K logix Take on Top 20 SANS Critical Controls: Control #10

Critical Control #10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.

Each month we review one of the SANS Critical Controls and give our advice for addressing it in the typical enterprise organization. 

This month, Ken Smith, Senior Solution Architect, addresses Critical Control #10, Secure Configurations for Network Devices such as Firewalls, Routers and Switches. Find more information on the control on the SANS website: http://www.sans.org/critical-security-controls/control/10

Critical Control 10 aims to address a number of issues related to the integrity of critical system configuration. It may surprise some that this is a control that still needs to be addressed. But, even today, companies are using the default "out-of-the-box" configurations for firewalls, IPSs, routers, switches, and other critical systems. This happens most often when a third-party software vendor installs and integrates a solution into an organization. Unfortunately, many software vendors do not leverage common security practices as part of their implementation process. The worst offenses occur when a vendor is implementing one of these critical technologies (firewalls, IPSs, routers, switches, etc.) as part of an entire solution. In these cases, the vendor may be an expert in their specific software, but they often lack the know-how to implement a firewall properly.

There are precautions a company can take to ensure proper configuration of critical systems. Once you configure the device to a baseline that meets common practices and compliance requirements, you need to minimize opportunities for drift from that configuration. Unmanaged drift can be your enemy. Be sure that all firewalls, IPSs, routers, and switches are fully integrated into your organization’s change management program. This includes regularly validating that unauthorized changes have not occurred.
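One way to validate that no unauthorized changes have occurred is to compare each device's exported running configuration against its approved baseline. The sketch below is an added example, not part of the original post; the sample configs are constructed, and the volatile-line patterns and the `APPROVED` set (lines cleared through a change ticket) are assumptions.

```python
import difflib
import re

# Lines that differ between exports without a real change (assumed patterns,
# modelled on IOS-style "show running-config" output).
VOLATILE = re.compile(r"^(! Last configuration change|ntp clock-period|Current configuration)")

def normalize(config_text):
    """Drop blank lines, bare '!' separators and volatile lines."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    return [l for l in lines if l.strip() not in ("", "!") and not VOLATILE.match(l.strip())]

def detect_drift(baseline_text, running_text, approved=frozenset()):
    """Return (added, removed) lines that no approved change accounts for."""
    added, removed = [], []
    for d in difflib.ndiff(normalize(baseline_text), normalize(running_text)):
        if d[2:] in approved:
            continue  # covered by change management, not drift
        if d.startswith("+ "):
            added.append(d[2:])
        elif d.startswith("- "):
            removed.append(d[2:])
    return added, removed

# Constructed sample configs (not from a real device).
BASELINE = """\
! Last configuration change at 09:12:01 UTC Mon Jan 6 2025
hostname edge-fw-01
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
"""
RUNNING = """\
! Last configuration change at 22:47:30 UTC Sat Feb 1 2025
hostname edge-fw-01
ip http server
ip ssh version 2
ntp server 192.0.2.10
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""
APPROVED = {"ntp server 192.0.2.10"}  # hypothetical: approved via change ticket

if __name__ == "__main__":
    added, removed = detect_drift(BASELINE, RUNNING, APPROVED)
    for line in added:
        print("UNAUTHORIZED ADD:   ", line)
    for line in removed:
        print("UNAUTHORIZED REMOVE:", line)
```

Run on a schedule against fresh exports, any non-empty result is a change that bypassed change management and should be investigated or rolled back.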

Next, be sure that only authorized individuals have access to these critical systems. Take pains to ensure that any access they do have is via secure means. We recommend two-factor authentication, even for connections to these devices from inside your network. There are also quite a few benefits to having an "out-of-band" method to manage these devices, usually accomplished by setting up a separate management network.

More details about CSC 10 can be found here: http://www.sans.org/critical-security-controls/control/10
