Information Security Best Practices: 205 Basic Rules


Section 8: Network Hardware Security

This section addresses best practices for dealing with security of the network hardware, including screening routers/firewall computers, switches, printers, adapter cards, and modems.

8.1 Firewall Computers

By definition, a firewall is a network security device, a combination of hardware and software, that prevents unauthorized users from accessing an intranet or LAN. There are numerous types of firewall schemes: packet filtering routers, screening routers, embedded firewall, etc., all at various levels of cost and complexity.

No matter what firewall scheme is employed, there are specific security measures that apply in all cases.

INFOSEC Best Practice #48

Standardize on screening router hardware and software.

Screening routers must be the same throughout a site so that the network administrator can configure them consistently, with less chance of making a mistake when defining filtering rules. Also, for sites to communicate using encryption, such as over an encrypted VPN connection, the routers at both ends of the link must support the same encryption hardware or algorithm. Software revisions can then be rolled out to all routers at the same time rather than piecemeal, and keeping every router at the same software revision level reduces the chance of unexpected incompatibilities.
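The consistency that Best Practice #48 asks for can be audited rather than assumed. The following script is an added example, not code from the book: it takes a constructed inventory of screening routers (the hostnames, model names, version strings and cipher names are all hypothetical) and flags any router whose hardware model, software revision or VPN cipher deviates from the value the majority of the fleet uses, which is the kind of drift that leads to rule-definition mistakes and failed encrypted links between sites.

```python
"""Configuration-drift audit for a fleet of screening routers.

Added example for Best Practice #48 (not from the book). The inventory below is
constructed; in practice it would be pulled from the routers or an asset database.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RouterRecord:
    name: str          # hypothetical hostname
    model: str         # hypothetical hardware model
    software_rev: str  # hypothetical firmware/OS revision string
    vpn_cipher: str    # cipher the router uses for site-to-site VPN


# Constructed sample inventory: two deliberate deviations are included.
SAMPLE_INVENTORY = [
    RouterRecord("edge-rtr-1", "ScreenRouter-2000", "4.2.1", "aes-256-cbc"),
    RouterRecord("edge-rtr-2", "ScreenRouter-2000", "4.2.1", "aes-256-cbc"),
    RouterRecord("edge-rtr-3", "ScreenRouter-2000", "4.1.7", "aes-256-cbc"),  # stale software
    RouterRecord("dmz-rtr-1", "ScreenRouter-1500", "4.2.1", "3des-cbc"),      # odd model, different cipher
]

AUDITED_ATTRS = ("model", "software_rev", "vpn_cipher")


def baseline(inventory, attr):
    """The most common value of `attr` across the fleet, taken as the site standard."""
    counts = Counter(getattr(r, attr) for r in inventory)
    return counts.most_common(1)[0][0]


def find_drift(inventory):
    """Map each audited attribute to the routers that deviate from the baseline.

    Returns {} when every router matches the site standard on every attribute.
    """
    drift = {}
    for attr in AUDITED_ATTRS:
        standard = baseline(inventory, attr)
        outliers = [(r.name, getattr(r, attr)) for r in inventory
                    if getattr(r, attr) != standard]
        if outliers:
            drift[attr] = outliers
    return drift


def vpn_peers_compatible(a, b):
    """Two routers can terminate an encrypted link only if they agree on the cipher."""
    return a.vpn_cipher == b.vpn_cipher


def report(inventory):
    """Human-readable findings, one line per deviation, for the administrator."""
    lines = []
    for attr, outliers in find_drift(inventory).items():
        standard = baseline(inventory, attr)
        for name, value in outliers:
            lines.append(f"{name}: {attr}={value!r} differs from site standard {standard!r}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

Run against the sample inventory, the report lists edge-rtr-3 for its stale software revision and dmz-rtr-1 twice, once for the differing hardware model and once for the differing VPN cipher; the cipher mismatch is also exactly what would stop dmz-rtr-1 from bringing up an encrypted link with the edge routers. Using the majority value as the baseline is a pragmatic choice for a quick audit; a site with a documented standard build should compare against that build instead.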

INFOSEC Best Practice #49

All routers must have operating systems with at least C2 level security.

Commercial routers run a small kernel operating system usually derived from UNIX and designed to be secure. However, PCs can be turned into routers using software that can be purchased. These PCs must have operating systems that have...