Sunday, June 22, 2014

RYSS - Router Security Policy 2009


Router Security Policy

Revised: 06/30/2009

1. Purpose.

This document describes the minimum required security configuration for all Routers and switches connected to the TCCC-RYSS Information Technology Network or used in a production capacity on behalf of the TCCC-RYSS.

2. Scope.

All Network infrastructure devices connected to the TCCC-RYSS Information Technology Network are subject to this policy.

3. Policy.

Every Router must meet the following configuration standards:

1. The Router must have no local user accounts configured. Routers must use the Terminal Access Controller Access-Control System Plus (TACACS+) Protocol for User Authentication.

2. The “enable” and “secret” passwords on the Router must be stored in a secure, encrypted form. The Router must have the “enable” and “secret” passwords set to the current production Router passwords provided by the Information Technology Services department.

3. The following are prohibited:

a. IP directed broadcasts

b. Incoming packets at the Router sourced from invalid addresses (e.g. RFC1918 private addresses)

c. TCP small Services

d. UDP small Services

e. All source Routing

f. All web Services running on Router

4. TCCC-RYSS standardized Simple Network Management Protocol (SNMP) community strings must be used.

5. Information Technology Services has the authority to add, and will add, rules to the Access Control List as business needs arise.

6. The Router must be included in the TCCC-RYSS Security Management System with a designated point of contact.

7. Each Router must have the following statement posted in clear view:

"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. Users must have explicit permission from TCCC-RYSS’s Information Security to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, including expulsion from the TCCC-RYSS (if a student) or termination of employment (if an employee), and may be reported to law enforcement. Authorized Users who utilize this device have no right to privacy."
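The seven standards above map directly onto a handful of Cisco IOS configuration lines, and the usual way to enforce such a policy is to audit each device's saved running-config against them. The script below is an added example, not part of the 2009 policy or of any TCCC-RYSS tooling: it checks a running-config text for items 1 through 7. The two sample configurations, the standardized community name RYSS-STD-RO, the TACACS+ server address, key and password hash are all constructed placeholders, and the checks assume IOS command syntax.

```python
"""Audit a saved Cisco IOS running-config against the router standards above (added example)."""
import re
from typing import Dict, List

STANDARD_COMMUNITIES = {"RYSS-STD-RO"}  # constructed placeholder for the org's strings
RFC1918_WILDCARDS = {"10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255",
                     "192.168.0.0 0.0.255.255"}  # IOS wildcard-mask form
# IOS omits default settings from running-config: prohibited features are found by
# their enabling command; a 'no ...' line is required only where the feature is on
# by default (source routing). 'enable password' is reversible even with type 7.
PROHIBITED = ((r"service tcp-small-servers$", "TCP small servers enabled"),
              (r"service udp-small-servers$", "UDP small servers enabled"),
              (r"ip http (secure-)?server$", "web server enabled on router"),
              (r"enable password ", "reversible enable password present; use enable secret"))
REQUIRED = ((r"aaa new-model$", "aaa new-model missing (AAA disabled)"),
            (r"aaa authentication login \S+ group tacacs\+", "login authentication does not use TACACS+"),
            (r"enable secret ", "enable secret not set"),
            (r"no ip source-route$", "IP source routing not disabled"),
            (r"banner (motd|login) ", "login banner missing"))

# Constructed non-compliant sample: violates items 1, 2, 3a-3f, 4 and 7.
NONCOMPLIANT_CONFIG = """\
service tcp-small-servers
service udp-small-servers
enable password cisco123
username admin password 0 letmein
ip http server
interface FastEthernet0/0
 ip directed-broadcast
snmp-server community public RO
"""

# Constructed compliant sample (server address, key and hash are dummies).
COMPLIANT_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.0.2.10 key PLACEHOLDER-KEY
enable secret 5 $1$PLACEHOLDER
no ip source-route
no ip http server
interface FastEthernet0/0
 ip access-group INGRESS-FILTER in
ip access-list extended INGRESS-FILTER
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
snmp-server community RYSS-STD-RO RO
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
^C
"""


def _interface_blocks(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
            blocks[current] = []
        elif current and ln.startswith(" "):
            blocks[current].append(ln.strip())
        else:
            current = None
    return blocks


def check_config(config: str) -> List[str]:
    """Return one finding per violated standard; an empty list means compliant."""
    top = [ln.rstrip() for ln in config.splitlines() if ln and not ln[0].isspace()]

    def has(pattern: str) -> bool:  # some global-level line matches the pattern
        return any(re.match(pattern, ln) for ln in top)

    findings: List[str] = []
    findings += [f"local user account configured: {ln.split()[1]}"  # item 1
                 for ln in top if ln.startswith("username ")]
    findings += [msg for pat, msg in PROHIBITED if has(pat)]  # items 2, 3c, 3d, 3f
    findings += [msg for pat, msg in REQUIRED if not has(pat)]  # items 1, 2, 3e, 7
    for iface, cmds in _interface_blocks(config).items():  # item 3a
        if "ip directed-broadcast" in cmds:
            findings.append(f"{iface}: ip directed-broadcast enabled")
    # Item 3b: an ACL denying every RFC1918 source range, applied inbound somewhere.
    denied = {m.group(1) for m in (re.match(r"\s*deny ip (\S+ \S+) any$", ln)
                                   for ln in config.splitlines()) if m}
    applied = any(c.startswith("ip access-group ") and c.endswith(" in")
                  for cmds in _interface_blocks(config).values() for c in cmds)
    if not (RFC1918_WILDCARDS <= denied and applied):
        findings.append("no inbound ACL denying all RFC1918 source ranges")
    for ln in top:  # item 4
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1) not in STANDARD_COMMUNITIES:
            findings.append(f"non-standard SNMP community: {m.group(1)}")
    if has(r"banner (motd|login) ") and "UNAUTHORIZED ACCESS" not in config:  # item 7
        findings.append("banner text lacks the required unauthorized-access notice")
    return findings


if __name__ == "__main__":
    for name, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(name, check_config(cfg) or "OK")
```

Two design points worth noting. Because IOS leaves default settings out of the running-config, the prohibited items are detected by the presence of their enabling command rather than by the absence of a `no` line; source routing is the exception, since it is on by default and only `no ip source-route` proves it was turned off. The compliant sample uses `enable` as the fallback authentication method after `group tacacs+`, so a device whose TACACS+ servers are unreachable can still be reached with the enable secret without creating the local user accounts that item 1 forbids.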

4. Enforcement.

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User and, as such, is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.