Here are the elements of a router security policy that should be included in the official documentation:
- Password encryption and complexity settings – What is the complexity requirement, do we enable password encryption for the stored configuration (bearing in mind that the reversible encryption many platforms apply to stored passwords is only obfuscation, so privileged passwords should be stored as irreversible hashes), and how often do we rotate passwords?
- Authentication settings – What login banners do we configure, do we authenticate against TACACS+ servers or local passwords (and do local accounts remain as a fallback if the servers are unreachable), and do we employ AAA accounting?
- Management access settings – Which management protocols do we permit, e.g. SSH rather than telnet, HTTPS rather than HTTP, SNMPv3 rather than v1/v2c, and from which management networks?
- Unneeded services settings – Which services are needed and how do we disable the remaining ones?
- Ingress/egress filtering settings – Do we filter sensitive addresses such as RFC 1918 private IP addresses at the network edge, are anti-spoofing ACLs in place, and do we enable uRPF filtering?
- Routing protocol security settings – Is message authentication enabled for our routing protocols and first-hop redundancy protocols (FHRPs such as HSRP or VRRP), and is it enabled consistently on every participating neighbour?
- Configuration maintenance – Are device configurations backed up properly? What is the DR plan and how do we recover?
- Change management – How are changes to the configuration documented for compliance purposes, and who reviews and approves them?
- Router redundancy – Do we have adequate redundancy, and is it hot or cold standby?
- Monitoring and incident handling – Do we log login failures and other events that may be needed for incident response? Are entries properly timestamped against a synchronised clock and forwarded to a central log server so they survive a compromised or rebooted device?
- Security updates – Do we patch devices promptly and adhere to patch-management standards for regular security and bug fixes?
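Most of the items above map onto specific lines of a router's running configuration, which makes the policy auditable rather than just documented. The following Python script is an added example (not code from the original page) that runs a small set of such checks over a Cisco IOS-style configuration dumped as text and lists every policy item the device fails. The two configurations embedded in it are constructed for illustration, the check list itself is an assumption about what a policy might require (adapt it to your own document), and the `$9$...` hash and `<encrypted-key>` values are placeholders.

```python
"""Audit an IOS-style running-config against a router security policy checklist.

Added example, not from the original page. Both configs below are constructed,
and CHECKS is an assumption about what the policy requires.
"""
import re

# (policy area, description, regex matched in MULTILINE mode, must_be_present)
# must_be_present=False marks a line whose presence is itself a violation.
CHECKS = [
    ("passwords", "stored passwords encrypted", r"^service password-encryption$", True),
    ("passwords", "privileged password stored as enable secret", r"^enable secret ", True),
    ("passwords", "cleartext enable password present", r"^enable password ", False),
    ("authentication", "login banner configured", r"^banner (login|motd) ", True),
    ("authentication", "AAA enabled", r"^aaa new-model$", True),
    ("authentication", "TACACS+ used for login", r"^aaa authentication login \S+ group tacacs\+", True),
    ("authentication", "AAA exec accounting enabled", r"^aaa accounting exec ", True),
    ("management", "VTY lines accept SSH only", r"^ transport input ssh$", True),
    ("management", "VTY lines accept telnet", r"^ transport input (telnet|all)", False),
    ("management", "cleartext HTTP server disabled", r"^no ip http server$", True),
    ("management", "SNMPv1/v2c community string present", r"^snmp-server community ", False),
    ("management", "SNMPv3 group with privacy configured", r"^snmp-server group \S+ v3 priv", True),
    ("services", "TCP small servers disabled", r"^no service tcp-small-servers$", True),
    ("services", "CDP disabled globally", r"^no cdp run$", True),
    ("filtering", "uRPF enabled on an interface", r"^ ip verify unicast source reachable-via (rx|any)", True),
    ("filtering", "inbound ACL denies RFC 1918 sources",
     r"^ deny ip (10\.0\.0\.0 0\.255\.255\.255|172\.16\.0\.0 0\.15\.255\.255|192\.168\.0\.0 0\.0\.255\.255) any", True),
    ("routing", "OSPF message-digest authentication", r"^ ip ospf authentication message-digest$", True),
    ("monitoring", "log timestamps with millisecond precision", r"^service timestamps log datetime msec", True),
    ("monitoring", "failed logins logged", r"^login on-failure log", True),
    ("monitoring", "NTP time source configured", r"^ntp server ", True),
]


def audit(config: str) -> list:
    """Return (area, description) for every policy check the config fails."""
    findings = []
    for area, desc, pattern, must_exist in CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present != must_exist:
            findings.append((area, desc))
    return findings


# Constructed "before" config: factory-like defaults plus a few bad habits.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
snmp-server community public RO
ip http server
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
router ospf 1
 network 203.0.113.0 0.0.0.255 area 0
line vty 0 4
 password cisco
 transport input telnet
"""

# Constructed "after" config implementing the checklist items.
# The type-9 hash and the OSPF key are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
service timestamps log datetime msec
no service tcp-small-servers
no cdp run
enable secret 9 $9$PLACEHOLDERHASH
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
login on-failure log
banner motd ^Authorized access only. Activity is logged.^
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 203.0.113.0 0.0.0.255 any
 permit ip any any
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip verify unicast source reachable-via rx
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 <encrypted-key>
no ip http server
ip http secure-server
snmp-server group NETMON v3 priv
ntp server 192.0.2.10
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for area, desc in findings:
            print(f"  [{area}] {desc}")
```

The regexes deliberately anchor on the leading space that IOS uses for lines nested under an interface or ACL, so a `transport input ssh` under `line vty` is distinguished from a top-level line. A check of this kind is a floor, not a proof: it confirms the policy lines exist but not that the ACL is applied on the right interface or that the OSPF key is the one the neighbour expects, which is why the audit belongs alongside the change-management and configuration-backup items rather than in place of them.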