The checklist below is designed as an aid for creating router security policy. After drafting a policy, step down the list and check that each item is addressed in your policy.

Physical Security

• Designates who is authorized to install, de-install, and move the router.
• Designates who is authorized to perform hardware maintenance and to change the physical configuration of the router.
• Designates who is authorized to make physical connections to the router.
• Defines controls on placement and use of console and other direct access port connections.
• Defines recovery procedures for the event of physical damage to the router, or evidence of tampering with the router.

Static Configuration Security

• Designates who is authorized to log in directly to the router via the console or other direct access port connections.
• Designates who is authorized to assume administrative privileges on the router.
• Defines procedures and practices for making changes to the router static configuration (e.g. log book, change recording, review procedures)
• Defines the password policy for user/login passwords, and for administrative or privilege passwords.
• Designates who is authorized to log in to the router remotely.
• Designates protocols, procedures, and networks permitted for logging in to the router remotely.
• Defines the recovery procedures and identifies individuals responsible for recovery, in the case of compromise of the router’s static configuration.
• Defines the audit log policy for the router, including outlining log management practices and procedures and log review responsibilities.
• Designates procedures and limits on use of automated remote management and monitoring facilities (e.g. SNMP)
• Outlines response procedures or guidelines for detection of an attack against the router itself.
• Defines the key management policy for long-term cryptographic keys (if any).

Dynamic Configuration Security

• Identifies the dynamic configuration services permitted on the router, and the networks permitted to access those services.
• Identifies the routing protocols to be used, and the security features to be employed on each.
• Designates mechanisms and policies for setting or automating maintenance of the router’s clock (e.g. manual setting, NTP)
• Identifies key agreement and cryptographic algorithms authorized for use in establishing VPN tunnels with other networks (if any).

Network Service Security

• Enumerates protocols, ports, and services to be permitted or filtered by the router, for each interface or connection (e.g. inbound and outbound), and identifies procedures and authorities for authorizing them.
• Describes security procedures and roles for interactions with external service providers and maintenance technicians.

Compromise Response

• Enumerates individuals or organizations to be notified in the event of a network compromise.
• Defines response procedures, authorities, and objectives for response after a successful attack against the network, including provision for preserving evidence and for notification of law enforcement.