Pereiti prie turinio Pereiti į vertimo meniu
Search Icon

Last modified: 14 kovo, 2025

Policy No. 4204 Router and Switch Security Procedure

Tikslas

The purpose of this procedure is to describe the minimal security configuration required for all routers and switches connecting to a production network or used in a production capacity at or on behalf of PCSD.

Apimtis

All employees, contractors, consultants, temporary, and other workers at PCSD must adhere to this procedure. All routers and switches connected to PCSD production networks are affected.

Procedūra

Configuration Standards

  • Only one local user account is configured on the router, used for backup if an external authentication source is not reachable. Routers and switches must use RADIUS for all user authentications.
  • The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
  • Only authorized tech support employees are allowed to log in to a router or switch. The Technology Director or Network Engineer can grant an employee rights.

Disabled Services or Features

  • IP directed broadcasts
  • Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
  • TCP small services
  • UDP small services
  • All source routing and switching
  • All web services running on the router
  • Cisco discovery protocol on Internet-connected interfaces
  • Telnet, FTP, and HTTP services
  • Auto-configuration

Services That Should Be Disabled Unless Justified

  • Dynamic trunking
  • Scripting environments, such as the TCL shell

Required Configurations

  • Password encryption must be enabled.
  • NTP must be configured to a corporate standard source.
  • All routing updates shall be done using secure routing updates.
  • Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed.
  • SNMP must be configured to use the most secure version of the protocol allowed by the combination of the device and management systems, at least v2.
  • Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
  • Access control lists for transiting the device are to be added as business needs arise.

Login Disclaimer

Each router must have the following statement presented for all forms of login, whether remote or local:

, /\.__ _.-\

,/ /_\ _/ \ \ ,/~,_.~'”\ /_\_ /’

/\ /## \ / V#\/\ /~8# # ## V8 #\/8 8\
/~#'#"#""##V&#&# ##\/88#"#8# #" #\#&"##" ##\ 
j# ##### #"#\&&"####/###& #"#&## #&" #"#&#"#'\ 
/#"#"#####"###'\&##"/&#"####"### # #&#&##"#"### \ 
J#"###"#"#"#"####'\# #"##"#"##"#"#####&"## "#"&"##|\
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Provo City School District Networking  
AUTHORIZED USERS ONLY!  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Additional Security Controls

  • Telnet may never be used across any network to manage a router unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
  • Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.
  • The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices, including:
    • IP access list accounting
    • Device logging
    • Incoming packets at the destination router with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic, shall be dropped
    • Router console and modem access must be restricted by additional security controls

Last Update Status:

Updated January 2015

Related Policies and Procedures

lt_LTLietuvių kalba