UNCLASSIFIED  Router Security Principles and Goals  Version 1.0g

dynamic information, such as interface status, ARP tables, and audit logs, are also very important. If an attacker can compromise the dynamic configuration of a router, they can compromise the outermost layer as well. Security policy for a router should include rules about access to this layer, although it is sometimes overlooked.

The outer zone of the diagram represents the intra-network and inter-network traffic that the router manages. The overall network security policy may include rules about this, identifying permitted protocols and services, access mechanisms, and administrative roles. The high-level requirements of the network security policy must be reflected in the configuration of the router, and probably in the router security policy.

3.4.2.    Router Security Policy and Overall Network Security Policy

Typically, the network that a router serves will have a security policy, defining roles, permissions, rules of conduct, and responsibilities. The policy for a router must fit into the overall framework. The roles defined in the router security policy will usually be a subset of those in the network policy. The rules of conduct for administering the router should clarify the application of the network rules to the router.

For example, a network security policy might define three roles: administrator, operator, and user. The router security policy might include only two: administrator and operator. Each of the roles would be granted privileges in the router policy that permit them to fulfill their responsibilities as outlined in the network policy. The operator, for example, might be held responsible by the network security policy for periodic review of the audit logs. The router security policy might grant the operator login privileges to the router so that they can access the router logs.

In other regards, the router policy will involve far more detail than the network policy. In some cases, the router enforces network policy, and the router policy must reflect this. For example, the network security policy might forbid administration of the router from anywhere but the local LAN. The router policy might specify the particular rules to be enforced by the router to prevent remote administration.

3.4.3.    Creating a Security Policy for a Router

There are several important tips to remember when creating the security policy for a router:

- Specify security objectives, not particular commands or mechanisms – When the policy specifies the security effect to achieve, rather than a particular command or mechanism, the policy is more portable across router software versions and between different kinds of routers.
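
The remote-administration example in 3.4.2 and the tip above fit together: the objective ("administration only from the local LAN") is stated once, and a configuration is tested against that effect. The following Python check is an added example, not part of the original guide; it assumes Cisco IOS-style syntax (`line vty`, `access-class`, standard numbered `access-list`), a local LAN of 192.168.1.0/24, and a constructed sample configuration.

```python
import ipaddress
import re

def permitted_sources(config, acl):
    """Source networks a standard numbered ACL permits (contiguous wildcards only)."""
    nets = []
    for m in re.finditer(rf"^access-list {re.escape(acl)} permit (.+)$", config, re.M):
        words = m.group(1).split()
        if words[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif words[0] == "host":
            addr, wild = words[1], "0.0.0.0"
        else:  # "addr wildcard", or a bare host address (optionally followed by "log")
            addr = words[0]
            wild = words[1] if len(words) > 1 and words[1][0].isdigit() else "0.0.0.0"
        # An IOS wildcard mask is the bitwise inverse of a netmask.
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def audit_remote_admin(config, lan):
    """List vty lines whose inbound filter is missing or admits sources outside `lan`."""
    lan = ipaddress.ip_network(lan)
    findings = []
    # A "line vty" block is the header plus the indented lines that follow it.
    for m in re.finditer(r"^line vty (.+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = m.group(1).strip(), m.group(2)
        ac = re.search(r"^[ \t]+access-class (\S+) in\b", body, re.M)
        if ac is None:
            findings.append(f"vty {name}: no inbound access-class")
            continue
        acl = ac.group(1)
        if not re.search(rf"^access-list {re.escape(acl)} ", config, re.M):
            findings.append(f"vty {name}: access-class {acl} is not defined")
            continue
        outside = [str(n) for n in permitted_sources(config, acl) if not n.subnet_of(lan)]
        if outside:
            findings.append(f"vty {name}: ACL {acl} permits {', '.join(outside)}")
    return findings

# Constructed sample configuration (not taken from any real device).
SAMPLE = """\
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit host 203.0.113.7
line vty 0 2
 access-class 10 in
 transport input ssh
line vty 3
 access-class 11 in
line vty 4
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_remote_admin(SAMPLE, "192.168.1.0/24"):
        print(finding)
```

Because the check tests the effect rather than a fixed command string, the same objective can be re-verified after a software upgrade or against a differently written ACL.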