Critical control 10: Secure configurations for network devices such as firewalls, routers, and switches
Preclude electronic holes from forming at connection points with the Internet, other organisations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.
How do attackers exploit the absence of this control?
Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, as the exceptions are deployed, and as those exceptions are left in place when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is neither properly analysed nor measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defences. Attackers have exploited flaws in these network devices to gain access to target networks, redirect traffic on a network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.
How to implement, automate and measure the effectiveness of this control using the sub-controls below
10.1 - Quick wins: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organisation. The security configuration of such devices should be documented, reviewed, and approved by an organisation change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
10.2 - Quick wins: At network interconnection points—such as Internet gateways, inter-organisation connections, and internal network segments with different security controls—implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, network-based IPS, and/or routers.
10.3 - Quick wins: Network devices that filter unneeded services or block attacks (including firewalls, network-based IPS, routers with access control lists, etc.) should be tested under laboratory conditions with each given organisation’s configuration to ensure that they fail closed (block rather than pass traffic) under significant load, using a mixture of legitimate, allowed traffic for that configuration intermixed with attacks at line speed.
10.4 - Configuration/Hygiene: All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.
10.5 - Configuration/Hygiene: Network filtering technologies employed between networks with different security levels (firewalls, network-based IPS tools, and routers with access controls lists) should be deployed with capabilities to filter Internet Protocol version 6 (IPv6) traffic. However, if IPv6 is not currently being used it should be disabled. Since many operating systems today ship with IPv6 support activated, filtering technologies need to take it into account.
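The following script is an added illustration of sub-controls 10.1, 10.2, 10.4 and 10.5 together, not CPNI's own tooling: it takes a rule register in which every allow rule carries a named owner, a business reason and an expiry date, emits a default-deny nftables ruleset in the inet family (so the same table filters IPv4 and IPv6), leaves out rules whose need has expired, and compares the rules found on a device against that standard to surface undocumented deviations. The register format, field names, addresses and rules are constructed for the example, and the comparison assumes rules are compared as exact nftables text.

```python
"""Build a default-deny nftables ruleset from a documented rule register
and report deviations from it.

Added illustration for CPNI critical control 10, not CPNI's own tooling.
The register format, the field names (owner, reason, expires) and every
address and rule below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

TODAY = date(2025, 1, 15)  # constructed review date


@dataclass(frozen=True)
class Rule:
    chain: str      # "input", "forward" or "output"
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    net: str        # CIDR: source for input/forward, destination for output
    owner: str      # named individual responsible for the need (10.4)
    reason: str     # documented business reason (10.4)
    expires: date   # expected duration of the need (10.4)


# Constructed sample register; the last entry is a temporary exception
# that has expired and must not reach the live ruleset.
REGISTER = [
    Rule("input", "tcp", 22, "10.20.0.0/24", "n.ops", "admin SSH from mgmt net", date(2099, 1, 1)),
    Rule("forward", "tcp", 443, "10.0.0.0/8", "a.smith", "clients to DMZ web", date(2099, 1, 1)),
    Rule("forward", "tcp", 443, "2001:db8:10::/48", "a.smith", "IPv6 clients to DMZ web", date(2099, 1, 1)),
    Rule("output", "udp", 53, "10.20.0.53/32", "n.ops", "resolver for the device itself", date(2099, 1, 1)),
    Rule("forward", "tcp", 3389, "10.5.5.5/32", "j.doe", "temporary vendor RDP", date(2024, 3, 31)),
]

# Lines every chain needs regardless of the register. The icmpv6 lines are
# the 10.5 caveat: a default-deny inet table also drops IPv6 neighbour
# discovery unless it is allowed explicitly, which silently breaks IPv6.
ND = "icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
BASE = {
    "input": ['iif "lo" accept', "ct state established,related accept", ND],
    "forward": ["ct state established,related accept"],
    "output": ['oif "lo" accept', "ct state established,related accept", ND],
}


def split_register(register, today):
    """Return (active, expired) rules relative to `today`."""
    active = [r for r in register if r.expires >= today]
    expired = [r for r in register if r.expires < today]
    return active, expired


def rule_to_nft(rule):
    """Render one register entry as an nftables rule; the address family
    is taken from the CIDR so IPv4 and IPv6 entries land in one table."""
    net = ip_network(rule.net)
    family = "ip" if net.version == 4 else "ip6"
    addr = "daddr" if rule.chain == "output" else "saddr"
    return (f"{family} {addr} {net} {rule.proto} dport {rule.port} accept "
            f'comment "{rule.owner} until {rule.expires}"')


def render_ruleset(register, today):
    """Emit a complete inet table with policy drop on every chain (10.2).
    Returns (ruleset text, expired rules that were excluded)."""
    active, expired = split_register(register, today)
    lines = ["table inet filter {"]
    for chain in ("input", "forward", "output"):
        lines.append(f"    chain {chain} {{")
        lines.append(f"        type filter hook {chain} priority 0; policy drop;")
        lines.extend(f"        {line}" for line in BASE[chain])
        lines.extend(f"        {rule_to_nft(r)}" for r in active if r.chain == chain)
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines), expired


def deviations(running_rules, register, today):
    """Compare the accept rules found on a device against the standard
    derived from the register (10.1). Returns (undocumented, missing)."""
    expected = {rule_to_nft(r) for r in split_register(register, today)[0]}
    running = set(running_rules)
    return sorted(running - expected), sorted(expected - running)


if __name__ == "__main__":
    text, expired = render_ruleset(REGISTER, TODAY)
    print(text)
    for r in expired:
        print(f"# REMOVE expired exception: {r.owner} {r.reason} (expired {r.expires})")
    # Constructed 'running config' carrying one rule nobody documented.
    running = [rule_to_nft(r) for r in REGISTER[:2]] + ["ip saddr 0.0.0.0/0 tcp dport 23 accept"]
    undocumented, missing = deviations(running, REGISTER, TODAY)
    print("undocumented:", undocumented)
    print("missing:", missing)
```

Running the script on the constructed register prints the ruleset, flags the expired RDP exception for removal, and reports the undocumented Telnet rule as a deviation from the standard; run quarterly against `nft list ruleset` output, the same check gives the 10.4 review a concrete worklist.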
10.6 - Configuration/Hygiene: Network devices should be managed using two-factor authentication and encrypted sessions (for example SSH or HTTPS, never Telnet or plain HTTP). Only true two-factor authentication mechanisms should be used, such as a password and a hardware token, or a password and a biometric device. Requiring two different passwords for accessing a system is not two-factor authentication.
10.7 - Configuration/Hygiene: The latest stable version of a network device’s network operating system (for example Cisco IOS) or firmware must be installed within 30 days of the update being released by the device vendor.
10.8 - Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
View CPNI advice and guidance on how to implement, automate and measure the effectiveness of this control.