IT Security Checklist

Back to INSYS docs overview

Back to IT Security - Overview

Function	Note
User management	only provide users with the required rights and set up a strong password; use different passwords for each router/user
RADIUS server	authentication via RADIUS server increases IT security
Access protection for user interface	deactivate access via unencrypted HTTP connection, if possible; deactivate access via encrypted HTTPS connection, if not required; an authentication with certificates is recommended
Automatic session timeout for user interface	as brief as possible to close the configuration channel as quickly as possible after leaving the configuration PC without logging off beforehand
Access to command line (CLI)	only via encrypted SSH connection, if required
VPN connections	use VPN connections if possible (don’t use PPTP with this)
NTP synchronisation	provide for regular synchronisation of the internal clock to be able to check the validity of certificates, for example
Auto update	provide for automatic update of the router firmware to avoid security vulnerabilities in an outdated firmware
DHCP server	deactivate, if not required
DNS relay	deactivate, if not required
IP filter	activate and make rules as precise as possible (permit only those packets that are absolutely necessary); verify existing rules with regard to IT security; restrict existing rules to IPv4 or IPv6, if only one IP version is used
MAC filter	activate if all connected devices are known; don’t forget in this case to enter the MAC address of the configuration PC
SNMP	use only v3 with authentication and encryption if required
SLAAC	deactivate, if not required or IPv6 is not used
Switch	only activate necessary ports to restrict physical access to the network
Messages upon IT security-relevant events	add messages (via SMS, E-Mail, SNMP trap or MCIP) upon IT security-relevant events like login attempts, configuration changes, changes at the switch, etc. to alert users in due time
Log files	check regularly for irregularities to recognise these early
Profile (configuration)	store, secure and protect against unauthorised access router configuration as profile offline as well as document and comment it if required to impede tampering
Installation location	Set up the router in a location protected from access to make physical access to it more difficult

Function

Note

User management

only provide users with the required rights and set up a strong password; use different passwords for each router/user

RADIUS server

authentication via RADIUS server increases IT security

Access protection for user interface

deactivate access via unencrypted HTTP connection, if possible; deactivate access via encrypted HTTPS connection, if not required; an authentication with certificates is recommended

Automatic session timeout for user interface

as brief as possible to close the configuration channel as quickly as possible after leaving the configuration PC without logging off beforehand

Access to command line (CLI)

only via encrypted SSH connection, if required

VPN connections

use VPN connections if possible (don’t use PPTP with this)

NTP synchronisation

provide for regular synchronisation of the internal clock to be able to check the validity of certificates, for example

Auto update

provide for automatic update of the router firmware to avoid security vulnerabilities in an outdated firmware

DHCP server

deactivate, if not required

DNS relay

deactivate, if not required

IP filter

activate and make rules as precise as possible (permit only those packets that are absolutely necessary); verify existing rules with regard to IT security; restrict existing rules to IPv4 or IPv6, if only one IP version is used

MAC filter

activate if all connected devices are known; don’t forget in this case to enter the MAC address of the configuration PC

SNMP

use only v3 with authentication and encryption if required

SLAAC

deactivate, if not required or IPv6 is not used

Switch

only activate necessary ports to restrict physical access to the network

Messages upon IT security-relevant events

add messages (via SMS, E-Mail, SNMP trap or MCIP) upon IT security-relevant events like login attempts, configuration changes, changes at the switch, etc. to alert users in due time

Log files

check regularly for irregularities to recognise these early

Profile (configuration)

store, secure and protect against unauthorised access router configuration as profile offline as well as document and comment it if required to impede tampering

Installation location

Set up the router in a location protected from access to make physical access to it more difficult

The check list makes no claim to be complete and has a general nature only.