
Information Security Policies, Part 6: Router Security Policy

2006-11-06 13:59, 405 views

Abstract: This is the information security policy set of a large foreign enterprise. It covers every aspect of enterprise information security in several dozen policies, which I will translate and publish one by one. This is the sixth: the Router Security Policy.

Feel free to repost, but please credit the source and the translator. Please do not use it for commercial purposes.
Original text:

Router Security Policy

1.0 Purpose
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of <Company Name>.

2.0 Scope
All routers and switches connected to <Company Name> production networks are affected. Routers and switches within internal, secured labs are not affected. Routers and switches within DMZ areas fall under the Internet DMZ Equipment Policy.

3.0 Policy
Every router must meet the following configuration standards:

1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router's support organization.
3. Disallow the following:
a. IP directed broadcasts
b. Incoming packets at the router sourced with invalid addresses such as RFC1918 address
c. TCP small services
d. UDP small services
e. All source routing
f. All web services running on router
4. Use corporate standardized SNMP community strings.
5. Access rules are to be added as business needs arise.
6. The router must be included in the corporate enterprise management system with a designated point of contact.
7. Each router must have the following statement posted in clear view:

"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
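The configuration standards in section 3.0 can be checked mechanically against a Cisco IOS running-config. The following compliance audit is an added example written for this page, not part of the policy or of any vendor tool; the regexes, the IOS default assumptions noted in the comments, the two sample configs and the community string CORP-RO-PLACEHOLDER are all constructed for illustration.

```python
import re
# Assumes IOS 12.x-style defaults: small servers and directed broadcast are off
# unless the config enables them; source routing is on unless explicitly disabled.
REQUIRED = {  # a matching line must be present
    "3.1 TACACS+ for all user authentication": r"^aaa authentication login \S+ group tacacs\+",
    "3.2 enable password stored encrypted (enable secret)": r"^enable secret ",
    "3.3e IP source routing disabled": r"^no ip source-route$",
    "3.7 warning banner posted": r"^banner (motd|login) ",
}
FORBIDDEN = {  # no line may match
    "3.1 local user account": r"^username \S+",
    "3.2 plaintext enable password": r"^enable password ",
    "3.3a IP directed broadcast enabled on an interface": r"^\s+ip directed-broadcast",
    "3.3c/d TCP or UDP small services enabled": r"^service (tcp|udp)-small-servers",
    "3.3f web service running on router": r"^ip http (secure-)?server",
}

def audit(config: str, approved_communities: set) -> list:
    """Return the policy violations found in an IOS running-config text."""
    lines = config.splitlines()
    findings = []
    for item, pattern in REQUIRED.items():
        if not any(re.match(pattern, line) for line in lines):
            findings.append("missing: " + item)
    for item, pattern in FORBIDDEN.items():
        if any(re.match(pattern, line) for line in lines):
            findings.append("present: " + item)
    for line in lines:  # 3.4: only corporate-standard SNMP community strings
        m = re.match(r"^snmp-server community (\S+)", line)
        if m and m.group(1) not in approved_communities:
            findings.append("non-standard SNMP community: " + m.group(1))
    return findings

# Constructed sample configs for illustration (not taken from any real device).
WEAK = """username admin password 0 letmein
enable password cisco
service tcp-small-servers
ip http server
snmp-server community public RO
interface GigabitEthernet0/0
 ip directed-broadcast
"""
HARDENED = """enable secret 5 $1$PLACEHOLDER$hash
aaa new-model
aaa authentication login default group tacacs+
no ip source-route
snmp-server community CORP-RO-PLACEHOLDER RO
banner motd ^ UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. ^
"""
```

Running `audit(WEAK, {"CORP-RO-PLACEHOLDER"})` reports ten violations, while the hardened config reports none; item 3.3b (RFC1918 source filtering) is an ACL question and is deliberately not covered by line matching.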

4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions
Production Network
The "production network" is the network used in the daily business of <Company Name>. Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to <Company Name> employees or impact their ability to do work.

Lab Network
A "lab network" is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to <Company Name> nor affect the production network.

6.0 Revision History

Translation:

Router Security Policy
1.0 Purpose
This document sets out the minimum security configuration requirements for all routers and switches connected to the enterprise production network or used in enterprise production.
2.0 Scope
This document applies to all routers and switches connected to the enterprise production network. It does not apply to routers and switches in the enterprise's internal or secured labs. Routers and switches within DMZ areas must follow the "Internet DMZ Equipment Policy".
3.0 Policy
All routers must meet the following configuration standards:
1. No local user accounts are to be configured on the router. The router must use the TACACS+ model to authenticate all users.
2. The router's enable password must be stored in a secure, encrypted form. The router support organization must use the enable password to set the password of the router currently in production.
3. The following are not allowed:
1) IP directed broadcasts
2) IP packets accepted by the router with invalid source addresses, such as RFC1918 addresses
3) TCP small services
4) UDP small services
5) All source routing
6) All web services running on the router
4. Use standardized SNMP community strings.
5. Add access rules as business needs grow.
6. The router must be included in the enterprise-wide management system, with a designated point of contact (POC).
7. Every router must have the following statement posted in a prominent location:
"Unauthorized access to this network device is prohibited. Explicit permission is required to access or configure this device. Any operation performed on this device requires logging in first. Violations of the security policy will result in disciplinary action and may even lead to legal proceedings. There is no right to privacy on this device."
4.0 Enforcement
Any employee who violates this policy will face disciplinary action, up to and including termination of employment.
5.0 Definitions
Terms and definitions

Production Network
The production network is the network used in the enterprise's daily business. All production networks are connected, directly or indirectly, to the enterprise backbone. A failure of any production network may directly harm enterprise production, employees' interests or their working efficiency.
Lab Network
A lab network is any network used for purposes such as testing, verification or training. All lab networks must be stand-alone or isolated from the production network by a firewall. A failure of a lab network does not directly affect enterprise production and therefore causes no direct loss to the enterprise.
6.0 Revision History