
Checklist

Each item gives the assessment question, followed by the assessment technique used to verify it.

Assessment Area: People

Does the password policy require strong passwords and periodic changes?
Technique: Review the password policy for password complexity requirements, password history, and password change frequency.

Are secure management protocols required by policy?
Technique: Infrastructure device policies should prohibit management access without encrypted protocols such as SSH and HTTPS.

Is least privilege access required for access to infrastructure devices?
Technique: The policy should require that least privilege access be granted to all network users and administrators.

Is a change management policy in place?
Technique: Review the change management policy.

Is a wireless access policy in place to forbid unapproved and/or user-installed wireless devices?
Technique: Wireless access should have a dedicated policy prohibiting unauthorized installation of wireless devices by employees, as this represents a significant risk.

Are policies and standards used when configuring network devices?
Technique: Inspect the policies and standards for configuration of network devices to determine whether they are followed.

Assessment Area: Process

Are all key computing assets identified and documented?
Technique: Review documentation to determine the location of servers, databases, and other critical systems.

Is there sufficient network documentation to identify the physical and logical configurations of devices?
Technique: Review physical and logical documentation for completeness. Determine how often it is updated and review the update procedures.

Has a traffic flow analysis been conducted?
Technique: Look for evidence that administrators have conducted a traffic flow analysis to determine what protocols are used on the network.

Are administrator accounts unique and assigned to a single individual?
Technique: All administrator accounts used to connect to network infrastructure devices should be unique, for the purposes of auditing and nonrepudiation.

Is configuration management and change control conducted?
Technique: Configuration backups should be made of all network devices and kept electronically in a secure manner, with a hard copy stored in a safe if possible. All configuration changes should be reviewed through a formal approval process with a rollback mechanism.

Is there a process in place to review product security advisories?
Technique: Interview staff and determine the procedures used to identify new vulnerabilities in network devices. Staff should subscribe to PSIRT reports.

Are vulnerability scans conducted on network devices?
Technique: The organization should conduct periodic vulnerability scans of network devices and maintain a software version inventory so it can quickly determine whether vulnerable software is installed on infrastructure devices.

Is a network disaster recovery plan in place?
Technique: Review the disaster recovery plan for good practices.

Are logs stored in a central repository and reviewed on a regular basis for security issues?
Technique: All infrastructure device logs should be stored in a central database that enables easy searching and review of security and operational events.

Is wireless device management and monitoring conducted?
Technique: Wireless management should be in place to address wireless-specific security issues such as denial of service, hacking, rogue APs, and RF spectrum problems. Wireless should be monitored on a regular basis so that security problems are resolved quickly.

Assessment Area: Technology (General Network Device Security)

Management Plane

Are unused management ports (aux, console, and vty) disabled?
Technique: Unused management ports should be disabled so that a port not needed for management cannot provide physical access to the configuration. At a minimum, all ports should require authentication.

Are management login best practices followed?
Technique: Ensure that failed login attempts are limited, the maximum number of concurrent sessions is limited, idle timeouts are enforced, and all commands entered are logged.

Are there access control mechanisms in place to prevent connectivity to management ports from unauthorized subnets?
Technique: Review documentation and configuration to determine whether access lists are properly applied to management interfaces.

Are network device terminal and management ports not in use disabled?
Technique: Review all terminal and management ports for use.

Are secure access protocols such as SSH or HTTPS used for device access?
Technique: Review the configuration for management access methods.

Are secure passwords required for all network devices?
Technique: Review the password policy and inspect the actual configuration against it.

Are local login accounts on network devices used for fallback access only?
Technique: Network devices should be configured to fall back to local authentication only when the AAA server cannot be reached. If the network is small (fewer than five devices), local authentication can be used, but each user must have their own credentials.

Are network device passwords in configurations secured with encryption?
Technique: Review configurations for service password encryption. Note that IOS `service password-encryption` (type 7) is trivially reversible and only hides passwords from casual viewing; credentials that matter should use `enable secret` and `username ... secret` (type 5 or, where the platform supports them, type 8/9 hashes).

Is AAA utilized, with unique logins and least privilege principles applied to all network device access?
Technique: Review configurations to determine the authentication methods used for network devices.

Are logging and accounting enabled for network devices to track users and system state?
Technique: Ensure that logging is enabled and that events are reported to a central logging system. Identify how often logs are reviewed.

Are legal banners in place and presented before login attempts?
Technique: Inspect configurations for appropriate legal notification.

Is SNMP configured in a secure manner?
Technique: Review configurations to determine whether default settings (such as the public and private community strings) are removed and secure practices are followed for using SNMP.

Is syslog configured for network device reporting, and is it archived?
Technique: Syslog should be configured to report to a central syslog server and record device status, logins, management activities, and other pertinent security information.

Is NTP configured for all network devices in the organization?
Technique: Review configurations to determine whether NTP is enabled along with appropriate authentication.

Control Plane

Are unused IOS services disabled as outlined in hardening best practices?
Technique: Inspect configurations to ensure that services disabled by default have not been re-enabled.

Is routing protocol peering configured for authentication and encryption?
Technique: Review the configuration for routing protocol authentication and confirm that keyed hashing (MD5 at a minimum; HMAC-SHA key chains where the platform supports them) is used rather than plaintext passwords. Note that this authenticates routing updates and protects their integrity; it does not encrypt them.

Is Control Plane Policing enabled to protect the IOS device from DoS attacks?
Technique: Review configurations to identify the control plane protection mechanisms in place.

Are iACLs deployed to reduce the risk of spoofing and prevent unapproved control plane traffic from being received by the IOS device?
Technique: Review the configuration for iACLs and check the access lists to ensure they are effective.

Is NetFlow configured to improve network visibility?
Technique: NetFlow should be configured where appropriate to give insight into traffic patterns and protocol usage.
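As an added example (not part of the original checklist and not a Cisco tool), the Python script below checks a constructed IOS running-config against several of the management- and control-plane items above: SSH-only vty access with an access-class and exec-timeout, a disabled aux line, login throttling, a legal banner, no plaintext HTTP, no default SNMP community, NTP authentication, central syslog, OSPF authentication, Control Plane Policing, and NetFlow. The sample config, its addresses and the finding texts are invented; the checks encode the checklist's expectations rather than a vendor-published baseline.

```python
"""Static audit of a Cisco IOS running-config against the management- and
control-plane items in the checklist. SAMPLE_CONFIG is constructed for this
example and deliberately half-hardened so the audit has findings to report."""
import re

SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
login block-for 120 attempts 3 within 60
ip http server
snmp-server community public RO
ntp server 192.0.2.10
logging host 192.0.2.20
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 0822455D0A16
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def stanzas(config):
    """Split an IOS config into (header, [sub-commands]) blocks. IOS nests
    sub-commands under a header line with a leading space."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of (checklist item, finding) tuples; empty means clean."""
    blocks = stanzas(config)
    top = [hdr for hdr, _ in blocks]
    subs = [cmd for _, body in blocks for cmd in body]

    def has(prefix):
        return any(h.startswith(prefix) for h in top)

    findings = []
    # Management plane: global settings that must be present
    for prefix, item, msg in (
        ("service password-encryption", "password encryption", "service password-encryption missing"),
        ("aaa new-model", "AAA", "aaa new-model missing; only local logins possible"),
        ("login block-for", "login best practices", "failed logins are not throttled (login block-for)"),
        ("logging host", "syslog", "no central logging host"),
        ("ntp authenticate", "NTP", "NTP authentication not enabled"),
    ):
        if not has(prefix):
            findings.append((item, msg))
    if not (has("banner login") or has("banner motd")):
        findings.append(("legal banner", "no login or motd banner"))
    if has("ip http server"):
        findings.append(("secure management protocols", "plaintext HTTP management enabled"))
    for h in top:
        m = re.match(r"snmp-server community (\S+)", h)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("SNMP", "default community string '%s'" % m.group(1)))

    # Management plane: terminal lines (aux, con, vty); 'no exec' means the line is disabled
    for hdr, body in blocks:
        if not hdr.startswith("line ") or "no exec" in body:
            continue
        if hdr.startswith("line aux"):
            findings.append(("unused ports", hdr + ": exec not disabled"))
        if hdr.startswith("line vty"):
            if [c for c in body if c.startswith("transport input")] != ["transport input ssh"]:
                findings.append(("secure management protocols", hdr + ": transport input is not ssh-only"))
            if not any(c.startswith("access-class") for c in body):
                findings.append(("management ACL", hdr + ": no access-class"))
        if not any(c.startswith("exec-timeout") for c in body):
            findings.append(("login best practices", hdr + ": no exec-timeout"))

    # Control plane
    if has("router ospf") and not any(c.startswith("ip ospf authentication") for c in subs):
        findings.append(("routing authentication", "OSPF neighbors are not authenticated"))
    if not any(h == "control-plane" and any(c.startswith("service-policy input") for c in body)
               for h, body in blocks):
        findings.append(("CoPP", "no service-policy applied under control-plane"))
    if not any(c.startswith(("ip flow", "ip route-cache flow")) for c in subs):
        findings.append(("NetFlow", "no interface collects flow records"))
    return findings


if __name__ == "__main__":
    for item, detail in audit(SAMPLE_CONFIG):
        print("FAIL  %-28s %s" % (item, detail))
```

Run as-is, it reports nine failures for the sample, all on items the sample leaves weak; `line vty 5 15` alone accounts for three (it still accepts Telnet, has no access-class, and never times out), which is exactly the kind of forgotten second vty range an auditor should look for. Feed `audit()` the text of `show running-config` to reuse it on real output.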

Data Plane

Are access lists configured to prevent unnecessary or prohibited network protocols and access?
Technique: Access lists should be configured in accordance with approved traffic flow requirements. Prohibited network protocols and services should be blocked.

Is uRPF enabled to reduce spoofing of internal addresses?
Technique: Review configurations for the presence of anti-spoofing access lists or technologies such as uRPF.

Is Committed Access Rate (CAR) and QoS flooding protection enabled to prevent DoS attacks?
Technique: CAR and QoS should be configured to prevent flooding attacks on the network.

Layer 2 Security

Is VTP protected with a password or disabled?
Technique: VTP should be disabled if it is not used to manage switch VLANs. If it is configured, a VTP domain and password should be set to prevent unauthorized modification of or access to VLANs.

Is port security configured to prevent MAC flooding attacks?
Technique: Review the configuration for port security features that minimize the number of MAC addresses a switch port can learn. No more than three should be allowed on a normal user port.

Is DHCP snooping enabled to protect DHCP servers?
Technique: Review the configuration for DHCP server protection through DHCP snooping.

Is dynamic ARP inspection enabled to prevent ARP poisoning attacks?
Technique: Dynamic ARP inspection should be enabled to prevent ARP attacks that can be used to hijack user sessions. Dynamic ARP inspection and IP Source Guard both rely on the DHCP snooping binding table, so DHCP snooping must be enabled on the same VLANs.

Is IP Source Guard enabled to prevent IP address spoofing?
Technique: IP Source Guard should be configured to prevent IP address spoofing on local VLANs.

Is dynamic trunking disabled on nontrunk ports?
Technique: Inspect switch configurations to determine whether access ports are configured for no trunking.

Are spanning tree security best practices utilized?
Technique: Inspect the configuration for appropriate spanning tree protection features. BPDU Guard and Root Guard should be present.

Are VLAN ACLs used to enforce VLAN traffic policies?
Technique: VACLs should be present in switch configurations to provide policy control at the switch port or VLAN level. Review configurations for appropriate access control.

Are unused switch ports disabled and/or placed in a nonroutable VLAN?
Technique: Review the configuration to ensure unused ports are protected from unauthorized access.

Wireless

Are WEP or WPA configured on any APs?
Technique: Review the configuration to ensure that WEP and WPA pre-shared keys are not used for wireless networks. WEP is broken and WPA with TKIP is deprecated; WPA2 or WPA3 should be used instead.

Are wireless protection policies or wIPS enabled?
Technique: If a controller-based architecture is used, wireless protection policies should be enabled to prevent common wireless attacks. For higher security requirements and better visibility into wireless attacks, wIPS is recommended.

Are rogue AP detection features enabled?
Technique: Rogue AP detection features should be enabled if available to automate the detection and containment of unauthorized APs.

Are pre-shared keys used for encryption?
Technique: Pre-shared keys for wireless are not recommended, but if they are used they should follow good complexity requirements to increase the time needed for brute-force cracking. Just like passwords, these keys should also be changed on a regular basis.

Are weak encryption keys used?
Technique: Audit the network for weak encryption keys.

Is 802.1X used for authentication?
Technique: 802.1X provides strong authentication and key management for wireless networks and is recommended for secure wireless connectivity.
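Added example (not from the original page): the same static-audit idea applied per port to a constructed Catalyst-style switch config, covering the Layer 2 items above: VTP, DHCP snooping, dynamic ARP inspection, IP Source Guard, dynamic trunking, the port security MAC limit, BPDU Guard, Root Guard, and parked ports. The interface names and VLANs are invented, and the rule that trunks should be trusted for DHCP snooping assumes the uplink faces the DHCP server, which is a design assumption to confirm on the real network.

```python
"""Per-port Layer 2 audit of a Cisco IOS switch config against the items
above. SWITCH_CONFIG is constructed for this example (not a real device):
Gi1/0/1 is a hardened user port, Gi1/0/2 a bare one, Gi1/0/3 is parked,
and Gi1/0/24 is the trusted uplink."""
import re

SWITCH_CONFIG = """\
vtp mode transparent
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 ip verify source
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface GigabitEthernet1/0/3
 switchport access vlan 999
 shutdown
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
 spanning-tree guard root
"""

# An interface stanza is its header line plus every following line that is indented.
INTERFACE_RE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)


def interfaces(config):
    """Map each interface name to its list of sub-commands."""
    return {m.group(1): [c.strip() for c in m.group(2).splitlines()]
            for m in INTERFACE_RE.finditer(config)}


def audit_switch(config):
    """Return {scope: [findings]}; scope is 'global' or an interface name.
    Ports that are shut down are treated as parked and skipped."""
    glob = config.splitlines()
    findings = {}
    g = []
    if not any(ln.startswith("vtp password") for ln in glob) and not any(
            ln in ("vtp mode transparent", "vtp mode off") for ln in glob):
        g.append("VTP active without a password")
    if "ip dhcp snooping" not in glob:
        g.append("DHCP snooping off; DAI and IP Source Guard need its binding table")
    if not any(ln.startswith("ip arp inspection vlan") for ln in glob):
        g.append("dynamic ARP inspection not enabled on any VLAN")
    if g:
        findings["global"] = g
    bpdu_default = "spanning-tree portfast bpduguard default" in glob

    for name, cmds in interfaces(config).items():
        if "shutdown" in cmds:
            continue
        f = []
        if "switchport mode trunk" in cmds:
            if "spanning-tree guard root" not in cmds:
                f.append("trunk without Root Guard")
            if "ip dhcp snooping trust" not in cmds:  # assumes trunks face the DHCP server
                f.append("trunk not trusted for DHCP snooping")
        else:
            # Without an explicit access mode the port still runs DTP and can be negotiated into a trunk.
            if "switchport mode access" not in cmds:
                f.append("dynamic trunking (DTP) not disabled")
            if "switchport port-security" not in cmds:
                f.append("port security off")
            else:
                limit = [int(c.split()[-1]) for c in cmds if c.startswith("switchport port-security maximum")]
                if (limit[0] if limit else 1) > 3:  # IOS default maximum is 1
                    f.append("port security allows more than 3 MAC addresses")
            if "ip verify source" not in cmds:
                f.append("IP Source Guard off")
            if "spanning-tree bpduguard enable" not in cmds and not (
                    bpdu_default and "spanning-tree portfast" in cmds):
                f.append("BPDU Guard not in effect")
        if f:
            findings[name] = f
    return findings


if __name__ == "__main__":
    for scope, items in audit_switch(SWITCH_CONFIG).items():
        print(scope, "->", "; ".join(items))
```

Only Gi1/0/2 is reported, with four findings: the global BPDU Guard default does not help it because it has no portfast, and `switchport access vlan` alone leaves DTP running. That last point is the one the "dynamic trunking disabled on nontrunk ports" item is really asking about.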
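Added example (not from the original page) for the pre-shared key complexity and weak-key items above: the WPA2-PSK derivation from IEEE 802.11i written out in Python, with a dictionary check of the kind an auditor runs against a known PMK and a crude entropy-to-cracking-time estimate. The wordlist is constructed, the SSID/passphrase pair is the standard's own test vector, and the guess rate in `years_to_crack` is an assumption to be replaced with a measured figure.

```python
"""WPA2-PSK audit: derive the PMK exactly as IEEE 802.11i does and test a
passphrase against a wordlist, which is the offline attack a weak PSK faces
once a 4-way handshake has been captured. The wordlist below is constructed
for this example; the SSID/passphrase pair is the 802.11i test vector."""
import hashlib
import math
import string


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    802.11i requires an 8..63 character ASCII passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_audit(ssid, pmk, wordlist):
    """Return the wordlist entry that reproduces pmk, or None.
    An auditor takes the PMK from the AP configuration (for example hostapd's
    wpa_psk); an attacker checks guesses against the MIC of a captured
    handshake instead, but the per-guess PBKDF2 cost is the same."""
    for candidate in wordlist:
        if 8 <= len(candidate) <= 63 and wpa2_pmk(candidate, ssid) == pmk:
            return candidate
    return None


def passphrase_bits(passphrase):
    """Upper-bound entropy: each character treated as uniform over the union
    of the character classes actually present. Real passphrases score lower."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation, " ")
    pool = sum(len(cls) for cls in classes if any(ch in cls for ch in passphrase))
    return len(passphrase) * math.log2(max(pool, 1))


def years_to_crack(bits, guesses_per_second=1_000_000):
    """Expected time to search half the keyspace. The default rate is an
    assumption (roughly one modern GPU against WPA2 PBKDF2); scale it to
    the attacker being modelled."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 86400)


# Constructed wordlist for the demonstration; a real audit uses a leaked-password corpus.
CONSTRUCTED_WORDLIST = ["letmein1", "Summer2024", "password", "correct horse battery staple"]

if __name__ == "__main__":
    ssid, psk = "IEEE", "password"
    pmk = wpa2_pmk(psk, ssid)
    print("PMK for SSID %r:" % ssid, pmk.hex())
    print("wordlist hit:", dictionary_audit(ssid, pmk, CONSTRUCTED_WORDLIST))
    for p in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        b = passphrase_bits(p)
        print("%-30s %6.1f bits  ~%.3g years at 1M guesses/s" % (p, b, years_to_crack(b)))
```

Two things the numbers make concrete: the 4096-iteration PBKDF2 is what keeps per-guess cost high, but it does nothing for a passphrase that is in a wordlist, and the SSID is the salt, so a default or common SSID lets an attacker reuse precomputed tables. Both argue for the checklist's preference for 802.1X over a shared PSK.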
