7/30/2019 Assessment Checklist.xlsx

Checklist

Assessment Area / Assessment Technique

People

Does the password policy require strong passwords and periodic changes?
  Review the password policy for password complexity requirements, password history, and password change frequency.

Are secure management protocols required by policy?
  Infrastructure device policies should prohibit management access without using encrypted protocols such as SSH and HTTPS.

Is least privilege access required for access to infrastructure devices?
  The policy should require that least privilege access be granted for all network users and administrators.

Is a change management policy in place?
  Review the change management policy.

Is a wireless access policy in place to forbid unapproved and/or user-installed wireless devices?
  Wireless access should have a dedicated policy prohibiting unauthorized installation of wireless devices by employees, as this represents a significant risk.

Are policies and standards used when configuring network devices?
  Inspect policies and standards for configuration of network devices to determine whether they are followed.
Process

Are all key computing assets identified and documented?
  Review documentation to determine the location of servers, databases, and other critical systems.

Is there sufficient network documentation to identify physical and logical configurations of devices?
  Review physical and logical documentation for completeness. Determine how often it is updated and review update procedures.

Has a traffic flow analysis been conducted?
  Look for evidence that administrators have conducted a traffic flow analysis to determine what protocols are used on the network.

Are administrator accounts unique and assigned to a single individual?
  All administrator accounts used to connect to network infrastructure devices should be unique for the purposes of auditing and nonrepudiation.

Is configuration management and change control conducted?
  Configuration backups should be made of all network devices and kept electronically in a secure manner, and a hard copy stored in a safe if possible. All configuration changes should be reviewed with a formal approval process and rollback mechanism.

Is there a process in place to review product security advisories?
  Interview staff and determine the procedures used to identify new vulnerabilities in network devices. Staff should subscribe to PSIRT reports.

Are vulnerability scans conducted on network devices?
  The organization should conduct periodic vulnerability scans of network devices and have a software version inventory to quickly determine whether vulnerable software is installed on infrastructure devices.

Is a network disaster recovery plan in place?
  Review the disaster recovery plan for good practices.

Are logs stored in a central repository and reviewed on a regular basis for security issues?
  All infrastructure device logs should be stored in a central database that enables easy searching and review of security and operational events.

Is wireless device management and monitoring conducted?
  Wireless management should be in place to address wireless-specific security issues, such as denial of service, hacking, rogue APs, and RF spectrum problems. Wireless should be monitored on a regular basis to quickly resolve security problems.
Technology

General Network Device Security

Management Plane

Are unused management ports (aux, console, and vty) disabled?
  Unused management ports should be disabled to prevent physical access to the configuration if they are not used for management. At a minimum, all ports should require authentication.

Are management login best practices followed?
  Ensure that failed login attempts are limited, the maximum number of concurrent sessions is limited, idle timeouts are enforced, and all commands entered are logged.

Are there access control mechanisms in place to prevent connectivity to management ports from unauthorized subnets?
  Review documentation and configuration to determine whether access lists are properly applied to management interfaces.

Are network device terminal and management ports not in use disabled?
  Review all terminal and management ports for use.

Are secure access protocols such as SSH or HTTPS being used prior to device access?
  Review configuration for management access methods.

Are secure passwords required for all network devices?
  Review the password policy and inspect it against the actual configuration.

Are local login accounts on network devices used for fallback access only?
  Network devices should be configured to use local authentication only in the event of a failure to reach an AAA server. If the network is small (fewer than five devices), then local authentication can be used, but each user must have his own credentials.

Are network device passwords in configurations secured with encryption?
  Review configurations for service password encryption.

Is AAA utilized with unique logins and least privilege principles applied to all network device access?
  Review configurations to determine authentication methods for network devices.

Are logging and accounting enabled for network devices to track users and system state?
  Ensure that logging is enabled and there is reporting to a central logging system. Identify how often logs are reviewed.

Are legal banners in place and presented before login attempts?
  Inspect configurations for appropriate legal notification.

Is SNMP configured in a secure manner?
  Review configurations to determine whether default settings are removed and secure practices are followed for using SNMP.

Is syslog configured for network device reporting and is it archived?
  Syslog should be configured to report to a central syslog server and record device status, logins, management activities, and other pertinent security information.

Is NTP configured for all network devices in the organization?
  Review configurations to determine whether NTP is enabled along with appropriate authentication.
Control Plane

Are unused IOS services disabled as outlined in hardening best practices?
  Inspect configurations to ensure that services disabled by default have not been re-enabled.

Is routing protocol peering configured for authentication and encryption?
  Review configuration for routing protocol passwords and that MD5 hashing is used to encrypt updates.

Is Control Plane Policing enabled to protect the IOS device from DoS attacks?
  Review configurations to identify the control plane protection mechanisms in place.

Are iACLs deployed to reduce the risk of spoofing and prevent unapproved control plane traffic from being received by the IOS device?
  Review configuration for iACLs and check the access lists to ensure effectiveness.

Is NetFlow configured to improve network visibility?
  NetFlow should be configured where appropriate to give insight into traffic patterns and protocol usage.
Data Plane

Are access lists configured to prevent unnecessary or prohibited network protocols and access?
  Access lists should be configured in accordance with approved traffic flow requirements. Prohibited network protocols and services should be blocked.

Is uRPF enabled to reduce spoofing of internal addresses?
  Review configurations for the presence of anti-spoofing access lists or technologies like uRPF.

Is Committed Access Rate and QoS flooding protection enabled to prevent DoS attacks?
  Committed Access Rate and QoS should be configured to prevent flooding attacks on the network.
Layer 2 Security

Is VTP protected with a password or disabled?
  VTP should be disabled if it is not used to manage switch VLANs. If configured, a VTP domain and password should be configured to prevent unauthorized modification of or access to VLANs.

Is port security configured to prevent MAC flooding attacks?
  Review configuration for port security features, minimizing the number of MAC addresses a switch port can learn. No more than three should be configured for a normal user port.

Is DHCP snooping enabled to protect DHCP servers?
  Review configuration for DHCP server protection through DHCP snooping.

Is dynamic ARP inspection enabled to prevent ARP poisoning attacks?
  Dynamic ARP inspection should be enabled to prevent ARP attacks that can be used to hijack user sessions.

Is IP Source Guard enabled to prevent IP address spoofing?
  IP Source Guard should be configured to prevent IP address spoofing on local VLANs.

Is dynamic trunking disabled on nontrunk ports?
  Inspect switch configurations to determine whether access ports are configured for no trunking.

Are spanning tree security best practices utilized?
  Inspect configuration for appropriate spanning tree protection features. BPDU Guard and Root Guard should be present.

Are VLAN ACLs used to enforce VLAN traffic policies?
  VACLs are present in switch configurations to provide policy control at the switch port or VLAN level. Review configurations for appropriate access control.

Are unused switch ports disabled and/or placed in a nonroutable VLAN?
  Review configuration to ensure unused ports are protected from unauthorized access.
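An added audit script, not part of the checklist or any vendor tool, that turns several Management Plane items (service password encryption, SSH-only vty access, central logging, authenticated NTP) and Layer 2 items (DHCP snooping, dynamic trunking disabled, port-security limit of three MAC addresses on access ports) into checks over an IOS-style running-config. The sample config and the exact command strings it matches are assumptions for illustration, not taken from a real device.

```python
import re
# Constructed sample running-config (not a real device); Gi0/2 and the vty line are deliberately weak.
SAMPLE_CONFIG = """\
service password-encryption
logging host 10.0.0.5
ip dhcp snooping
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security maximum 8
line vty 0 4
 transport input telnet ssh
"""
# Global commands the checklist expects, matched as line prefixes.
GLOBAL_REQUIRED = ["service password-encryption", "ntp authenticate",
                   "logging host", "ip dhcp snooping"]
MAX_MACS_PER_USER_PORT = 3  # checklist: no more than three on a normal user port
def parse_config(text):
    """Split config text into top-level commands and indented sub-blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and current is not None:
            blocks[current].append(line)  # command inside an interface/line block
        elif line.startswith(("interface ", "line ")):
            current, blocks[line] = line, []
        else:
            current = None
            top.append(line)
    return top, blocks

def audit(text):
    """Return checklist findings (strings) for the given config text."""
    top, blocks = parse_config(text)
    findings = [f"global: missing '{cmd}'" for cmd in GLOBAL_REQUIRED
                if not any(t.startswith(cmd) for t in top)]
    for name, cmds in blocks.items():
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: management access not limited to SSH")
        if "switchport mode access" in cmds:  # user-facing access port
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: dynamic trunking not disabled")
            limits = [int(m.group(1)) for c in cmds
                      if (m := re.match(r"switchport port-security maximum (\d+)", c))]
            if not limits or limits[0] > MAX_MACS_PER_USER_PORT:
                findings.append(f"{name}: port-security MAC limit missing or above {MAX_MACS_PER_USER_PORT}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the missing NTP authentication, the two weak settings on Gi0/2, and the vty line that still accepts Telnet.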
Wireless

Are WEP or WPA configured on any APs?
  Review the configuration to ensure that WEP and WPA pre-shared keys are not used for wireless networks.

Are wireless protection policies or wIPS enabled?
  If using a controller-based architecture, wireless protection policies should be enabled to prevent common wireless attacks. For higher security requirements and better visibility into wireless attacks, wIPS is recommended.

Are rogue AP detection features enabled?
  Rogue AP detection features should be enabled if available to automate detection and containment of unauthorized APs.

Are pre-shared keys used for encryption?
  Pre-shared keys for wireless are not recommended, but if used, they should follow good complexity requirements to increase the time needed for brute-force cracking. Just like passwords, these keys should also be changed on a regular basis.

Are weak encryption keys used?
  Audit the network for weak encryption keys.

Is 802.1x used for authentication?
  802.1x provides strong authentication and key management for wireless networks and is recommended for secure wireless connectivity.