Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

20 Critical Security Controls

How do attackers exploit the lack of this control?

Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, the exceptions are deployed, and those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is never properly analyzed, nor is this risk measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. Attackers have exploited flaws in these network devices to gain access to target networks, redirect traffic on a network (to a malicious system masquerading as a trusted system), and to intercept and alter information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an agency change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
  2. QW: At network interconnection points, such as Internet gateways, inter-agency connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with a documented business need. All other ports and protocols besides those with an explicit need should be blocked with default-deny rules by firewalls, network-based IPSs, and/or routers.
  3. QW: Network devices that filter unneeded services or block attacks (including firewalls, network-based Intrusion Prevention Systems, routers with access control lists, etc.) should be tested under laboratory conditions with each given organization's configuration to ensure that these devices exhibit failure behavior in a closed/blocking fashion under significant loads with traffic including a mixture of legitimate, allowed traffic for that configuration intermixed with attacks at line speeds.
  4. Config/Hygiene: All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPSs, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.
  5. Config/Hygiene: Network filtering technologies employed between networks with different security levels (firewalls, network-based IPS tools, and routers with ACLs) should be deployed with capabilities to filter IPv6 traffic. Even if IPv6 is not explicitly used on the network, many operating systems today ship with IPv6 support activated, and therefore filtering technologies need to take it into account.
  6. Config/Hygiene: Network devices should be managed using two-factor authentication and encrypted sessions. Only true two-factor authentication mechanisms should be used, such as a password and a hardware token, or a password and biometric device. Requiring two different passwords for accessing a system is not two-factor authentication.
  7. Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or preferably relying on entirely different physical connectivity for management sessions for network devices.
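The following is an added example, not SANS or vendor code, showing how the rule-set requirements in items 2, 4 and 5 can be checked automatically. It assumes a constructed, IOS-like ACL in which every permit carries the documented business need as a trailing comment tag (a convention invented for this example): `! reason=<text> owner=<name> expires=<YYYY-MM-DD>`.

```python
# Added example (not SANS or vendor code): hygiene checks over a constructed,
# IOS-like ACL. Each permit is assumed to carry this example's own tag convention
# after '!': reason=<text> owner=<name> expires=<YYYY-MM-DD>
import re
from datetime import date

TAG_RE = re.compile(r"(\w+)=(\S+)")
SAMPLE_ACL = """\
permit tcp any host 203.0.113.10 eq 443 ! reason=public-web owner=jdoe expires=2030-01-01
permit tcp any host 203.0.113.11 eq 22 ! reason=vendor-support owner=asmith expires=2012-06-30
permit udp any any eq 53
deny ip any any
"""

def parse_rules(text):
    """Split each line into the rule body and the key=value tags after '!'."""
    rules = []
    for line in text.splitlines():
        body, _, comment = line.partition("!")
        if body.strip():  # skip blank and comment-only lines
            rules.append({"text": body.strip(), "action": body.split()[0],
                          "tags": dict(TAG_RE.findall(comment))})
    return rules

def check_ruleset(text, today_iso, review_days=90):
    """Return (severity, message) findings: no final default-deny (item 2),
    undocumented, expired or review-due exceptions (item 4), no IPv6 rules (item 5)."""
    today, rules, findings = date.fromisoformat(today_iso), parse_rules(text), []
    if not rules or rules[-1]["text"] != "deny ip any any":
        findings.append(("high", "rule set does not end with an explicit default-deny"))
    for r in rules:
        if r["action"] != "permit":
            continue
        t = r["tags"]
        missing = [k for k in ("reason", "owner", "expires") if k not in t]
        if missing:
            findings.append(("medium", f"undocumented permit (missing {', '.join(missing)}): {r['text']}"))
            continue
        expires = date.fromisoformat(t["expires"])
        if expires < today:
            findings.append(("high", f"expired rule, remove: {r['text']} (owner {t['owner']})"))
        elif (expires - today).days <= review_days:
            findings.append(("low", f"rule due for quarterly review: {r['text']}"))
    # Simplification: real devices keep IPv6 filters in a separate ipv6 access-list.
    if not any("ipv6" in r["text"] for r in rules):
        findings.append(("medium", "no IPv6 filtering rules present"))
    return findings
```

Run against the sample with today's date set to 2012-07-01, it reports the expired vendor-support rule for removal, the untagged DNS permit as undocumented, and the missing IPv6 filtering.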

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9

Procedures and tools for implementing and automating this control:

Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether the rules are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or ACLs that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.
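As an added illustration of the kind of consistency check such tools perform (this is not any commercial product's logic), the following finds rules in an ordered, first-match rule set that can never fire because an earlier rule already covers every packet they describe. The rules are constructed five-field tuples; address and port ranges are not modelled, which is this example's simplification.

```python
# Added example (not a commercial tool's logic): find rules in an ordered,
# first-match rule set that can never fire because an earlier rule already
# covers every packet they describe. Rules are constructed 'action proto src dst
# dport' tuples; 'any'/'ip' match everything and address or port ranges are not
# modelled, which is this example's simplification.
FIELDS = ("action", "proto", "src", "dst", "dport")

def parse_rule(line):
    """'permit tcp any 203.0.113.10 443' -> dict; missing trailing fields mean any."""
    parts = line.split() + ["any"] * (len(FIELDS) - len(line.split()))
    rule = dict(zip(FIELDS, parts))
    if rule["proto"] == "ip":
        rule["proto"] = "any"
    return rule

def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return all(broad[f] in ("any", narrow[f]) for f in FIELDS[1:])

def find_shadowed(lines):
    """Return (rule_index, shadowing_index, kind) for each unreachable rule.
    kind is 'redundant' when both rules take the same action and 'conflict'
    when the earlier rule silently overrides the later one's intent."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "redundant" if rules[i]["action"] == later["action"] else "conflict"
                findings.append((j, i, kind))
                break
    return findings

# Constructed sample: the default deny was inserted too early in the list.
SAMPLE_RULES = [
    "permit tcp any 203.0.113.10 443",
    "deny ip any any",
    "permit tcp any 203.0.113.11 22",   # unreachable: conflicts with the deny above
    "permit tcp any 203.0.113.10 443",  # unreachable: duplicate of the first rule
]
```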

Control 4 Metric:

The system must be capable of identifying any changes to network devices including routers, switches, firewalls, IDS and IPS systems. These changes include any modifications to key files, services, ports, configuration files or any software installed on the device. Modifications include deletions, changes or additions of new software to any part of the device configuration. The configuration of each system must be checked against the official master image database to verify any changes to secure configurations that would impact security. This includes both operating system and configuration files. Any of these changes to a device must be detected within 24 hours and notification performed by alerting or sending email notification to a list of enterprise personnel. If possible, devices must prevent changes to the system and send an e-mail indicating the change was not successful. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until it is investigated and/or remediated.

Control 4 Test:

To evaluate the implementation of Control 4 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included. Backups must be made prior to making any changes to critical network devices. It is critical that changes do not impact or weaken the security of the device. Acceptable changes include but are not limited to making a comment or adding a duplicate entry in the configuration. The change must be performed twice for each critical device. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the device within 24 hours. It is important that the evaluation team verify that all unauthorized changes have been detected and have resulted in an alert or e-mail notification. The evaluation team must verify that the system provides details of the location of each device, including information about the asset owner. While the 24-hour timeframe represents the current metric to help organizations improve their current state of security, in the future, organizations should strive for even more rapid alerting and isolation, with notification about unauthorized configuration changes in network devices being sent within two minutes.
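The following added example (not SANS code) shows one way to implement the detection the Control 4 Metric calls for and to check the benign changes the Control 4 Test uses: it compares a device's current configuration against its approved master copy while ignoring volatile lines, keeps duplicate lines so that a duplicated entry is still reported, and evaluates the 24-hour detection window and repeat-alert cadence. Both configurations are constructed samples.

```python
# Added example (not SANS code): change detection for the Control 4 metric and
# test. Compares a device's current configuration with its approved master copy,
# ignoring volatile lines, and checks the 24-hour detection and re-alert cadence.
# Both configurations are constructed samples.
import hashlib
from collections import Counter
from datetime import datetime, timedelta

MASTER_CONFIG = """\
hostname edge-rtr-1
! Last configuration change at 10:02:11 UTC Mon Jan 2 2012
ntp clock-period 17179869
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group EDGE-IN in
line vty 0 4
 transport input ssh
"""
# Lines that change on every save without any real configuration change.
VOLATILE_PREFIXES = ("! Last configuration change", "ntp clock-period")

def normalize(text):
    """Drop blank and volatile lines but keep duplicates: the Control 4 test
    uses a duplicated entry as a benign change and it must still be detected."""
    return [l.rstrip() for l in text.splitlines()
            if l.strip() and not l.startswith(VOLATILE_PREFIXES)]

def fingerprint(text):
    """Hash of the normalized config, the value to store in the master image DB."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()

def config_diff(master, current):
    """Return (added, removed) lines, counted as multisets so that a second
    copy of an existing line shows up as an addition."""
    before, after = Counter(normalize(master)), Counter(normalize(current))
    return sorted((after - before).elements()), sorted((before - after).elements())

def alert_schedule(changed_iso, detected_iso, remediated_iso, sla_hours=24):
    """Was the change detected within the metric's window, and when are the
    repeat alerts due (every 24 hours after detection until remediation)?"""
    changed, detected, remediated = map(datetime.fromisoformat,
                                        (changed_iso, detected_iso, remediated_iso))
    sla = timedelta(hours=sla_hours)
    alerts, t = [], detected
    while t < remediated:
        alerts.append(t.isoformat())
        t += sla
    return detected - changed <= sla, alerts
```

A plain text or set-based diff would miss the duplicated-entry case, which is why the multiset comparison is used here.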

If appropriate, an additional test must be performed on a daily basis to ensure that other protocols, such as IPv6, are being properly filtered.
