Router Security Policy

Routers are often used on the edge of our network, where they provide Internet access or connectivity to other sites. The Internet is a hostile place, so these routers are exposed to a number of attacks.

To mitigate these attacks you should have a (formal) document that describes how you are going to deal with these attacks and how you will protect your routers. This document is called a router security policy. The advantage of using a security policy is that all your routers will have the same consistent configuration.

What you will find in the router security policy will depend on the organization and what the routers are used for. To give you an idea, here are some of the things you should consider if you want to create your own router security policy:

  • Passwords:
    • Do you allow plaintext passwords in the configuration or do you only allow encrypted passwords?
    • How complex should the passwords be?
    • How often should passwords be changed?
  • Authentication:
    • Do you allow local authentication on the router or should authentication be done through a remote RADIUS or TACACS+ server?
    • If you use remote authentication, should you log all login and logout events?
    • Do you show any banners to users who try to log in to your routers?
  • Remote Access:
    • What protocols do you allow for remote access? telnet?
    • Do you allow any GUIs like CCP (Cisco Configuration Protocol)?
  • Services: are there any services running on your router that are not needed and should be disabled? I’m talking about things like CDP, HTTP, IP redirect, etc.
  • Filtering:
    • What should your access-lists look like on the “outside” interfaces? Do you block private IP addresses?
    • Do you use any other filtering mechanisms to prevent spoofing like uRPF?
  • Routing Protocols: do you use any authentication for routing protocols? Do you ever change the passwords?
  • Backups:
    • Are there any backups of your running-configuration?
    • Do you store these backups on the flash memory of your router or on a (TFTP) server?
    • Do you store backups on an offsite location?
    • Do you have any revisions of your configurations?
  • Redundancy:
    • Do you have a backup plan in case your router fails?
    • Do you use any redundancy protocols like HSRP, VRRP or GLBP?
    • Do you have any replacement hardware?
  • Documentation:
    • Are there any procedures to ensure that your documentation remains up-to-date?
  • Physical:
    • Who has physical access to your router(s)?
    • Has anything been implemented to prevent access to the console port?
  • Monitoring:
    • Do you use any monitoring protocols like SNMP?
    • What do you monitor? CPU load? memory usage? interface statistics?
    • Do you use any access-lists for your SNMP communities?
  • Updates: Do you ever check for new IOS versions?

I hope this list gives you an idea of the things you should address in a router security policy. If you have any items that you think should be added to the list above, please let me know.
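A policy is easier to enforce when some of its items can be checked automatically. The following is an added example, not part of the original lesson: a small Python check that turns a few of the list items into pass/fail tests on a saved running-configuration. The sample configuration, the rule names and the `audit` function are constructed for illustration, and the patterns assume Cisco IOS syntax.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname EDGE-R1
enable password cisco123
username admin password 0 letmein
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# Each rule: (policy item from the list, regex, must_match).
# must_match=True  -> the line has to be present in the config.
# must_match=False -> the line must not appear in the config.
RULES = [
    ("Passwords: service password-encryption is on", r"^service password-encryption$", True),
    ("Passwords: no plaintext enable password", r"^enable password (?!7 )", False),
    ("Passwords: no plaintext local user password", r"^username \S+ .*password 0 ", False),
    ("Remote Access: telnet not allowed on lines", r"^ transport input .*\b(telnet|all)\b", False),
    ("Services: HTTP server disabled", r"^ip http server$", False),
    # CDP is on by default in IOS, so the policy needs an explicit "no cdp run".
    ("Services: CDP disabled globally", r"^no cdp run$", True),
    # A community line that ends right after the string or RO/RW has no ACL.
    ("Monitoring: SNMP communities have an access-list",
     r"^snmp-server community \S+( view \S+)?( R[OW])?$", False),
]

def audit(config):
    """Return the list of policy items that the given running-config violates."""
    findings = []
    for item, pattern, must_match in RULES:
        found = re.search(pattern, config, re.MULTILINE) is not None
        if found != must_match:
            findings.append(item)
    return findings

if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):
        print("FAIL:", item)
```

Running the same check against every router's backed-up configuration shows where a device has drifted from the policy.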

Forum Replies

  1. Hi Rene, I think there should be something about vulnerability scans added to the list.

  2. Hi Kam,

    Vulnerability scans are a good idea, yes. It’s best to let an external company do a network penetration test once you have configured everything 100%. This goes a bit further than just R&S though.

    Rene
