Security Control 10:
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

10.1

Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use.


The security configuration of such devices should be documented, reviewed, and approved by a change management process. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change management process.

High: REQ | Med: REQ | Low: REQ
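The comparison that 10.1 calls for is easiest to keep honest when it is automated. The script below is an added example, not code from the original control document: it reads a standard configuration expressed as REQUIRE lines (which must appear verbatim in the running config) and FORBID patterns (which must match nothing), normalizes a running configuration pulled from a device, and reports every deviation. The REQUIRE/FORBID baseline format is an assumption of this example, and both configuration texts are constructed IOS-style samples; the FORBID pattern on `ipv6` also gives a quick check for the 10.5 case of IPv6 left enabled on a device where it is not in use.

```python
"""Compare a device's running configuration against the documented standard
configuration (control 10.1) and flag IPv6 left enabled where it is not in
use (control 10.5).

Added example, not part of the original control document. The baseline
format (REQUIRE / FORBID directives) is an assumption of this example, and
both configuration texts below are constructed IOS-style samples.
"""
import re

# Constructed baseline for one device class. REQUIRE lines must appear
# verbatim in the running config; FORBID lines are regular expressions that
# must match no line of it.
BASELINE = r"""
REQUIRE service password-encryption
REQUIRE ip ssh version 2
REQUIRE no ip http server
REQUIRE logging host 192.0.2.10
REQUIRE ntp server 192.0.2.20
FORBID  ^snmp-server community \S+ R[OW]$
FORBID  ^ip http server$
FORBID  ^ipv6\b
"""

# Constructed running-config excerpt, as it would be pulled from a device.
RUNNING_CONFIG = """
!
hostname edge-rtr-1
service password-encryption
ip ssh version 2
ip http server
snmp-server community public RO
logging host 192.0.2.10
ipv6 unicast-routing
!
line vty 0 4
 transport input ssh
!
"""


def parse_baseline(text):
    """Split the baseline into required literal lines and forbidden patterns."""
    required, forbidden = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        rest = rest.strip()
        if directive == "REQUIRE":
            required.append(rest)
        elif directive == "FORBID":
            forbidden.append(re.compile(rest))
        else:
            raise ValueError(f"unknown baseline directive: {line!r}")
    return required, forbidden


def normalize(config_text):
    """Strip indentation and drop blank lines and '!' section separators."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def compare_config(baseline_text, running_text):
    """Return the required lines that are missing and the running-config
    lines that violate a FORBID pattern, each in document order."""
    required, forbidden = parse_baseline(baseline_text)
    running = normalize(running_text)
    present = set(running)
    missing = [req for req in required if req not in present]
    violations = [line for line in running
                  if any(pat.search(line) for pat in forbidden)]
    return {"missing": missing, "violations": violations}


def is_compliant(result):
    """True when a compare_config() result shows no deviation at all."""
    return not result["missing"] and not result["violations"]


if __name__ == "__main__":
    result = compare_config(BASELINE, RUNNING_CONFIG)
    for req in result["missing"]:
        print(f"MISSING   {req}")
    for line in result["violations"]:
        print(f"FORBIDDEN {line}")
    print("compliant" if is_compliant(result) else "deviations found")
```

Every line the script prints is a deviation that, under 10.1, either needs a documented and approved exception or a change to bring the device back to standard; running it from a scheduled job against freshly pulled configurations turns the quarterly review into a diff rather than a manual read-through.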

10.2

Network devices should be managed using two-factor authentication and encrypted sessions.


Only true two-factor authentication mechanisms should be used, such as a password and a hardware token, or a password and biometric device. Requiring two different passwords for accessing a system is not two-factor authentication.

High: REQ | Med: REQ | Low: REQ

10.3

The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

High: REQ | Med: REQ | Low: REQ

10.4

Network filtering technologies employed between networks with different security levels (firewalls, network-based IPS tools, and routers with access controls lists) should be deployed with capabilities to filter Internet Protocol version 6 (IPv6) traffic.

High: REQ | Med: REQ | Low: REC

10.5

If IPv6 is not currently in use, it should be disabled.


Since many operating systems today ship with IPv6 support enabled by default, filtering technologies need to take IPv6 traffic into account even where it was never deliberately deployed.

High: REQ | Med: REQ | Low: REC

10.6

The latest stable version of a network device's Internetwork Operating System (IOS) or firmware that contains critical security updates must be installed within 30 days of the update being released by the device vendor.

High: REQ | Med: REQ | Low: REC

10.7

At network interconnection points—such as Internet gateways, inter-organization connections, and internal network segments with different security controls—implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, NIPS, and/or routers.

High: REQ | Med: REC | Low: OPT

10.8

All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system.


Document the specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.

High: REQ | Med: REC | Low: OPT
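Controls 10.7 and 10.8 together describe a rule set that is default-deny at the end and whose every allow-rule carries a business reason, a named owner and an expected duration. The script below is an added example, not code from the original control document, showing what the quarterly review in 10.8 looks like when the rule ledger is kept in a machine-readable form: it loads a ledger, flags allow-rules whose documentation is incomplete or whose need has expired, checks that the rule set still ends in a default-deny entry (10.7), and produces the pruned rule list with expired rules removed. The CSV layout and the sample rows are constructed for this example.

```python
"""Quarterly review of documented allow-rules on a network security device
(control 10.8) plus a check that the rule set ends in default deny
(control 10.7).

Added example, not part of the original control document. The ledger
columns mirror the documentation items the control asks for (reason,
responsible individual, expected duration); the CSV layout and the rows
themselves are constructed for this example.
"""
import csv
import io
from datetime import date

# Constructed ledger: one row per rule beyond the baseline-hardened
# configuration. The final row is the default-deny catch-all.
RULE_LEDGER = """\
rule_id,action,direction,proto,port,src,dst,reason,owner,expires
fw-101,allow,ingress,tcp,443,0.0.0.0/0,203.0.113.10/32,public web frontend,A. Example,2099-12-31
fw-102,allow,egress,udp,53,10.0.0.0/8,203.0.113.53/32,recursive DNS resolver,B. Example,2099-12-31
fw-103,allow,ingress,tcp,3389,198.51.100.0/24,10.0.5.20/32,vendor remote support,,2024-12-31
fw-104,allow,egress,tcp,25,10.0.0.0/8,0.0.0.0/0,legacy mail relay migration,C. Example,2024-06-30
fw-999,deny,any,any,any,0.0.0.0/0,0.0.0.0/0,default deny,platform team,
"""


def load_ledger(text):
    """Parse the CSV ledger into a list of rule dicts, preserving order."""
    return list(csv.DictReader(io.StringIO(text)))


def review_rules(rules, today):
    """Return the allow-rules that fail the 10.8 documentation test and the
    allow-rules whose expected duration has passed as of `today` (ISO date)."""
    as_of = date.fromisoformat(today)
    undocumented, expired = [], []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules are the baseline, not a business exception
        if not rule["reason"].strip() or not rule["owner"].strip():
            undocumented.append(rule["rule_id"])
        if date.fromisoformat(rule["expires"]) < as_of:
            expired.append(rule["rule_id"])
    return {"undocumented": undocumented, "expired": expired}


def ends_in_default_deny(rules):
    """10.7: the last rule must deny everything not explicitly allowed above."""
    if not rules:
        return False
    last = rules[-1]
    return (last["action"] == "deny"
            and last["proto"] == "any" and last["port"] == "any"
            and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0")


def prune_expired(rules, today):
    """Return the rule list with expired allow-rules removed; the default-deny
    entry and still-valid rules keep their relative order."""
    gone = set(review_rules(rules, today)["expired"])
    return [rule for rule in rules if rule["rule_id"] not in gone]


if __name__ == "__main__":
    review_date = "2024-09-30"  # constructed review date
    rules = load_ledger(RULE_LEDGER)
    findings = review_rules(rules, review_date)
    for rid in findings["undocumented"]:
        print(f"UNDOCUMENTED {rid}: missing business reason or owner")
    for rid in findings["expired"]:
        print(f"EXPIRED      {rid}: business need has lapsed, remove rule")
    if not ends_in_default_deny(rules):
        print("WARNING: rule set does not end in default deny")
    kept = prune_expired(rules, review_date)
    print("rules after review:", ", ".join(r["rule_id"] for r in kept))
```

Running the review on the constructed ledger flags fw-103 (no responsible individual recorded) and fw-104 (expired need); the pruned list is what gets pushed back to the device and recorded in the configuration management system, so the documented rule set and the enforced rule set stay the same thing.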

Additional Reading