Última modificación: 19 de marzo de 2025

Policy No. 4204 Router and Switch Security Procedure

Download Router and Switch Security Procedure Document

Propósito

The purpose of this procedure is to describe the minimal security configuration required for all routers and switches connecting to a production network or used in a production capacity at or on behalf of PCSD.

Alcance

All employees, contractors, consultants, temporary, and other workers at PCSD must adhere to this procedure. All routers and switches connected to PCSD production networks are affected.

Procedimiento

Configuration Standards

Only one local user account is configured on the router, used for backup if an external authentication source is not reachable. Routers and switches must use RADIUS for all user authentications.
The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
Only authorized tech support employees are allowed to log in to a router or switch. The Technology Director or Network Engineer can grant an employee rights.

Disabled Services or Features

IP directed broadcasts
Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
TCP small services
UDP small services
All source routing and switching
All web services running on the router
Cisco discovery protocol on Internet-connected interfaces
Telnet, FTP, and HTTP services
Auto-configuration

Services That Should Be Disabled Unless Justified

Dynamic trunking
Scripting environments, such as the TCL shell

Required Configurations

Password encryption must be enabled.
NTP must be configured to a corporate standard source.
All routing updates shall be done using secure routing updates.
Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed.
SNMP must be configured to use the most secure version of the protocol allowed by the combination of the device and management systems, at least v2.
Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
Access control lists for transiting the device are to be added as business needs arise.

Login Disclaimer

Each router must have the following statement presented for all forms of login, whether remote or local:

, /\.__ _.-\

,/ /_\ _/ \ \ ,/~,_.~'”\ /_\_ /’

/\ /## \ / V#\/\ /~8# # ## V8 #\/8 8\

/~#'#"#""##V&#&# ##\/88#"#8# #" #\#&"##" ##\

j# ##### #"#\&&"####/###& #"#&## #&" #"#&#"#'\

/#"#"#####"###'\&##"/&#"####"### # #&#&##"#"### \

J#"###"#"#"#"####'\# #"##"#"##"#"#####&"## "#"&"##|\

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Provo City School District Networking  
AUTHORIZED USERS ONLY!  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Additional Security Controls

Telnet may never be used across any network to manage a router unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.
The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices, including:
- IP access list accounting
- Device logging
- Incoming packets at the destination router with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic, shall be dropped
- Router console and modem access must be restricted by additional security controls

Último estado de actualización:

Actualizado en enero de 2015