Router Security Configuration Guide, Version 1.0g (UNCLASSIFIED), page 40
• Specify policy for all the zones identified in the figure above.
  Begin with physical security, and work outwards to security for the static
  configuration, the dynamic configuration, and for traffic flow.
• Services and protocols that are not explicitly permitted should be denied.
  When representing the network policy in the router policy, concentrate on
  services and protocols that have been identified as explicitly needed for
  network operation; explicitly permit those, and deny everything else.
In some cases, it may not be practical to identify and list all the services and
protocols that the router will explicitly permit. A backbone router that must route
traffic to many other networks cannot always enforce highly tailored policies on the
traffic flowing through it, due to performance concerns or differences in the security
policies of the different networks served. In these kinds of cases, the policy should
clearly state any limitations or restrictions that can be enforced. When drafting a
policy, keep most of the directives and objectives high-level; avoid specifying the
particular mechanisms in the policy.
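The "permit what is needed, deny everything else" rule above is usually expressed on the router as an access list whose only non-specific entry is a final deny. The fragment below is an added illustration, not configuration from the guide; it assumes Cisco IOS syntax, and the interface name, the RFC 5737 documentation addresses and the set of permitted services are constructed for the example.

```cisco
! Added example: an extended access list that encodes a default-deny
! policy for traffic arriving from an outside network.
! Interface name, addresses and permitted services are constructed.
!
! Only the services identified as explicitly needed are listed:
! DNS and mail to one internal server, plus return traffic for TCP
! connections that were opened from the inside.
ip access-list extended FROM-OUTSIDE
 remark -- services explicitly needed for network operation --
 permit udp any host 203.0.113.10 eq domain
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark -- everything not listed above is denied and logged --
 deny   ip any any log
!
interface Serial0/0
 description Link to outside network
 ip access-group FROM-OUTSIDE in
```

IOS already applies an implicit deny at the end of every access list; the explicit `deny ip any any log` entry is there so that the policy decision is visible in the configuration and so that `show access-lists FROM-OUTSIDE` shows how often the default deny is hit, which is the counter to watch when reviewing whether the permitted-services list is complete.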
A security policy must be a living document. Make it part of the security practices of
the network to regularly review the network security policy and the router security
policy. Update the router policy to reflect changes in the network policy, or
whenever the security objectives for the router change. It may be necessary to revise
the router security policy whenever there is a major change in the network
architecture or organizational structure of network administration. In particular,
examine the router security policy and revise it as needed whenever any of the
following events occur:
• New connections made between the local network and outside networks
• Major changes to administrative practices, procedures, or staff
• Major changes to the overall network security policy
• Deployment of substantial new capabilities (e.g. a new VPN) or new
  network components (e.g. a new firewall)
• Detection of an attack or serious compromise
When the router security policy undergoes a revision, notify all individuals
authorized to administer the router and all individuals authorized for physical access
to it. Maintaining policy awareness is crucial for policy compliance.
3.4.4. Router Security Policy Checklist
The checklist below is designed as an aid for creating router security policy. After
drafting a policy, work down the list and check that each item is addressed in your
policy.