Assessment Checklist.xlsx


7/30/2019 Assessment Checklist.xlsx

Checklist

Assessment Area / Assessment Technique

People

Assessment Area: Does the password policy require strong passwords and periodic changes?
Assessment Technique: Review the password policy for password complexity requirements, password history, and password change frequency.

Assessment Area: Are secure management protocols required by policy?
Assessment Technique: Infrastructure device policies should prohibit management access without using encrypted protocols such as SSH and HTTPS.

Assessment Area: Is least privilege access required for access to infrastructure devices?
Assessment Technique: The policy should require that least privilege access be granted for all network users and administrators.

Assessment Area: Is a change management policy in place?
Assessment Technique: Review the change management policy.

Assessment Area: Is a wireless access policy in place to forbid unapproved and/or user-installed wireless devices?
Assessment Technique: Wireless access should have a dedicated policy prohibiting unauthorized installation of wireless devices by employees, as this represents a significant risk.

Assessment Area: Are policies and standards used when configuring network devices?
Assessment Technique: Inspect policies and standards for configuration of network devices to determine whether they are followed.

Process

Assessment Area: Are all key computing assets identified and documented?
Assessment Technique: Review documentation to determine the location of servers, databases, and other critical systems.

Assessment Area: Is there sufficient network documentation to identify physical and logical configurations of devices?
Assessment Technique: Review physical and logical documentation for completeness. Determine how often it is updated and review update procedures.

Assessment Area: Has a traffic flow analysis been conducted?
Assessment Technique: Look for evidence that administrators have conducted a traffic flow analysis to determine what protocols are used on the network.


Assessment Area: Are administrator accounts unique and assigned to a single individual?
Assessment Technique: All administrator accounts used to connect to network infrastructure devices should be unique for the purposes of auditing and nonrepudiation.

Assessment Area: Is configuration management and change control conducted?
Assessment Technique: Configuration backups should be made of all network devices and kept electronically in a secure manner, with a hardcopy stored in a safe if possible. All configuration changes should be reviewed with a formal approval process and rollback mechanism.

Assessment Area: Is there a process in place to review product security advisories?
Assessment Technique: Interview staff and determine the procedures used to identify new vulnerabilities in network devices. Staff should subscribe to PSIRT reports.

Assessment Area: Are vulnerability scans conducted on network devices?
Assessment Technique: The organization should conduct periodic vulnerability scans of network devices and have a software version inventory to quickly determine whether vulnerable software is installed on infrastructure devices.

Assessment Area: Is a network disaster recovery plan in place?
Assessment Technique: Review the disaster recovery plan for good practices.

Assessment Area: Are logs stored in a central repository and reviewed on a regular basis for security issues?
Assessment Technique: All infrastructure device logs should be stored in a central database that enables easy searching and review of security and operational events.

Assessment Area: Is wireless device management and monitoring conducted?
Assessment Technique: Wireless management should be in place to address wireless-specific security issues, such as denial of service, hacking, rogue APs, and RF spectrum problems. Wireless should be monitored on a regular basis to quickly resolve security problems.

Technology

General Network Device Security


Management Plane

Assessment Area: Are unused management ports (aux, console, and vty) disabled?
Assessment Technique: Unused management ports should be disabled to prevent physical access to the configuration if they are not used for management. At a minimum, all ports should require authentication.

Assessment Area: Are management login best practices followed?
Assessment Technique: Ensure that failed login attempts are limited, the maximum number of concurrent sessions is limited, idle timeouts are enforced, and all commands entered are logged.

Assessment Area: Are there access control mechanisms in place to prevent connectivity to management ports from unauthorized subnets?
Assessment Technique: Review documentation and configuration to determine whether access lists are properly applied to management interfaces.

Assessment Area: Are network device terminal and management ports not in use disabled?
Assessment Technique: Review all terminal and management ports for use.

Assessment Area: Are secure access protocols such as SSH or HTTPS used for device access?
Assessment Technique: Review configuration for management access methods.

Assessment Area: Are secure passwords required for all network devices?
Assessment Technique: Review the password policy and inspect it against the actual configuration.

Assessment Area: Are local login accounts on network devices used for fallback access only?
Assessment Technique: Network devices should be configured to use local authentication only in the event of a failure to reach a AAA server. If the network is small (fewer than five devices), then local authentication can be used, but each user must have his or her own credentials.

Assessment Area: Are network device passwords in configurations secured with encryption?
Assessment Technique: Review configurations for service password encryption.

Assessment Area: Is AAA utilized, with unique logins and least privilege principles applied to all network device access?
Assessment Technique: Review configurations to determine authentication methods for network devices.


Assessment Area: Are logging and accounting enabled for network devices to track users and system state?
Assessment Technique: Ensure that logging is enabled and that there is reporting to a central logging system. Identify how often logs are reviewed.

Assessment Area: Are legal banners in place and presented before login attempts?
Assessment Technique: Inspect configurations for appropriate legal notification.

Assessment Area: Is SNMP configured in a secure manner?
Assessment Technique: Review configurations to determine whether default settings are removed and secure practices are followed for using SNMP.

Assessment Area: Is syslog configured for network device reporting, and is it archived?
Assessment Technique: Syslog should be configured to report to a central syslog server and record device status, logins, management activities, and other pertinent security information.

Assessment Area: Is NTP configured for all network devices in the organization?
Assessment Technique: Review configurations to determine whether NTP is enabled along with appropriate authentication.

Control Plane

Assessment Area: Are unused IOS services disabled as outlined in hardening best practices?
Assessment Technique: Inspect configurations to ensure that services disabled by default have not been re-enabled.

Assessment Area: Is routing protocol peering configured for authentication and encryption?
Assessment Technique: Review configuration for routing protocol passwords and check that MD5 hashing is used to authenticate updates.

Assessment Area: Is Control Plane Policing enabled to protect the IOS device from DoS attacks?
Assessment Technique: Review configurations to identify the control plane protection mechanisms in place.

Assessment Area: Are iACLs deployed to reduce the risk of spoofing and prevent unapproved control plane traffic from being received by the IOS device?
Assessment Technique: Review configuration for iACLs and check the access lists to ensure effectiveness.

Assessment Area: Is NetFlow configured to improve network visibility?
Assessment Technique: NetFlow should be configured where appropriate to give insight into traffic patterns and protocol usage.

Data Plane


Assessment Area: Are access lists configured to prevent unnecessary or prohibited network protocols and access?
Assessment Technique: Access lists should be configured in accordance with approved traffic flow requirements. Prohibited network protocols and services should be blocked.

Assessment Area: Is uRPF enabled to reduce spoofing of internal addresses?
Assessment Technique: Review configurations for the presence of anti-spoofing access lists or technologies like uRPF.

Assessment Area: Are Committed Access Rate and QoS flooding protection enabled to prevent DoS attacks?
Assessment Technique: Committed Access Rate and QoS should be configured to prevent flooding attacks on the network.

Layer 2 Security

Assessment Area: Is VTP protected with a password or disabled?
Assessment Technique: VTP should be disabled if it is not used to manage switch VLANs. If configured, a VTP domain and password should be configured to prevent unauthorized modification of or access to VLANs.

Assessment Area: Is port security configured to prevent MAC flooding attacks?
Assessment Technique: Review configuration for port security features that minimize the number of MAC addresses a switch port can learn. No more than three should be configured for a normal user port.

Assessment Area: Is DHCP snooping enabled to protect DHCP servers?
Assessment Technique: Review configuration for DHCP server protection through DHCP snooping.

Assessment Area: Is dynamic ARP inspection enabled to prevent ARP poisoning attacks?
Assessment Technique: Dynamic ARP inspection should be enabled to prevent ARP attacks that can be used to hijack user sessions.

Assessment Area: Is IP Source Guard enabled to prevent IP address spoofing?
Assessment Technique: IP Source Guard should be configured to prevent IP address spoofing on local VLANs.

Assessment Area: Is dynamic trunking disabled on nontrunk ports?
Assessment Technique: Inspect switch configurations to determine whether access ports are configured for no trunking.


Assessment Area: Are spanning tree security best practices utilized?
Assessment Technique: Inspect configuration for appropriate spanning tree protection features. BPDU Guard and Root Guard should be present.

Assessment Area: Are VLAN ACLs used to enforce VLAN traffic policies?
Assessment Technique: VACLs are present in switch configurations to provide policy control at the switch port or VLAN level. Review configurations for appropriate access control.

Assessment Area: Are unused switch ports disabled and/or placed in a nonroutable VLAN?
Assessment Technique: Review configuration to ensure unused ports are protected from unauthorized access.
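The Layer 2 items above are checked per interface rather than globally. As an added example (not from the checklist), this Python script audits a constructed switch config for DHCP snooping, dynamic ARP inspection and BPDU Guard globally, and for access mode, DTP disabled, and port security with at most three MAC addresses on each user port; shut-down ports and trunk uplinks are skipped because the user-port checks do not apply to them. The command patterns, threshold handling and sample config are assumptions made here.

```python
import re
# Constructed sample switch config (not from the checklist); one access port is misconfigured.
SAMPLE_SWITCH_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet1/0/2
 switchport port-security maximum 8
interface GigabitEthernet1/0/3
 shutdown
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

INTERFACE = re.compile(r"^interface (\S+)\n((?: [^\n]*\n?)*)", re.M)
MAX_MACS = 3  # checklist: no more than three MAC addresses on a normal user port

def interfaces(config):
    """Return (name, [sub-commands]) for each interface section of the config."""
    return [(m.group(1), [c.strip() for c in m.group(2).splitlines()])
            for m in INTERFACE.finditer(config)]

def audit_layer2(config):
    """Return Layer 2 checklist findings; [] means every check passed."""
    findings = []
    for feature, pattern in [("DHCP snooping", r"^ip dhcp snooping$"),
                             ("dynamic ARP inspection", r"^ip arp inspection vlan "),
                             ("BPDU Guard", r"^spanning-tree portfast bpduguard default$")]:
        if not re.search(pattern, config, re.M):
            findings.append(f"global: {feature} not enabled")
    for name, cmds in interfaces(config):
        if "shutdown" in cmds or "switchport mode trunk" in cmds:
            continue  # disabled ports and trunk uplinks are outside the user-port checks
        if "switchport mode access" not in cmds:
            findings.append(f"{name}: not pinned to access mode")
        if "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: dynamic trunking (DTP) not disabled")
        if "switchport port-security" not in cmds:
            findings.append(f"{name}: port security not enabled")
        limits = [int(c.split()[-1]) for c in cmds if c.startswith("switchport port-security maximum ")]
        if limits and limits[0] > MAX_MACS:
            findings.append(f"{name}: port-security maximum {limits[0]} exceeds {MAX_MACS}")
    return findings
```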

Wireless

Assessment Area: Are WEP or WPA configured on any APs?
Assessment Technique: Review the configuration to ensure that WEP and WPA pre-shared keys are not used for wireless networks.

Assessment Area: Are wireless protection policies or wIPS enabled?
Assessment Technique: If using a controller-based architecture, wireless protection policies should be enabled to prevent common wireless attacks. For higher security requirements and better visibility into wireless attacks, wIPS is recommended.

Assessment Area: Are rogue AP detection features enabled?
Assessment Technique: Rogue AP detection features should be enabled, if available, to automate detection and containment of unauthorized APs.

Assessment Area: Are pre-shared keys used for encryption?
Assessment Technique: Pre-shared keys for wireless are not recommended, but if used, they should follow good complexity requirements to increase the time needed for brute-force cracking. Just like passwords, these keys should also be changed on a regular basis.

Assessment Area: Are weak encryption keys used?
Assessment Technique: Audit the network for weak encryption keys.


Assessment Area: Is 802.1X used for authentication?
Assessment Technique: 802.1X provides strong authentication and key management for wireless networks and is recommended for secure wireless connectivity.