Network infrastructure devices do not create or store data. This document provides standards for management access and configuration of the network infrastructure hardware that transports data and adjacent systems that may be employed in support of that infrastructure.
This general guide is based on the Some benchmarks have been generalized to allow for differences between hardware platforms and software versions. An effort was made to look at multiple platforms from the CIS-benchmarks to include some coverage of the differences between platforms as well. DCL 4 infrastructure has some referenced Required settings, but the definitive resource for that configuration should be the DCL 4 and PCI Guidelines. Products that no longer receive security updates from the vendor are not authorized for use on UM networks.
|
Network Device Hardening Standard |
DCL |
|---|---|
| 1.1 Authentication | Ìý |
| 1.1.1ÌýUse Radius/TACACS+/LDAP for centralized administrative user authentication. |
Level 1-4 Recommended |
| Ìý | Ìý |
| 1.2 Management Access | Ìý |
| 1.2.1 Use encrypted mechanisms for management access (ssh/https) | Level 1-4 Required |
| 1.2.1.1ÌýUse SSH2 for ssh and TLS>=1.2 for https | Level 1-4 Recommended |
| 1.2.1.2ÌýUse a modulus >= 2048 for ssh key | Level 1-3ÌýRecommended;Ìý Level 4 Required |
| 1.2.2ÌýSet idle timeout of 10 minutes or less | Level 1-4 Recommended |
| 1.2.3ÌýSet access-list to restrict management access | Level 1-4 Recommended |
| 1.2.4ÌýRequire Use of jump system for access | Level 4 Required |
| Ìý | Ìý |
| 1.3 Banner | Ìý |
| 1.3.1 Set an appropriate/consistent system banner | Level 1-4 Recommended |
| Ìý | Ìý |
| 1.4 Passwords | Ìý |
| 1.4.1ÌýUse secure encryption for local usernames/passwords stored within local config | Level 1-4 Required |
| Ìý | Ìý |
| 1.5 SNMP | Ìý |
| 1.5.1ÌýDisable SNMP when unused | Level 1-4 Recommended |
| 1.5.2ÌýDisable default communities | Level 1-4 Required |
| 1.5.3ÌýDo not use RW communities | Level 1-3ÌýRecommended;Ìý Level 4 Required |
| 1.5.4ÌýPrefer use of SNMPv3 | Level 1-4 Recommended |
| 1.5.5ÌýSet an ACL for SNMP Access | Level 1-4 Recommended |
| Ìý | Ìý |
| 2.1 General Settings | Ìý |
| 2.1.1ÌýDisable unnecessary services/features | Level 1-4 Recommended |
| Ìý | Ìý |
| 2.2 Logging | Ìý |
| 2.2.1ÌýSet a centralized logging host | Level 1-4 Recommended |
| 2.2.2ÌýÌýEnsure device logins and configuration changes are logged | Level 1-4 Recommended |
| Ìý | Ìý |
| 2.3 NTP | Ìý |
| 2.3.1ÌýUtilize University NTP servers for time synch | Level 1-4 Recommended |
| Ìý | Ìý |
| 2.4 Source Interfaces | Ìý |
| 2.4.1ÌýIf multiple interfaces, source logs/ntp/tftp from Management vrf or Loopback | Level 1-4 Recommended |
| Ìý | Ìý |
| 3.1 Network Operations | Ìý |
| 3.1.1ÌýDisable source-routing | Level 1-4 Recommended |
| 3.1.2ÌýDisable proxy arp | Level 1-4 Recommended |
| 3.1.3ÌýUse authentication on routing protocols | Level 1-4 Recommended |
| 3.1.4ÌýUse ACLs to protect exposed external interfaces | Level 1-4 Recommended |
| 3.1.5ÌýUse DHCP Snooping | Level 1-4 Recommended |
| 3.1.6ÌýBackup configurations to a central repository | Level 1-4 Recommended |
Reviewed 2023-06-12