Securing Routers, Switches and Firewalls
Overview

Routers, switches and firewalls join and protect networks. The controls below need to be implemented to keep them secure, regardless of the layer at which they operate or where they sit in the network.

1. Configuration and Change Management (PCI Data Security Standard 2.2)

Having a strong configuration standard is critical to a secure network. Network equipment, including routers, switches, and firewalls, has many configuration options that affect security and is rarely secure out of the box. Taking the time to understand these options and how to configure them for your environment is fundamental to maintaining a sound and secure network.

A sound change-management policy needs to ensure that:

    Security mailing lists are monitored.
    The latest patches are applied in a routine patch cycle under the guidance of written and agreed-on policies and procedures.
    A configuration guideline exists for the equipment in the environment and is strictly followed. Exceptions are carefully documented and maintained.
    Regular vulnerability scanning from both internal and external perspectives is conducted to discover new risks quickly and to test planned changes to the environment.
    Regular internal reviews of the configuration are conducted to compare the existing infrastructure with the configuration guide.
    Regular status reports are issued to upper management documenting the overall security posture of the network.

2. Software and Configuration Update Policies

It isn't necessary to install each and every update, but you should generally keep your network equipment current. As vulnerabilities become known to the security community, they are documented in databases such as the NVD at http://nvd.nist.gov. Those lists should be checked, and if the version of code in use is found to have known vulnerabilities, the device should be patched or other mitigating controls employed to protect the network. The PCI SSC requires that all critical patches be installed within 30 days of release.

General Secure Configuration Guidelines

Following these guidelines will help you maintain a more secure network environment. Most of them apply to any device on your network.

1. Verify that all unnecessary services are disabled. (PCI DSS 2.2.2)

Running unnecessary services exposes you to performance and security risks. This is true of any host or device: every listening service (HTTP management, finger, the TCP/UDP small servers, cleartext Telnet on the vty lines) adds to the attack surface available to an attacker.

2. Ensure that good SNMP management practices are followed.

SNMP is an often overlooked way to obtain full administrative access to a network device. A read-write community string lets an attacker rewrite the configuration, and SNMPv1 and SNMPv2c send the community string in cleartext, so anyone who can sniff a poll learns it. Change the default strings ("public", "private"), remove or tightly restrict read-write access, limit SNMP to the management hosts with an ACL, and use SNMPv3 with authentication and privacy wherever the platform supports it.

3. Implement strong password policies.

Weak and unencrypted passwords allow attackers to guess them or to read them in plain text from a configuration backup. Strong password controls are essential to protecting network equipment. Use complex passwords and store them as hashes rather than in reversible form where the platform allows it (on Cisco IOS, "enable secret" and "username ... secret" rather than "enable password" and "username ... password"; the "service password-encryption" type 7 encoding is only obfuscation and is trivially decoded). MD5-based hashes were the traditional choice; prefer the stronger hash types where the software supports them. Change passwords with appropriate periodicity (the PCI Security Standards Council requires that user passwords be changed at least every 90 days).

4. Enable logging and send it to a centralized system.

Failure to keep logs may prevent administrators from properly diagnosing a network issue or detecting malicious behavior. Logs held only on the device are lost on reload and can be erased by an attacker who gains control of it; sending them to a central syslog server preserves them and allows events to be correlated across devices.

5. Use NTP protocol to synchronize time across all devices.

NTP provides time synchronization for the time stamps on all logged events. Consistent time stamps are invaluable in reporting, troubleshooting, and correlating events across devices, and PCI DSS 10.4 requires them. Synchronize from trusted internal time sources and, where supported, enable NTP authentication so that a spoofed server cannot skew the clock.
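The configuration reviews called for in section 1 and the five guidelines above can be checked mechanically against the text of a saved "show running-config". The following script is an added example written for this page, not a tool from the original; it audits a Cisco IOS-style configuration for unnecessary services, SNMPv1/v2c community strings, reversible passwords, missing remote logging, and unauthenticated NTP. Both configurations embedded in it are constructed samples (hostnames, addresses, hashes and secrets are placeholders, not from any real device), one weak and one hardened, so the weak one shows what each finding looks like and the hardened one shows the corrected settings producing no findings.

```python
"""Audit an IOS-style running-config text against the guidelines above.

Input is the text of `show running-config`; nothing contacts a device.
Constructed sample configs below are placeholders, not real captures.
"""
import re

WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
username admin privilege 15 password 7 0822455D0A16
ip http server
service finger
snmp-server community public RO
snmp-server community netmgmt RW 10
no logging on
ntp server 10.0.0.10
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$placeholder.hash.value
username admin privilege 15 secret 9 $9$placeholder.hash.value
no ip http server
no service finger
snmp-server group NMS v3 priv access MGMT-ACL
snmp-server user nms NMS v3 auth sha Au7hPassw0rd priv aes 128 Pr1vPassw0rd
logging host 10.0.0.50
logging trap informational
ntp authenticate
ntp authentication-key 1 hmac-sha2-256 NtpSharedSecret
ntp trusted-key 1
ntp server 10.0.0.10 key 1
line vty 0 4
 transport input ssh
"""

# Services that should normally be off on a router/switch (guideline 1).
UNNEEDED_SERVICES = {
    "ip http server": "cleartext HTTP management",
    "service finger": "finger",
    "service tcp-small-servers": "echo/chargen/discard",
    "service udp-small-servers": "echo/chargen/discard",
}


def config_lines(config: str) -> list[str]:
    """Strip indentation and drop blank and '!' comment lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def check_services(lines: list[str]) -> list[str]:
    out = [f"unnecessary service enabled: {ln} ({why})"
           for ln in lines for svc, why in UNNEEDED_SERVICES.items() if ln == svc]
    out += [f"telnet accepted on a vty line: {ln}" for ln in lines
            if ln.startswith("transport input") and ("telnet" in ln or ln.endswith(" all"))]
    return out


def check_snmp(lines: list[str]) -> list[str]:
    """Any v1/v2c community is a cleartext credential; RW gives config control."""
    out = []
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", ln)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            sev = "HIGH" if mode == "RW" or name.lower() in ("public", "private") else "MEDIUM"
            out.append(f"{sev}: SNMPv1/v2c community '{name}' ({mode}); migrate to SNMPv3 authPriv")
    return out


def check_passwords(lines: list[str]) -> list[str]:
    out = []
    if "service password-encryption" not in lines:
        out.append("service password-encryption not set; line passwords shown in cleartext")
    for ln in lines:
        if ln.startswith("enable password "):
            out.append("'enable password' is reversible; use 'enable secret'")
        if re.match(r"username \S+ .*\bpassword\b", ln):
            out.append(f"user stored with 'password', not 'secret': {ln.split()[1]}")
        if " password 7 " in ln:  # type 7 is obfuscation, not a hash
            out.append(f"type 7 password is trivially decoded: {ln}")
    return out


def check_logging(lines: list[str]) -> list[str]:
    out = []
    if not any(ln.startswith("logging host ") for ln in lines):
        out.append("no remote syslog destination; local logs vanish on reload or tampering")
    if "no logging on" in lines:
        out.append("'no logging on' disables logging entirely")
    return out


def check_ntp(lines: list[str]) -> list[str]:
    out = []
    servers = [ln for ln in lines if ln.startswith("ntp server ")]
    if not servers:
        out.append("no NTP server configured; log time stamps cannot be correlated")
    if "ntp authenticate" not in lines:
        out.append("NTP authentication disabled; a spoofed server can skew the clock")
    out += [f"NTP server without 'key': {ln}" for ln in servers if " key " not in ln]
    return out


CHECKS = {"services": check_services, "snmp": check_snmp, "passwords": check_passwords,
          "logging": check_logging, "ntp": check_ntp}


def audit(config: str) -> dict[str, list[str]]:
    """Run every check; an empty list for a key means that guideline is met."""
    lines = config_lines(config)
    return {name: fn(lines) for name, fn in CHECKS.items()}


def finding_count(config: str) -> int:
    return sum(len(v) for v in audit(config).values())


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {finding_count(cfg)} finding(s)")
        for name, items in audit(cfg).items():
            for item in items:
                print(f"  [{name}] {item}")
```

Run it on the output of "show running-config" saved to a file by passing that text to audit(). The checks are deliberately line-oriented so the same pattern can be extended with the exceptions documented in your own configuration guideline; a device that produces no findings is compliant with the checks encoded here, not necessarily with the whole guideline.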