Network infrastructure devices do not create or store data. This document provides standards for management access and configuration of the network infrastructure hardware that transports data and adjacent systems that may be employed in support of that infrastructure.
This general guide is based on the Some benchmarks have been generalized to allow for differences between hardware platforms and software versions. An effort was made to look at multiple platforms from the CIS-benchmarks to include some coverage of the differences between platforms as well. DCL 4 infrastructure has some referenced Required settings, but the definitive resource for that configuration should be the DCL 4 and PCI Guidelines. Products that no longer receive security updates from the vendor are not authorized for use on UM networks.
Network Device Hardening Standard |
DCL |
---|---|
1.1 Authentication | |
1.1.1 Use Radius/TACACS+/LDAP for centralized administrative user authentication. |
Level 1-4 Recommended |
1.2 Management Access | |
1.2.1 Use encrypted mechanisms for management access (ssh/https) | Level 1-4 Required |
1.2.1.1 Use SSH2 for ssh and TLS>=1.2 for https | Level 1-4 Recommended |
1.2.1.2 Use a modulus >= 2048 for ssh key | Level 1-3 Recommended; Level 4 Required |
1.2.2 Set idle timeout of 10 minutes or less | Level 1-4 Recommended |
1.2.3 Set access-list to restrict management access | Level 1-4 Recommended |
1.2.4 Require Use of jump system for access | Level 4 Required |
1.3 Banner | |
1.3.1 Set an appropriate/consistent system banner | Level 1-4 Recommended |
1.4 Passwords | |
1.4.1 Use secure encryption for local usernames/passwords stored within local config | Level 1-4 Required |
1.5 SNMP | |
1.5.1 Disable SNMP when unused | Level 1-4 Recommended |
1.5.2 Disable default communities | Level 1-4 Required |
1.5.3 Do not use RW communities | Level 1-3 Recommended; Level 4 Required |
1.5.4 Prefer use of SNMPv3 | Level 1-4 Recommended |
1.5.5 Set an ACL for SNMP Access | Level 1-4 Recommended |
2.1 General Settings | |
2.1.1 Disable unnecessary services/features | Level 1-4 Recommended |
2.2 Logging | |
2.2.1 Set a centralized logging host | Level 1-4 Recommended |
2.2.2 Ensure device logins and configuration changes are logged | Level 1-4 Recommended |
2.3 NTP | |
2.3.1 Utilize Å·ÃÀ¿Ú±¬ÊÓƵ NTP servers for time synch | Level 1-4 Recommended |
2.4 Source Interfaces | |
2.4.1 If multiple interfaces, source logs/ntp/tftp from Management vrf or Loopback | Level 1-4 Recommended |
3.1 Network Operations | |
3.1.1 Disable source-routing | Level 1-4 Recommended |
3.1.2 Disable proxy arp | Level 1-4 Recommended |
3.1.3 Use authentication on routing protocols | Level 1-4 Recommended |
3.1.4 Use ACLs to protect exposed external interfaces | Level 1-4 Recommended |
3.1.5 Use DHCP Snooping | Level 1-4 Recommended |
3.1.6 Backup configurations to a central repository | Level 1-4 Recommended |
Reviewed 2023-06-12