Today, I will be going over Control 11 from version 7 of the CIS top 20 Critical Security Controls – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches. I will go through the seven requirements and offer my thoughts on what I’ve found.


Key Takeaways for Control 11

  1. Leverage existing controls. If you have already implemented control number 5 to monitor configuration and changes on your endpoints, then you probably already have the tools and expertise needed to address control 11. If you are implementing the controls in order, only the final two requirements here would need additional overhead.
  2. Network devices are computers too. These controls match exactly what you would do for any other computer in the enterprise. Don’t forget to give them attention, as well.

Requirement Listing for Control 11

1. Maintain Standard Security Configurations for Network Devices

Description: Maintain standard, documented security configuration standards for all authorized network devices.

Notes: As with control number 5, network devices are also candidates for hardening. Both CIS and DISA have guidelines available to harden these types of devices. A tool such as Tripwire Enterprise will make this much easier.

2. Document Traffic Configuration Rules

Description: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.

Notes: Getting the rules documented is the easy part. Tying assets, and the applications on those assets, back to an individual or business unit is the hard part, especially for businesses that have grown organically. The first step is to gather the configuration and leverage the next section to alert on changes.
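
One way to check requirement 2 against a device's rule set, as an added example (not code from the original post or from any CIS or vendor tool). The rule export format, the record fields, the use of an end date for the expected duration, and all sample values are constructed assumptions.

```python
from datetime import date

# Constructed sample: rules as exported from a device (hypothetical format).
DEVICE_RULES = [
    {"id": "fw1-10", "action": "allow", "src": "10.1.0.0/16", "dst": "10.9.0.5", "port": 443},
    {"id": "fw1-20", "action": "allow", "src": "any", "dst": "10.9.0.7", "port": 22},
    {"id": "fw1-30", "action": "allow", "src": "10.2.0.0/24", "dst": "10.9.0.8", "port": 1433},
    {"id": "fw1-40", "action": "allow", "src": "10.3.0.0/24", "dst": "10.9.0.9", "port": 8080},
    {"id": "fw1-99", "action": "deny", "src": "any", "dst": "any", "port": None},
]
# Constructed sample: records held in the configuration management system.
RULE_DOCS = {
    "fw1-10": {"business_reason": "Intranet HTTPS", "owner": "A. Example", "expires": "2031-01-01"},
    "fw1-30": {"business_reason": "Reporting DB access", "owner": "", "expires": "2031-01-01"},
    "fw1-40": {"business_reason": "Vendor pilot", "owner": "B. Example", "expires": "2020-06-30"},
    "fw1-77": {"business_reason": "Old FTP drop", "owner": "C. Example", "expires": "2031-01-01"},
}
REQUIRED = ("business_reason", "owner", "expires")  # the three items requirement 2 names


def audit_rules(rules, docs, today):
    """Return {rule_id: [issues]} for allow rules that fail the documentation check."""
    findings = {}
    for rule in rules:
        if rule["action"] != "allow":
            continue  # the requirement covers rules that allow traffic
        doc = docs.get(rule["id"])
        if doc is None:
            findings[rule["id"]] = ["undocumented"]
            continue
        issues = [f"missing {f}" for f in REQUIRED if not str(doc.get(f) or "").strip()]
        try:
            if doc.get("expires") and date.fromisoformat(doc["expires"]) < today:
                issues.append("expired")  # the expected duration of the need has passed
        except ValueError:
            issues.append("invalid expires")
        if issues:
            findings[rule["id"]] = issues
    # Records with no matching rule on the device mean the documentation has drifted.
    for rule_id in sorted(docs.keys() - {r["id"] for r in rules}):
        findings[rule_id] = ["documented but not on device"]
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(DEVICE_RULES, RULE_DOCS, date.today()).items():
        print(rule_id, "->", ", ".join(issues))
```

Run on a schedule against a fresh export, the findings become the worklist for tying each rule back to an owner.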

3. Use Automated Tools