out-of-band management (separate administration network))
- Documentation and commenting of the configuration
- Configuration of password protection for all accesses (console, VTY, etc.)
- Configuration of a session timeout
- No use of trivial passwords
- Encrypted storage of the passwords
- Configuration of physical access protection for the console connection
- Replacement of TELNET by SSH for administration purposes as far as possible
- Use of RADIUS or TACACS+ for authentication, if possible
- Limitation of the administration accesses (e.g. SSH, SNMP, TELNET) by ACLs; use of SNMP and TELNET only in connection with out-of-band management (separate administration network); for SNMP, change of the community strings
- Disabling of unneeded network services
- Switching off of unneeded interfaces on routers; on switches, also disabling of unneeded ports or assignment of unneeded ports to an "Unassigned VLAN"
- Blocking of critical interface services and protocols
- Enabling of the logging function
- Inclusion of time information in the log entries
- Analysis, auditing, and archiving of the log files according to the security policy
- Disabling of SNMP, if possible; otherwise use only in connection with out-of-band management (administration network) or use of SNMPv3
- Auditing of the default settings
- Configuration of a login banner
- Disabling of CDP on terminal ports

Specifically for switches:
- When using VTP: use of authentication
- Disabling of trunk negotiation on terminal ports
- The default VLAN must not be used
- Configuration of a separate VLAN for all trunk ports
- Configuration of an Unassigned VLAN for all unused ports
- Disabling of STP (Spanning Tree) on terminal ports
- Determination of a root bridge

Specifically for routers:
- Configuration of a communication matrix for cross-network data traffic
- Limitation of cross-network data traffic to what the communication matrix permits, with the help of access lists
- Blocking of unknown addresses with the help of access lists (ACLs)
- If required (particularly in the DMZ): configuration of static routes
- Configuration of integrity mechanisms of the routing protocols used
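As an added example, not part of the catalogue text, the following Python script checks an IOS-style configuration text against several of the checklist items above: SSH instead of TELNET, a session timeout and an ACL on the VTY lines, encrypted password storage, time information in log entries, a login banner, well-known SNMP community strings, and CDP, trunk negotiation and the default VLAN on terminal (access) ports. The command syntax is assumed to be Cisco IOS style, and the sample configuration is constructed.

```python
import re
# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 no cdp enable
"""
def split_blocks(config):
    """Separate global commands from the indented bodies of 'interface'/'line' blocks."""
    glob, blocks, cur = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            blocks.setdefault(cur := raw.strip(), [])
        elif raw.strip():
            cur = None
            glob.append(raw.strip())
    return glob, blocks

def audit(config):
    """Return one finding per checklist item the configuration violates."""
    glob, blocks = split_blocks(config)
    findings = []
    def need(cond, msg):
        if not cond:
            findings.append(msg)
    need("service password-encryption" in glob, "global: passwords not stored encrypted")
    need(any(cmd.startswith("service timestamps log") for cmd in glob), "global: log entries carry no time information")
    need(any(cmd.startswith("banner motd") for cmd in glob), "global: no login banner configured")
    for cmd in glob:  # SNMPv1/v2c with a well-known community string
        if re.match(r"snmp-server community (public|private)\b", cmd, re.I):
            findings.append(f"global: default SNMP community string in '{cmd}'")
    for hdr, body in blocks.items():
        if hdr.startswith("line vty"):  # remote administration lines
            need("transport input ssh" in body, f"{hdr}: TELNET still permitted for administration")
            need(any(b.startswith("exec-timeout") and b != "exec-timeout 0 0" for b in body), f"{hdr}: no session timeout")
            need(any(b.startswith("access-class") for b in body), f"{hdr}: administration access not limited by ACL")
        elif hdr.startswith("interface") and "switchport mode access" in body:  # terminal port
            need("no cdp enable" in body, f"{hdr}: CDP enabled on terminal port")
            need("switchport nonegotiate" in body, f"{hdr}: trunk negotiation not disabled")
            need(any(b.startswith("switchport access vlan") for b in body), f"{hdr}: port left in the default VLAN")
    return findings
```

Run against the sample, the script reports ten findings for the device and none for the second access port, which already carries the required settings.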
Review questions:
- Are security-relevant settings on routers and switches checked based on a configuration checklist?
- Does the configuration checklist take into consideration the different requirements of the routers and switches?