CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
This article breaks down CIS Control 11 and the seven sub-controls associated with the fifth Foundational CIS Control.
Network devices such as firewalls, routers and switches play a critical role in an organization’s security posture. How well they succeed all depends on the amount of attention that is given to their configuration settings, software and firmware. CIS Control 11 highlights the need to configure network devices properly and avoid leaving any weak spots that could allow intruders into the network. The goal is to harden these devices against compromise, and to establish and maintain visibility into any changes that occur on them, be they planned, legitimate changes or unplanned, potentially dangerous changes.
Fortunately, if your organization has already properly implemented CIS Control 5 then you most likely already have the right tools in place to address CIS Control 11. Let’s get started and take a look at the seven sub controls that make up CIS Control 11.
11.1: Maintain Standard Security Configurations for Network Devices
- Maintain documented security configuration standards for all authorized network devices.
Just like hardware and software, network devices also need to be hardened. It’s recommended that organizations leverage frameworks like the CIS Benchmarks or the DISA STIGs to harden these types of devices. NNT is a long-standing CIS Certified Vendor and as such, has access to a library of automated CIS Benchmarks that can be used to help audit enterprise networks and monitor for any drift from your secure baseline.
Using a tool such as NNT Change Tracker Gen7 R2 would allow your organization to configure device scanning and reporting against the CIS Benchmarks and report on any settings that may be out of compliance.
11.2: Document Traffic Configuration Rules
- All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
This critical sub-control deals with Change Management – the tickets detailing the who, what, when, where, why and how of change details. It should always be possible to find out what device configurations are, what’s been changed, and by who and why. It’s great to know that changes have been made, but knowing what to do as a result of those changes is a different story. Having all of this information to hand will allow your organization to ‘roll back the clock’ if you will, and determine if any intentional or unintentional change has caused an issue in your operations.
11.3: Use Automated Tools to Verify Standard Device Configurations and Detect Changes
- Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
This sub-control is all about change detection. Change Control and Configuration Management are two of the most critical processes with respect to deploying and operating secure network devices. Attackers can wreak havoc on a network by modifying network device configurations to allow for connections in and out of the environment. Using tools like Change Tracker allows your organization to detect any changes made from any previous configurations and can be reconciled against a change management system. This gives your organization a detection control against potential attackers or malicious insiders by alerting you to any added accounts or altered configurations with detailed remediation steps to follow in order to get back into compliance.
11.4: Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
- Install the latest stable version of any security-related updates on all network devices.
It should go without saying that it’s absolutely critical that all network devices have the latest security patches applied. But this is undoubtedly easier said than done. Patching a router or firewall normally requires some downtime, and there’s always a chance that it won’t come back up properly. This leaves many security professionals with the mentality of ‘if it ain’t broke don’t fix it’ when it comes to applying patches. With that being said, every available patch should be reviewed and evaluated for its importance and its impact on your network. Patches that include fixes to serious vulnerabilities should always be installed as quickly as possible to help minimize risk avoid any potential security incidents. NNT Vulnerability Tracker is continually updated with knowledge of new software vulnerabilities and patch intelligence and best of all, will automatically assess devices, just reporting on where intervention is needed.
11.5: Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
- Manage all network devices using multi-factor authentication and encrypted sessions.
In this sub-control, organizations are encouraged to use multi-factor authentication and encrypt sessions. Fortunately, today, many network devices can integrate directly with multi-factor authentication solutions. But the second part on encrypting sessions is especially important to note. It’s recommended that organizations use SSH instead of Telnet once you’ve tested SSH v2 to avoid any potential security mishaps.
CIS Benchmark secure configuration guidance provides a suitable hardened build standard which includes the use of strong passwords, multi-factor authentication, and secure encrypted communications between network devices.
11.6: Use Dedicated Workstations for All Network Administrative Tasks
- Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
This subcontrol is designed to help limit the chances of an attacker compromising an ‘everyday use machine’ and bypassing either the firewall, router or switch through an admin channel. By using a secured, very limited functionality machine, you make it that much harder for an attacker to pass through undetected. Using tools like File Integrity Monitoring (FIM) and properly hardening workstations can help strengthen this significantly.
Learn more about FIM and what to look for when selecting the right FIM tool for your organization by downloading our new FIM Buyers Guide.
11.7: Manage Network Infrastructure Through a Dedicated Network
- Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
For many of the same reasons addressed in the previous sub control, having a dedicated network will helps significantly reduce your risk of credential stealing malware from gaining a larger foothold into your network. By having a segmented network, this will ensure that any other machines cannot access the administrative computer. A VLAN within the network will allow the administrative machine to communicate with the network devices, but will not allow any connections with the business side of the network.
The default configurations for network devices are generally designed for ease of use – not for security. Attackers are constantly on the lookout for devices using vulnerable default settings, riddled with gaps or inconsistencies and use these holes to penetrate defenses. Each of these devices presents an opportunity for attackers to exploit if left in their default state. For this reason, the configurations of all your network devices must be regularly reviewed and evaluated against approved security configurations like the CIS Benchmarks and continuously monitored for any deviations using Closed-Loop Intelligent Change Control.
With Closed-Loop Intelligent Change Control, changes can be promoted to your secure baseline so that other incidences of the same change, including past changes, are pre-approved and not flagged as security incidents. This means that changes can be automatically reviewed and approved across your entire IT estate, even for thousands of changes and devices. Pre-Approved patches can also be deployed over a prolonged period of time and continue to be recognized automatically as known, safe changes. This means that change control is not only easier to manage, but also more precise, making it a much more effective breach detection tool.
Get started today by requesting a free trial of NNT Change Tracker Gen7 R2.
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises