Router & Switch Security Standard
Scope
This standard describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Loyola University Chicago.
Purpose
All routers and switches connected to Loyola University Chicago production networks are affected. This document contains two sections: baseline standards for all routers and switches, and additional standards for perimeter routers and switches. All routers and switches will be configured to the baseline standard; perimeter devices have additional required controls.
Standard
Baseline Standards for Routers and Switches:
- No local user accounts are configured on the router. Routers must use RADIUS for all user authentication.
- The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
- Disallow the following:
a. IP directed broadcasts
b. TCP small services
c. UDP small services
d. All web services running on the router
e. Switch interfaces set with "dynamic" port negotiation
f. FTP services
- Use SNMPv3 and MD5 hashing.
- All routing updates shall be exchanged using secure (authenticated) routing updates.
- Access control lists are to be added and modified as business needs arise.
- A primary and backup point of contact must be provided for each router and switch on the University’s networks.
- Each router must have the following statement posted in clear view:
"This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services policies (http://www.luc.edu/its/policies.shtml), and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited.
Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method."
- Telnet may never be used across any network to manage a router. SSH is the preferred management protocol.
- Synchronize all clocks through the use of NTP.
- An audit and logging strategy, based on the ITS Log Management Standard, must be utilized.
Perimeter
- Disallow the following:
a. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses or the Loyola public IP space
b. IP packets that have the same source and destination address
c. Outgoing packets at the router sourced with invalid addresses, such as RFC1918 addresses
d. All source routing
e. CDP on Internet connected interfaces
f. IP directed-broadcast
g. Telnet, FTP, and HTTP services
- Implement black hole (null) routing
- Disable network auto-loading via TFTP
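As an added illustration (not part of this standard and not Loyola's own tooling), the following Python script checks a saved Cisco IOS running-config against the baseline items and the perimeter items listed above, reporting each deviation. The sample configuration, hostname, addresses, ACL name and SNMP names are constructed placeholders, and the script assumes an Internet-facing interface can be recognised by the word "Internet" in its description. Because IOS omits default settings such as "no service tcp-small-servers" and "no ip directed-broadcast" from a running-config, those items are checked by the absence of the enabling line rather than the presence of the "no" form.

```python
"""Check a saved Cisco IOS running-config against the baseline and perimeter items of
this standard.  Added illustration, not Loyola's tooling; all sample values are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed sample with deliberate deviations: a local user, an SNMPv2c community,
# CDP left on the Internet uplink, and telnet still allowed on the vty lines.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLCH$placeholderhash
username admin privilege 15 secret 5 $1$PLCH$placeholderhash
aaa authentication login default group radius
no ip source-route
no ip http server
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 203.0.113.0 0.0.0.255 any
 permit ip any any
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/1
 description campus distribution
 ip address 10.1.1.1 255.255.255.0
 no cdp enable
ip route 192.0.2.0 255.255.255.0 Null0
snmp-server community public RO
ntp server 10.1.1.10
logging host 10.1.1.20
banner motd ^C
Authorized use only. (The banner text from the standard goes here.)
^C
line vty 0 4
 transport input telnet ssh
"""

# (finding, regex matched against each top-level line, whether a match is required).
# Defaults such as "no service tcp-small-servers" are absent from a running-config,
# so those items are checked by the absence of the enabling line.
GLOBAL_CHECKS = [
    ("local user account configured; RADIUS only", r"^username ", False),
    ("login authentication does not use RADIUS", r"^aaa authentication login \S+ group radius", True),
    ("enable password not stored as an encrypted secret", r"^enable secret ", True),
    ("TCP/UDP small services enabled", r"^service (tcp|udp)-small-servers", False),
    ("web server enabled", r"^ip http (secure-)?server", False),
    ("SNMPv1/v2c community configured; SNMPv3 required", r"^snmp-server community ", False),
    ("no SNMPv3 user with MD5 authentication", r"^snmp-server user \S+ \S+ v3 auth md5", True),
    ("no login banner", r"^banner motd", True),
    ("NTP server not configured", r"^ntp server ", True),
    ("no syslog host configured", r"^logging host ", True),
    ("IP source routing not disabled", r"^no ip source-route", True),
    ("no black hole (Null0) route", r"^ip route .* Null0$", True),
    ("auto-loading of configuration via TFTP enabled", r"^(service config|boot network )", False),
]
RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group each indented line under the preceding top-level line."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def perimeter_checks(name: str, kids: List[str], acls: Dict[str, List[str]], own: str) -> List[str]:
    """One Internet-facing interface: CDP off, and an inbound ACL that denies
    RFC1918 sources plus the site's own public prefix ('own', a placeholder)."""
    out = [] if "no cdp enable" in kids else [f"{name}: CDP enabled on Internet-facing interface"]
    inbound = [k.split()[2] for k in kids if re.match(r"ip access-group \S+ in$", k)]
    if not inbound:
        return out + [f"{name}: no inbound ACL to drop spoofed sources"]
    entries = acls.get(inbound[0], [])
    out += [f"{name}: ACL {inbound[0]} does not deny source {net}"
            for net in RFC1918 + [own] if f"deny ip {net} any" not in entries]
    return out


def audit(config: str, own_prefix: str = "203.0.113.0 0.0.0.255") -> List[str]:
    """Return the list of deviations from the standard (empty means compliant)."""
    sections = parse_sections(config)
    findings = [text for text, pat, required in GLOBAL_CHECKS
                if any(re.match(pat, h) for h, _ in sections) != required]
    acls = {h.split()[-1]: kids for h, kids in sections if h.startswith("ip access-list ")}
    for header, kids in sections:
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if "ip directed-broadcast" in kids:
                findings.append(f"{name}: IP directed broadcasts enabled")
            if any(k.startswith("switchport mode dynamic") for k in kids):
                findings.append(f"{name}: dynamic port negotiation enabled")
            # Assumption: Internet-facing interfaces carry "Internet" in their description.
            if any(k.startswith("description") and "internet" in k.lower() for k in kids):
                findings += perimeter_checks(name, kids, acls, own_prefix)
        elif header.startswith("line vty"):
            transports = [k for k in kids if k.startswith("transport input")]
            if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
                findings.append(f"{header}: management access is not restricted to SSH")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports the local account, the SNMPv2c community, the missing SNMPv3 user, CDP on the uplink and telnet on the vty lines; pass `own_prefix` as the institution's real public block (in ACL wildcard form) so the inbound anti-spoofing check also covers the site's own address space.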
Policy adherence
Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Exceptions
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
Review
This policy will be maintained in accordance with the ITS Security Policy.
Emergencies
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.
Appendix
References
http://www.nsa.gov/snac/switches/switch-guide-version1_01.pdf
http://www.cisecurity.org/benchmarks.html
CIS_Cisco_IOS_Benchmark_v2.2.pdf
CIS_FreeRADIUS_Benchmark_v1.0.pdf
History
September 12, 2011: Initial Policy
October 6, 2011: Revised
October 29, 2012: Annual Review for PCI Compliance
Author: UISO
Version: 1.1