6 Days Left to Save $200 on SANS South Florida 2015

Critical Security Control: 10

Critical Security Control: 10

Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical?

As delivered from manufacturers and resellers, the default configurations for network infrastructure devices are geared for ease-of-deployment and ease-of-use - not security. Open services and ports, default accounts (including service accounts) or passwords, support for older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in their default state.

Attackers take advantage of network devices becoming less securely configured over time as users demand exceptions for specific business needs. Sometimes the exceptions are deployed and then left undone when they are no longer applicable to the business needs. In some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need and can change over time. Attackers search for vulnerable default settings, electronic holes in firewalls, routers, and switches and use those to penetrate defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses a compromised machine to pose as another trusted system on the network.

How to Implement This Control

ID # Description Category
CSC 10-1 Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system. Quick win
CSC 10-2 All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. Configuration/Hygiene
CSC 10-3 Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be automatically reported to security personnel. Configuration/Hygiene
CSC 10-4 Manage network devices using two-factor authentication and encrypted sessions. Configuration/Hygiene
CSC 10-5 Install the latest stable version of any security-related updates. Configuration/Hygiene
CSC 10-6 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. Advanced

CSC 10 Procedures and Tools

Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and search for errors in rule sets or access controls lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.

CSC 10 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. How long does it take to detect configuration changes to a network system (time in minutes)?

2. How long does it take the scanners to alert the organization's administrators that an unauthorized configuration change has occurred (time in minutes)?

3. How long does it take to block/quarantine unauthorized changes on network systems (time in minutes)?

4. Are the scanners able to identify the location, department, and other critical details about the systems where unauthorized changes occurred (yes or no)?

CSC 10 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1. What is the percentage of network devices that are not currently configured with a security configuration that matches the organization's approved configuration standard (by business unit)?

2. What is the percentage of network devices whose security configuration is not enforced by the organization's technical configuration management applications (by business unit)?

3. What is the percentage of network devices that are not up to date with the latest available operating system software security patches (by business unit)?

4. What is the percentage of network devices do not require two-factor authentication to administer the device (by business unit)?

CSC 10 Effectiveness Test

To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included. Backups must be made prior to making any changes to critical network devices. It is critical that changes not impact or weaken the security of the device. Acceptable changes include but are not limited to making a comment or adding a duplicate entry in the configuration. The change must be performed twice for each critical device. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the device within 24 hours. It is important that the evaluation team verify that all unauthorized changes have been detected, the account making the changes has been recorded, and the changes have resulted in an alert or e-mail notification. The evaluation team must verify that the system provides details of the location of each device, including information about the asset owner. While the 24-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting and isolation, with notification about unauthorized configuration changes in network devices sent within two minutes.

If appropriate, an additional test must be performed on a daily basis to ensure that other protocols such as IPv6 are being filtered properly.

CSC 10 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case we are examining the network devices, test lab network devices, configuration systems, and configuration management devices. The following list of the steps in the diagram above shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Hardened device configurations applied to production devices

Step 2: Hardened device configuration stored in a secure configuration management system

Step 3: Management network system validates configurations on production network devices

Step 4: Patch management system applies tested software updates to production network devices

Step 5: Two-factor authentication system required for administrative access to production devices

Step 6: Proxy/firewall/network monitoring systems analyze all connections to production network devices.

Creative Commons - Attribution-NoDerivs 3.0 Unported (CC BY-ND 3.0)

This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.