Routers are an important part of a network, and their security is a vital part of the overall security for the networks they serve. What does it mean for a router to be secure? One simple way to define the security of a router is this: does the operation, configuration, and management of the router satisfy your security policy?

Typically, the network that a router serves will have a security policy, defining roles, permissions, rules of conduct, and responsibilities. The policy for a router must fit into the overall framework. The roles defined in the router security policy will usually be a subset of those in the network policy. The rules of conduct for administering the router should clarify the application of the network rules to the router.

For example, a network security policy might define three roles: administrator, operator, and user. The router security policy might include only two: administrator and operator. Each of the roles would be granted privileges in the router policy that permit them to fulfill their responsibilities as outlined in the network policy.

The operator, for example, might be held responsible by the network security policy for periodic review of the audit logs. The router security policy might grant the operator login privileges to the router so that they can access the router logs.

In other regards, the router policy will involve far more detail than the network policy. In some cases, the router enforces network policy, and the router policy must reflect this.

For example, the network security policy might forbid administration of the router from anywhere but the local LAN. The router policy might specify the particular rules to be enforced by the router to prevent remote administration.

There are several important tips to remember when creating the security policy for a router:

• Specify security objectives, not particular commands or mechanisms – When the policy specifies the security results to be achieved, rather than a particular command or mechanism, the policy is more portable across router software versions and between different kinds of routers.

• Specify policy for all the zones identified in the figure above – Begin with physical security, and work outwards to security for the static configuration, the dynamic configuration, and for traffic flow.

• Services and protocols that are not explicitly permitted should be denied – When representing the network policy in the router policy, concentrate on services and protocols that have been identified as explicitly needed for network operation; explicitly permit those, and deny everything else.

In some cases, it may not be practical to identify and list all the services and protocols that the router will explicitly permit. A backbone router that must route traffic to many other networks cannot always enforce highly tailored policies on the traffic flowing through it, due to performance concerns or differences in the security policies of the different networks served. In these kinds of cases, the policy should clearly state any limitations or restrictions that can be enforced. When drafting a policy, keep most of the directives and objectives high-level; avoid specifying the particular mechanisms in the policy.

A security policy must be a living document. Make it part of the security practices of the network to regularly review the network security policy and the router security policy. Update the router policy to reflect changes in the network policy, or whenever the security objectives for the router change. It may be necessary to revise the router security policy whenever there is a major change in the network architecture or organizational structure of network administration. In particular, examine the router security policy and revise it as needed whenever any of the following events occur.

• New connections made between the local network and outside networks
• Major changes to administrative practices, procedures, or staff
• Major changes to the overall network security policy
• Deployment of substantial new capabilities (e.g. a new VPN) or new network components (e.g. a new firewall)
• Detection of an attack or serious compromise

When the router security policy undergoes a revision, notify all individuals authorized to administer the router and all individuals authorized for physical access to it. Maintaining policy awareness is crucial for policy compliance.