Effective date Month / Day / Year
Implement by Month / Day / Year
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of ABC Inc.
All routers and switches connected to ABC Inc. production networks are affected. Routers and switches within the internal networks are not affected. Routers and switches within DMZ areas fall under the DMZ Policy.
Every router must meet the following configuration standards:
No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
Disallow the following:
IP directed broadcasts
Incoming packets at the router sourced with invalid addresses such as RFC1918 address
TCP small services
UDP small services
All source routing
All web services running on router
Use corporate standardized SNMP community strings.
Access rules are to be added as business needs arise.
The router must document router configurations and point of contact(s).
Each router must have the following statement posted in clear view:
"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Production Network: The "production network" is the network used in the daily business of ABC Inc. Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to ABC Inc. employees or impact their ability to do work.
Lab Network: A "lab network" is defined as any network used for the purposes of testing, demonstrations , training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to ABC Inc. nor affect the production network.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Date ___/____/_____
Version:_______________________
Author:____________________________________
Summary:__________________________________