CIS Control 11

CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

11.1: Maintain Standard Security Configurations for Network Devices

  • Maintain documented security configuration standards for all authorized network devices.

11.2: Document Traffic Configuration Rules

  • Every rule that allows traffic to flow through a network device should be recorded in a configuration management system together with the specific business reason for the rule, the named individual responsible for that business need, and the expected duration of the need.

11.3: Use Automated Tools to Verify Standard Device Configurations and Detect Changes

  • Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
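The following Python script is an added example, not code from the original page or from NNT's Change Tracker product. It shows how 11.1 to 11.3 fit together in code: an approved baseline of lines that must be present and patterns that must be absent (11.1), a rule register holding the business reason, owner and expiry date for each permit rule (11.2), and two checks run over a running configuration that report deviations and undocumented or lapsed rules (11.3). The hostname, configuration text, baseline entries and register are constructed sample data in IOS-style syntax; the telnet check in the baseline also encodes the encrypted-session requirement of 11.5.

```python
"""Baseline drift detection and traffic-rule documentation audit for a network
device configuration. Every config line, baseline entry and register entry here
is constructed sample data, not output from a real device."""
import re
from datetime import date

# Constructed approved baseline (CIS 11.1): lines that must appear verbatim in
# the running config, and patterns that must not appear anywhere in it.
BASELINE_REQUIRED = {
    "aaa new-model",
    "service password-encryption",
    "ip ssh version 2",
    "no ip http server",
}
BASELINE_FORBIDDEN = [
    re.compile(r"^ip http server$"),                 # cleartext management UI
    re.compile(r"^transport input .*\btelnet\b"),    # telnet allowed on a vty line
    re.compile(r"^snmp-server community \S+ RW"),    # writable SNMP community
]

# Constructed traffic-rule register (CIS 11.2): one entry per permit rule with
# the business reason, the responsible owner and the date the need should end.
RULE_REGISTER = {
    "access-list 110 permit tcp any host 10.0.5.20 eq 443": {
        "reason": "Public HTTPS to customer portal",
        "owner": "J. Smith, Web Operations",
        "expires": date(2026, 12, 31),
    },
    "access-list 110 permit tcp 203.0.113.0 0.0.0.255 host 10.0.5.21 eq 22": {
        "reason": "Vendor SSH access for a firmware maintenance window",
        "owner": "A. Patel, Network Engineering",
        "expires": date(2020, 3, 31),   # lapsed: the rule should have been removed
    },
}

# Constructed running configuration as pulled from a device (IOS-style syntax).
RUNNING_CONFIG = """\
hostname edge-rtr-01
aaa new-model
service password-encryption
ip http server
ip ssh version 2
!
access-list 110 permit tcp any host 10.0.5.20 eq 443
access-list 110 permit tcp 203.0.113.0 0.0.0.255 host 10.0.5.21 eq 22
access-list 110 permit udp any any eq 161
access-list 110 deny ip any any log
!
line vty 0 4
 transport input telnet ssh
"""

PERMIT_RULE = re.compile(r"^access-list \d+ permit ")


def normalize(config: str) -> list[str]:
    """Strip indentation, comment markers and blank lines so comparison is line-based."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def detect_drift(config: str) -> dict[str, list[str]]:
    """CIS 11.3: report required lines that are missing and forbidden lines that are present."""
    lines = normalize(config)
    missing = sorted(BASELINE_REQUIRED - set(lines))
    forbidden = [l for l in lines if any(p.search(l) for p in BASELINE_FORBIDDEN)]
    return {"missing": missing, "forbidden": forbidden}


def audit_permit_rules(config: str, register: dict, as_of: date) -> list[tuple[str, str]]:
    """CIS 11.2: every permit rule must be documented, complete, and not past its expiry."""
    findings = []
    for line in normalize(config):
        if not PERMIT_RULE.match(line):
            continue
        entry = register.get(line)
        if entry is None:
            findings.append((line, "undocumented"))
            continue
        for field in ("reason", "owner", "expires"):
            if not entry.get(field):
                findings.append((line, f"missing {field}"))
        expires = entry.get("expires")
        if expires and expires < as_of:
            findings.append((line, f"expired {expires.isoformat()}"))
    return findings


if __name__ == "__main__":
    drift = detect_drift(RUNNING_CONFIG)
    for line in drift["missing"]:
        print(f"MISSING   {line}")
    for line in drift["forbidden"]:
        print(f"FORBIDDEN {line}")
    for rule, problem in audit_permit_rules(RUNNING_CONFIG, RULE_REGISTER, date(2020, 6, 1)):
        print(f"RULE      {problem}: {rule}")
```

Against the sample configuration the drift check reports the missing `no ip http server`, the enabled HTTP server and telnet on the vty lines, and the rule audit reports one permit whose documented need lapsed on 2020-03-31 and one undocumented SNMP permit. In practice the running configuration would be collected over SSH on a schedule or on a change event, and each deviation would feed the alerting that 11.3 calls for.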

11.4: Install the Latest Stable Version of Any Security-Related Updates on All Network Devices

  • Install the latest stable version of any security-related updates on all network devices.

11.5: Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions

  • Manage all network devices using multi-factor authentication and encrypted sessions, that is, SSH and HTTPS for administrative access rather than Telnet or HTTP.

11.6: Use Dedicated Workstations for All Network Administrative Tasks

  • Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

11.7: Manage Network Infrastructure Through a Dedicated Network

  • Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

Figure: System Entity Relationship Diagram

Copyright 2020, New Net Technologies LLC. All rights reserved. 