Prince Sultan University PSU
Policy Management System
Router Security Policy
Policy Code: IT0008
Policy Title: Router Security Policy
Owner: Information Technology Center
Responsible Office/Department: Vice President for Academic Affairs
Approved by: University Council
Date Created: February 02, 2017
Recent Review: December 2023
Effective date:
POLICY STATEMENT
Every Router must meet the following configuration standards:
- The Router must have no local user accounts configured. Routers must use the Terminal Access Controller Access Control System (TACACS+) Protocol for User Authentication.
- The “enable” and “secret” passwords on the Router must be kept in a secure encrypted form.
- Standardized Simple Network Management Protocol (SNMP) community strings must be used.
- ITC has the authority to, and will, add rules to the Access Control List as business needs arise.
BACKGROUND AND JUSTIFICATION
In an age of escalating cyber threats, unprotected routers can become gateways for unauthorized access and breaches. A compromised router doesn't only risk data loss but also damages our reputation and trustworthiness. Given our growing reliance on digital solutions and the increasing emphasis on cybersecurity regulations, a clear router security policy is essential. This policy aims to bolster our network defenses, meet industry standards, and uphold our commitment to data protection.
SCOPE AND PURPOSE
All Network and Infrastructure devices connected to the PSU IT network are subject to this policy.
This document describes the required minimal security configuration for all routers and switches connected to the PSU network or used in a production environment.
PRINCIPLES OF THE POLICY
- Layers of Defense: Utilize multiple layers of security controls and measures, ensuring that a breach at one level does not compromise the entire network.
- Least Privilege: Only grant necessary access rights to router configurations, minimizing potential vulnerabilities from unintentional or malicious changes.
- Regular Updates: Ensure that router firmware and software are regularly updated to protect against known vulnerabilities.
- Access Control: Implement strong authentication mechanisms for router access, eliminating unauthorized changes and potential breaches.
- Monitoring and Logging: Continuously monitor router activity and maintain logs to detect and respond to suspicious activities promptly.
- Encryption: Utilize strong encryption standards for data passing through the router, ensuring data integrity and confidentiality.
- Physical Security: Ensure that routers and related hardware are protected from physical tampering or unauthorized access.
- Configuration Management: Maintain standard secure configurations for routers and periodically review and update them based on evolving threats and business needs.
- Incident Response: Develop and maintain a procedure for addressing security incidents related to routers, ensuring timely action and mitigation.
- Stakeholder Awareness: Educate all relevant personnel about the importance of router security and their role in maintaining it.
DEFINITIONS
- Router: A device that forwards data packets between computer networks, directing incoming data from the internet to the appropriate device on a network.
- Firmware: Permanent software programmed into a read-only memory. For routers, it's the software that governs the device's functionality.
- Configuration: The arrangement and settings of a router's software to ensure proper communication with other devices and networks.
- Access Control: Mechanisms to grant or deny specific actions on the router based on the rights of a user or a program.
- Authentication: The process of verifying the identity of a person or system trying to access the router.
- Encryption: The process of converting information into code to prevent unauthorized access.
- Physical Security: Measures taken to protect the router and its associated equipment from physical threats like tampering, theft, or damage.
- Monitoring: The ongoing observation and recording of router activities to ensure proper operation and to detect any anomalies.
- Logging: The process of recording events in the router, such as access attempts, changes made, or failures, which can be reviewed for security and operational analysis.
- Incident: An event that results in, or has the potential to result in, harm to IT system security or the data it holds.
- Least Privilege: A security principle that mandates a user is given the minimum levels of access necessary to perform their job functions.
RESPONSIBILITIES AND IMPLEMENTATION STRATEGIES
- Standard Configurations:
  - Responsibility: IT Network Team
  - Strategy: Maintain a template of standard, secure configurations for routers, ensuring they align with industry best practices.
- Firmware Updates:
  - Responsibility: IT Network Team
  - Strategy: Regularly check for and apply firmware updates, ensuring routers are protected from known vulnerabilities.
- Access Management:
  - Responsibility: IT Security Team
  - Strategy: Implement and maintain strong access control lists (ACLs) for routers, restricting access based on job function and need.
- Monitoring and Logging:
  - Responsibility: IT Security Team
  - Strategy: Continuously monitor router traffic and maintain logs for a predefined duration. Utilize intrusion detection systems (IDS) to spot suspicious activities.
- Incident Response:
  - Responsibility: IT Security Team
  - Strategy: Establish a procedure for addressing router-related security incidents, ensuring timely identification, mitigation, and communication.
- Physical Security:
  - Responsibility: Facility Management Team
  - Strategy: Ensure routers are housed in secure areas with restricted access, such as locked server rooms or cabinets.
- Backup and Recovery:
  - Responsibility: IT Network Team
  - Strategy: Regularly backup router configurations and have a recovery plan in place to restore settings in case of failures.
- Training and Awareness:
  - Responsibility: Human Resources and IT Training Teams
  - Strategy: Regularly educate IT staff about router security best practices, potential threats, and their role in safeguarding network infrastructure.
- Encryption Implementation:
  - Responsibility: IT Network Team
  - Strategy: Ensure encryption standards are applied for data in transit through the router, particularly for remote administrative access.
- Periodic Audits:
  - Responsibility: Internal Audit Team
  - Strategy: Conduct routine audits of router configurations, access logs, and security measures to ensure compliance with the policy and detect areas of improvement.
PROCEDURES FOR HANDLING POLICY VIOLATION
Any violation of this policy will make the subject susceptible to disciplinary actions in accordance with the Enforcement section of the ITC Unauthorized Use Policy.
https://www.psu.edu.sa/en/IT0002-unauthorized-use-policy