Router Security Policy Checklist

The checklist below is designed as an aid for creating router security policy. After drafting a policy, step down the list and check that each item is addressed in your policy.

Physical Security

  • Designates who is authorized to install, de-install, and move the router.
  • Designates who is authorized to perform hardware maintenance and to change the physical configuration of the router.
  • Designates who is authorized to make physical connections to the router.
  • Defines controls on placement and use of console and other direct access port connections.
  • Defines recovery procedures for the event of physical damage to the router, or evidence of tampering with the router.

Static Configuration Security

  • Designates who is authorized to log in directly to the router via the console or other direct access port connections.
  • Designates who is authorized to assume administrative privileges on the router.
  • Defines procedures and practices for making changes to the router static configuration (e.g. log book, change recording, review procedures)
  • Defines the password policy for user/login passwords, and for administrative or privilege passwords.
  • Designates who is authorized to log in to the router remotely.
  • Designates protocols, procedures, and networks permitted for logging in to the router remotely.
  • Defines the recovery procedures and identifies individuals responsible for recovery, in the case of compromise of the router’s static configuration.
  • Defines the audit log policy for the router, including outlining log management practices and procedures and log review responsibilities.
  • Designates procedures and limits on use of automated remote management and monitoring facilities (e.g. SNMP)
  • Outlines response procedures or guidelines for detection of an attack against the router itself.
  • Defines the key management policy for long-term cryptographic keys (if any).

Dynamic Configuration Security

  • Identifies the dynamic configuration services permitted on the router, and the networks permitted to access those services.
  • Identifies the routing protocols to be used, and the security features to be employed on each.
  • Designates mechanisms and policies for setting or automating maintenance of the router’s clock (e.g. manual setting, NTP)
  • Identifies key agreement and cryptographic algorithms authorized for use in establishing VPN tunnels with other networks (if any).

Network Service Security

  • Enumerates protocols, ports, and services to be permitted or filtered by the router, for each interface or connection (e.g. inbound and outbound), and identifies procedures and authorities for authorizing them.
  • Describes security procedures and roles for interactions with external service providers and maintenance technicians.

Compromise Response

  • Enumerates individuals or organizations to be notified in the event of a network compromise.
  • Defines response procedures, authorities, and objectives for response after a successful attack against the network, including provision for preserving evidence and for notification of law enforcement.