ch03lev1sec4.html

Device Security Checklist

A security checklist is an important document containing a summary of various guidelines and instructions for secure implementations. Device security checklists can be viewed as templates for device lockdown and security implementation guidelines. You can use the following checklist as a quick summary and working guide to the device security configuration topics discussed in this chapter.

check mark Device security policy written, approved, distributed, and reviewed on regular basis.
Facilities (room, building, area) housing the devices secured—physical security.
Password policies to ensure that good passwords are created that cannot be easily guessed or hacked.
Password encryption used so that passwords are not visible when device configuration is viewed.
check mark Access methods such as Console, VTY, AUX using ACLs, and authentication mechanisms secured.
Access methods such as SSH with AAA authentication chosen wisely.
Unneeded services and protocols to be disabled.
Unused interfaces shut down or disabled.
Configuration hardened for network services and protocols in use (for example, HTTP and SNMP).
check mark Port and protocol needs of the network and use access lists to limit traffic flow identified.
Access list for anti-spoofing and infrastructure protection and for blocking reserved and private addresses considered.
Routing protocols established that use authentication mechanisms for integrity.
check mark Appropriate logging enabled with proper time information.
Device's time of day set accurately, maintained with NTP.

	Device security policy written, approved, distributed, and reviewed on regular basis.
	Facilities (room, building, area) housing the devices secured—physical security.
	Password policies to ensure that good passwords are created that cannot be easily guessed or hacked.
	Password encryption used so that passwords are not visible when device configuration is viewed.
	Access methods such as Console, VTY, AUX using ACLs, and authentication mechanisms secured.
	Access methods such as SSH with AAA authentication chosen wisely.
	Unneeded services and protocols to be disabled.
	Unused interfaces shut down or disabled.
	Configuration hardened for network services and protocols in use (for example, HTTP and SNMP).
	Port and protocol needs of the network and use access lists to limit traffic flow identified.
	Access list for anti-spoofing and infrastructure protection and for blocking reserved and private addresses considered.
	Routing protocols established that use authentication mechanisms for integrity.
	Appropriate logging enabled with proper time information.
	Device's time of day set accurately, maintained with NTP.