• Patches and Updates (Component)
    – Router operating system is patched with up-to-date software
  • Protocols
    – Unused protocols and ports are blocked
    – Ingress and egress filtering is implemented
    – ICMP traffic is screened from the internal network
    – TTL expired messages with values of 1 or 0 are blocked (route tracing is disabled)
    – Directed broadcast traffic is not forwarded
    – Large ping packets are screened
    – Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router
  • Administrative access
    – Unused management interfaces on the router are disabled
    – A strong administration password policy is enforced
    – Static routing is used
    – Web-facing administration is disabled
  • Services
    – Unused services are disabled (for example, bootps and finger)
  • Auditing and logging
    – Logging is enabled for all denied traffic
    – Logs are centrally stored and secured
    – Auditing against the logs for unusual patterns is in place
  • Intrusion detection
    – IDS is in place to identify an active attack and raise an alert

Network Level Security: Firewall

  • Patches and Updates (Component)
    – Firewall software and OS are patched with latest security updates
  • Filters
    – Packet filtering policy blocks all but required traffic in both directions
    – Application-specific filters are in place to restrict unnecessary traffic
  • Logging and Auditing
    – All permitted traffic is logged
    – Denied traffic is logged
    – Logs are cycled with a frequency that allows quick data analysis
    – All devices on the network are synchronized to a common time source
  • Perimeter networks
    – Perimeter network is in place if multiple networks require access to the server
    – Firewall is placed between untrusted networks

Network Level Security: Switch

  • Patches and Updates (Component)
    – Latest security patches are tested and installed, or the threat from known vulnerabilities is mitigated
  • VLANs
    – VLANs are not overused or overly trusted
  • Insecure defaults
    – All factory passwords are changed
    – Minimal administrative interfaces are available
    – Access controls are configured to secure SNMP community strings
  • Services
    – Unused services are disabled
  • Encryption
    – Switched traffic is encrypted
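
Several of the router and switch items above (directed broadcast, web-facing administration, unused services such as finger and bootps, default SNMP community strings, logging of denied traffic) can be audited mechanically from a saved configuration. The script below is an added example, not part of the original checklist; it assumes Cisco IOS-like command syntax and uses a constructed sample configuration that deliberately fails several checks.

```python
import re

# Constructed sample of an IOS-style configuration (assumption: Cisco IOS-like
# syntax); it deliberately violates several of the checklist items above.
SAMPLE_CONFIG = """\
service finger
ip bootp server
ip http server
snmp-server community public RO
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any
"""

# (checklist item, regex matching a line that violates it). re.M makes ^ and $
# match per line; "no ..." forms never match because they begin with "no".
# A deny entry that does not end in "log" leaves denied traffic unlogged.
CHECKS = [
    ("Directed broadcast traffic is not forwarded",
     re.compile(r"^\s+ip directed-broadcast\s*$", re.M)),
    ("Web-facing administration is disabled",
     re.compile(r"^ip http (secure-)?server\s*$", re.M)),
    ("Unused services are disabled (finger)",
     re.compile(r"^service finger\s*$", re.M)),
    ("Unused services are disabled (bootps)",
     re.compile(r"^ip bootp server\s*$", re.M)),
    ("Access controls secure SNMP community strings (no defaults)",
     re.compile(r"^snmp-server community (public|private)\b.*$", re.M)),
    ("Logging is enabled for all denied traffic",
     re.compile(r"^\s+deny\b(?!.*\blog\s*$).*$", re.M)),
]

def audit(config: str) -> dict:
    """Return {checklist item: [offending config lines]} for each failing check."""
    findings = {}
    for item, pattern in CHECKS:
        hits = [m.group(0).strip() for m in pattern.finditer(config)]
        if hits:
            findings[item] = hits
    return findings

if __name__ == "__main__":
    for item, lines in audit(SAMPLE_CONFIG).items():
        print(f"FAIL {item}: {', '.join(lines)}")
```

Running it against the constructed configuration reports six failing items; the same checks return nothing for a configuration that uses the corresponding `no ...` forms and appends `log` to its deny entries.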