
Network Device Hardening Standard

Network infrastructure devices do not create or store data. This document provides standards for management access and configuration of the network infrastructure hardware that transports data and adjacent systems that may be employed in support of that infrastructure.

This general guide is based on the CIS Benchmarks. Some benchmarks have been generalized to allow for differences between hardware platforms and software versions, and benchmarks for several platforms were consulted so that differences between platforms are partly covered as well. DCL 4 infrastructure has some Required settings referenced here, but the definitive resource for that configuration is the DCL 4 and PCI Guidelines. Products that no longer receive security updates from the vendor are not authorized for use on UM networks.

Each item ends with the data classification levels (DCL 1-4) it applies to and whether it is Required or Recommended at those levels.

1.1 Authentication
1.1.1 Use RADIUS/TACACS+/LDAP for centralized administrative user authentication (Level 1-4 Recommended)

1.2 Management Access
1.2.1 Use encrypted mechanisms (SSH/HTTPS) for management access (Level 1-4 Required)
1.2.1.1 Use SSH version 2 for SSH and TLS 1.2 or higher for HTTPS (Level 1-4 Recommended)
1.2.1.2 Use a key modulus of 2048 bits or more for the SSH key (Level 1-3 Recommended; Level 4 Required)
1.2.2 Set an idle timeout of 10 minutes or less (Level 1-4 Recommended)
1.2.3 Set an access list to restrict management access (Level 1-4 Recommended)
1.2.4 Require use of a jump system for access (Level 4 Required)

1.3 Banner
1.3.1 Set an appropriate, consistent system banner (Level 1-4 Recommended)

1.4 Passwords
1.4.1 Use secure encryption for local usernames/passwords stored in the local configuration (Level 1-4 Required)

1.5 SNMP
1.5.1 Disable SNMP when unused (Level 1-4 Recommended)
1.5.2 Disable default communities (Level 1-4 Required)
1.5.3 Do not use RW communities (Level 1-3 Recommended; Level 4 Required)
1.5.4 Prefer SNMPv3 (Level 1-4 Recommended)
1.5.5 Set an ACL for SNMP access (Level 1-4 Recommended)

2.1 General Settings
2.1.1 Disable unnecessary services/features (Level 1-4 Recommended)

2.2 Logging
2.2.1 Set a centralized logging host (Level 1-4 Recommended)
2.2.2 Ensure device logins and configuration changes are logged (Level 1-4 Recommended)

2.3 NTP
2.3.1 Use University NTP servers for time synchronization (Level 1-4 Recommended)

2.4 Source Interfaces
2.4.1 On devices with multiple interfaces, source logging/NTP/TFTP traffic from the management VRF or a loopback interface (Level 1-4 Recommended)

3.1 Network Operations
3.1.1 Disable IP source routing (Level 1-4 Recommended)
3.1.2 Disable proxy ARP (Level 1-4 Recommended)
3.1.3 Use authentication on routing protocols (Level 1-4 Recommended)
3.1.4 Use ACLs to protect exposed external interfaces (Level 1-4 Recommended)
3.1.5 Use DHCP snooping (Level 1-4 Recommended)
3.1.6 Back up configurations to a central repository (Level 1-4 Recommended)
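The items above are the kind of thing that is easiest to verify by auditing a saved running configuration rather than by hand. The following is an added example, not part of the standard and not a UM tool: a small Python auditor that parses a Cisco IOS-style configuration (the syntax the cited CIS benchmarks use; other platforms need different patterns) and reports pass/fail per item number for the checks that can be decided from the configuration text alone. The configuration is constructed for the example, with deliberately weak settings so that the output shows which items it violates. Items that need state beyond the configuration text (key modulus, platform-specific feature lists, logging of config changes, routing-protocol authentication, DHCP snooping, backups) are not checked and are left to the reader.

```python
"""Audit an IOS-style running-config against items of the hardening standard.

Added example, not part of the standard. The config below is constructed and
the command syntax assumed is Cisco IOS-style; adapt the patterns elsewhere.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration with several deliberate violations.
SAMPLE_CONFIG = """\
hostname edge-router-1
service password-encryption
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
aaa new-model
aaa authentication login default group tacacs+ local
banner motd ^C Authorized use only. Activity is monitored. ^C
ip ssh version 2
snmp-server community public RO
snmp-server community netops RW 10
logging host 192.0.2.50
ntp server 192.0.2.123
ip source-route
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip proxy-arp
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
"""

@dataclass
class Finding:
    item: str      # item number from the standard, e.g. "1.5.3"
    passed: bool
    detail: str

def parse_sections(config):
    """Split the config into (command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return one Finding per check; each check maps to an item number."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    out = []
    def add(item, ok, detail):
        out.append(Finding(item, bool(ok), detail))

    add("1.1.1", any(re.match(r"aaa authentication login .*group (tacacs\+|radius|ldap)", c)
                     for c in top), "login authentication uses RADIUS/TACACS+/LDAP")
    for cmd, sub in sections:
        if not cmd.startswith("line vty"):
            continue
        transport = [s.split()[2:] for s in sub if s.startswith("transport input")]
        add("1.2.1", transport and all(t == ["ssh"] for t in transport), f"{cmd}: SSH-only transport")
        timeouts = [s.split()[1:] for s in sub if s.startswith("exec-timeout")]
        secs = [int(t[0]) * 60 + (int(t[1]) if len(t) > 1 else 0) for t in timeouts]
        # "exec-timeout 0 0" disables the timeout; a missing line means it was never set explicitly
        add("1.2.2", secs and all(0 < s <= 600 for s in secs), f"{cmd}: idle timeout of 10 minutes or less")
        add("1.2.3", any(s.startswith("access-class") for s in sub), f"{cmd}: management ACL applied")
    add("1.2.1.1", "ip ssh version 2" in top, "SSH protocol version 2 only")
    add("1.3.1", any(c.startswith("banner ") for c in top), "login banner configured")
    # type 7 "password" entries are reversible; "secret" entries are hashed
    weak = [c for c in top if re.match(r"(enable|username \S+) password ", c)]
    add("1.4.1", not weak, "no reversible local/enable passwords " + ", ".join(weak))
    communities = [m.groups() for m in
                   (re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", c) for c in top) if m]
    add("1.5.2", all(name.lower() not in ("public", "private") for name, _, _ in communities),
        "no default SNMP communities")
    add("1.5.3", all(mode != "RW" for _, mode, _ in communities), "no RW SNMP communities")
    add("1.5.5", all(acl for _, _, acl in communities), "every SNMP community has an ACL")
    add("2.2.1", any(c.startswith("logging host ") for c in top), "central syslog host set")
    add("2.3.1", any(c.startswith("ntp server ") for c in top), "NTP server set")
    # IOS enables source routing and proxy ARP by default; the config only
    # records the "no" form once they have been disabled
    add("3.1.1", "no ip source-route" in top, "IP source routing disabled")
    for cmd, sub in sections:
        if cmd.startswith("interface") and "Loopback" not in cmd and any(s.startswith("ip address") for s in sub):
            add("3.1.2", "no ip proxy-arp" in sub, f"{cmd}: proxy ARP disabled")
    return out

def failed_items(config):
    """Item numbers with at least one failing check."""
    return {f.item for f in audit(config) if not f.passed}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("PASS" if f.passed else "FAIL", f.item, f.detail)
```

Run against a real device, feed it the output of `show running-config` instead of the constructed string and review every FAIL line against the table; the checks that test for the "no" form of a default-on feature (3.1.1, 3.1.2) are the ones most often missed in manual review, because an absent line looks like nothing is wrong.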

Reviewed 2023-06-12