Network Security Documentation Checklist (2009)

This document is a network security checklist used to document and review security controls for network devices at an organization. It contains over 40 control categories grouped into sections on physical security, authentication and access controls, network management, intrusion detection, change control, logging and monitoring, passwords, backups, VPN usage, vulnerability scanning, wireless security, and device registration. For each control, there is a reference to the relevant standard and a field to initial to indicate the control has been verified.

Uploaded by Dushyant Tyagi

Network Security Documentation Checklist (2009)

Network Device identification and location: ________________________________________


Completed by (please print): ___________________________

Date: _________________

Signature: ___________________________

Next scheduled review date: _________________

Manager's signature: ___________________________

Date: _________________

Type of Control

Initials

Physical Security

1. The network device is secured in an area with physical access control. (5.3.1)

2. Is the network device considered a Core network device as defined by the standard? (Y/N) ____________ (4.0)

If No, skip to item 5.

3. The core network device is located in an alarmed area. (5.3.2)

4. The core network device is attached to an appropriately designed UPS and generator system. (5.3.3)

Authentication & Access Lists

5. Access lists are configured to limit the number of locations the device may be accessed from. (5.4.1)

6. Access to configuration backups is restricted to authorized personnel. (5.4.1.1)

7. The device is protected from Layer-3 IP address spoofing. (5.4.2)

8. All external connections to RIT are protected in accordance with the ITS-maintained access list. (5.4.3)

9. Centralized user-level authentication is used to authenticate all interactive users making changes to the network device. (5.4.4)

10. If possible, the network device displays a trespassing banner at login that does not reveal underlying characteristics of the network. (5.4.5)


Network Management

11. If the network device utilizes an 802.1Q trunk, the native VLAN is not VLAN 1. (5.5.1)

12. Plain-text protocols are not utilized for management of the device. (5.5.2)

13. Management traffic is separated from user traffic. (5.5.3)

14. Management interfaces for the device are located on a management network. (5.5.4)

15. Any console ports used for device management are secured by a username/password or other ISO approved method. (5.5.5)

16. The network device has transitioned to SNMPv3 or another option that does not use plaintext community strings for network management services. (5.5.6)

17. Default SNMP community strings have been changed. (5.5.7)

18. The device does not use any of the following: LDAP without SSLv3 or TLS, FTP, telnet, remote host protocols, SSHv1, SSLv1, SSLv2, or SSLv3. A list of prohibited protocols can be found at http://www.rit.edu/security/content/network-security-standard (5.5.8)
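
An added example, not part of the RIT checklist: a small Python audit that checks a device configuration against items 11, 12, 16 and 17 above. It assumes Cisco IOS-style syntax (the checklist names no vendor) and that an unset trunk native VLAN defaults to 1; the sample configuration is constructed.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the checklist names no vendor).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community n0c-Mon1tor RO
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
!
line vty 0 4
 transport input telnet ssh
"""
DEFAULT_COMMUNITIES = {"public", "private"}

def split_blocks(config):
    """Group indented sub-commands under their unindented parent line."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return sorted (checklist item, message) findings for items 11, 12, 16 and 17."""
    findings = set()
    for head, body in split_blocks(config):
        m = re.match(r"snmp-server community (\S+)", head)
        if m:
            findings.add((16, "plaintext SNMP community string in use"))
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.add((17, f"default SNMP community string '{m.group(1)}'"))
        if head.startswith("interface ") and "switchport mode trunk" in body:
            native = [b.split()[-1] for b in body if b.startswith("switchport trunk native vlan")]
            if not native or native[-1] == "1":  # assumed default when unset: VLAN 1
                findings.add((11, f"{head}: trunk native VLAN is 1"))
        if head.startswith("line ") and any(
                b.startswith("transport input") and {"telnet", "all"} & set(b.split()[2:])
                for b in body):
            findings.add((12, f"{head}: telnet accepted for management"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` returns one finding per failed item; an empty list means none of the four checks fired, not that the device passes the whole checklist.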
Creative Commons Share Alike License
Network Checklist final b.doc

revised 5/18/09

Intrusion Detection System

19. An IDS service is deployed on the links to/from the Institute network and the public Internet/Internet2. (5.6.1)
20. Hosts that are detected via the rule set are automatically blocked from further network access until the cause of the detection is understood and remediated. (5.6.1)


Anti ARP-spoofing

21. Is the network device a user-edge network device? (Y/N) ____________ (5.7)

If No, skip to item 23.

22. DHCP/ARP Snooping support is enabled on the device. (5.7.1.1)

Change Control

23. Will the addition of, or changes to this device involve significant risk to the Institute Network? (Y/N) ____________ (5.8)

If No, skip to item 25.

24. A change control process for the device exists, including a problem statement, supporting data, potential solutions, potential impact/risks, and management approval. (5.8.1)

Who has approved this process? __________________________________

Logging and Monitoring

25. The network device logs to a logging/management system. (5.9.1)

Where is the logging process documented? __________________________________

26. The network device is regularly monitored for its ability to be reached by the central network management system. (5.9.2)

Passwords

27. The process to change the password on the device is in accordance with the password standard. (5.10.1)

28. All manufacturers' default passwords have been disabled or changed. (5.10.2)

Configuration Backups

29. The configuration of the device is backed up regularly. (5.11.1)

30. The device configuration is subject to managed revision control, and changes in configuration result in the automatic notification of the network administrator. (5.11.2)


VPN

31. Does this network device provide or assist with providing VPN service for use at RIT? (Y/N) ____________ (5.12)

If No, skip to item 34.

32. The VPN service only allows connection to the Internet through RIT. (5.12.1)

33. The VPN service has undergone a security review. (5.12.2)

Where are the results of the security review documented? _________________________________


Vulnerability Scanning & Quarantine

34. The network device is regularly scanned for hosts that are vulnerable to remote exploits. (5.13.1)

35. Vulnerable hosts are moved to a quarantine network where they have the capability to access services necessary to patch and remediate infections. (5.13.3)

36. The network device is not configured to explicitly blacklist or permanently whitelist the ISO vulnerability scanner. (5.13.5)

Wireless Security

37. Is this network device a wireless network device? (Y/N) ____________ (5.14)

If No, skip to item 40.

38. The wireless device supports ISO-approved encryption methods. (5.14.1)

39. The wireless device adheres to minimum levels of security developed by the ISO. (5.14.2)

Device Registration

40. Does the network device have an IP address? (Y/N) ____________ (5.15.1)

If No, skip the remaining items.

41. The IP and all MAC addresses are registered in an ISO-approved registration system. (5.15.1.1)

Where is the device registered? __________________________________

42. Any guest access on the device is registered with appropriate contact information. (5.15.1.2)

RIT Information Security


infosec@rit.edu
https://www.rit.edu/security/

revised 12/5/14
