11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Control Statement
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
11.1: Maintain Standard Security Configurations for Network Devices
Maintain documented security configuration standards for all authorized network devices.
11.2: Document Traffic Configuration Rules
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
11.3: Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Compare all network device configuration against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
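Subcontrols 11.2 and 11.3 together describe a checkable process: every traffic rule carries a business reason, a named owner and an expected duration, and every device's running configuration is compared against an approved baseline with deviations raised as alerts. The script below is an added illustration of both checks and is not part of the CIS Controls or the csf.tools page; the device names, the simplified "key value" configuration syntax, the baseline settings and the rule records are all constructed sample data, not any vendor's real syntax or any organisation's real rules.

```python
"""Added example: baseline drift detection (11.3) and rule-metadata audit (11.2).

Everything here is constructed sample data. The 'key value' config lines are a
simplified stand-in for real vendor configuration syntax.
"""
from datetime import date

# Approved security configuration for one device class (constructed sample).
# A value of "absent" means the setting must not appear in the running config.
APPROVED_BASELINE = {
    "ip ssh version": "2",
    "service password-encryption": "enabled",
    "ip http server": "disabled",
    "logging host": "10.0.0.5",
    "snmp-server community": "absent",
}

# Running configurations collected from two devices (constructed sample).
RUNNING_CONFIGS = {
    "edge-fw-01": """
ip ssh version 2
service password-encryption enabled
ip http server disabled
logging host 10.0.0.5
""",
    "core-sw-02": """
ip ssh version 1
service password-encryption enabled
ip http server enabled
logging host 10.0.0.5
snmp-server community public
""",
}

# Traffic rules recorded with the metadata 11.2 asks for (constructed sample).
# R2 deliberately lacks a reason and an owner and is past its expected duration.
TRAFFIC_RULES = [
    {"id": "R1", "src": "10.1.0.0/24", "dst": "10.2.0.10", "port": 443,
     "reason": "HR portal access", "owner": "j.doe", "expires": "2031-01-01"},
    {"id": "R2", "src": "any", "dst": "10.2.0.20", "port": 3389,
     "reason": "", "owner": "", "expires": "2020-06-30"},
]


def parse_config(text):
    """Turn 'key ... value' lines into a dict; the last token is the value."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        settings[" ".join(parts[:-1])] = parts[-1]
    return settings


def find_deviations(baseline, running):
    """Return (setting, expected, actual) for each baseline entry that differs.

    A setting missing from the running config reads as "absent", so a baseline
    value of "absent" passes only when the device does not carry the setting.
    """
    deviations = []
    for key, expected in baseline.items():
        actual = running.get(key, "absent")
        if actual != expected:
            deviations.append((key, expected, actual))
    return deviations


def audit_rules(rules, today_iso):
    """Flag rules with no business reason, no responsible owner, or an
    expected duration that has already passed (today_iso is YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rule in rules:
        if not rule["reason"]:
            findings.append(f"{rule['id']}: no business reason")
        if not rule["owner"]:
            findings.append(f"{rule['id']}: no responsible individual")
        if date.fromisoformat(rule["expires"]) < today:
            findings.append(f"{rule['id']}: expired on {rule['expires']}")
    return findings


def run_audit(today_iso=None):
    """Build one report: per-device deviations plus rule-inventory findings."""
    today_iso = today_iso or date.today().isoformat()
    report = {}
    for name, text in RUNNING_CONFIGS.items():
        report[name] = find_deviations(APPROVED_BASELINE, parse_config(text))
    report["rules"] = audit_rules(TRAFFIC_RULES, today_iso)
    return report


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section, "OK" if not items else "")
        for item in items:
            print("   ALERT:", item)
```

In a real deployment the running configurations would be pulled over an encrypted management session (see 11.5) on a schedule, and each non-empty deviation list would feed the alerting path rather than a print statement; the comparison logic itself stays this small because the baseline, not the script, is where the security decisions live.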
11.4: Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
Install the latest stable version of any security-related updates on all network devices.
11.5: Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
Manage all network devices using multi-factor authentication and encrypted sessions.
11.6: Use Dedicated Machines For All Network Administrative Tasks
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
11.7: Manage Network Infrastructure Through a Dedicated Network
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.