Document Change History
Author | Description of Change | Version | Date
Enterprise Security | Baseline Security Guidelines ‐ Network :: Submitted for internal review & feedback | 1.0 | 1st Feb 2007
Zakir Rizwe | Information Security Guidelines ‐ Network | 1.1 | 19 Mar 2015
3. Information Security Guidelines: Data Network Infrastructure Enterprise Security
[Organization Name]
[Organization Address]
Table of Contents
Document Change History
Table of Contents
Scope & Background
1. Network Infrastructure
1.1. Network Design
1.1.1. Data communication circuits
1.2. Backdoor Connections
1.3. Internet Connectivity
1.3.1. Network Address Translation
1.4. IP Addressing
1.5. Device Management
1.5.1. General Safety – Communication devices
1.5.2. Operating Management
1.6. Deterrent Measures
1.6.1. Passwords
1.7. Routing Systems
1.7.1. Route Table
1.7.2. Routers Accounts & Passwords
1.7.3. Router Administrative Access
1.7.4. Router Management
1.7.5. Router Operating System
1.7.6. Configuration and Image Integrity
1.8. Routing System Services
1.8.1. General Services
1.8.2. IP Source Routing
1.8.3. Proxy and Gratuitous ARPs
1.8.4. Directed Broadcasts
1.8.5. ICMP Exploits
1.8.6. Logging Integrity – NTP
1.8.7. SNMP Service
1.8.8. Packet Filtering and Logging
1.8.9. ICMP Message Types & Trace‐route facility
1.8.10. Logging
1.8.11. Configuration Management
1.9. Switches and VLAN
1.9.1. Wiring Architecture
1.9.2. Switch Accounts & Passwords
1.9.3. Switch Administrative Access
1.9.4. Virtual Local Area Network
1.10. Remote User Access
1.10.1. Administrative Access
1.10.2. Logging Management
1.10.3. Dial‐up Communication
1.10.4. Remote Access Server
1.11. Remote Client to VPN Gateway
1.12. Network Management and Support Services
Scope & Background
This excerpt provides 'information security guidelines' for a TCP/IP based data network.
It is intended as ready assistance for the network management team managing a TCP/IP
network: it introduces secure practices and equips the team to implement the guidelines
at the different levels of a data inter-network.
It summarizes requirements for a 'device to operation driven' security framework focusing
on device administration, monitoring, maintenance and management for intranet & internet
based data access solutions running at the access, distribution and core layers.
Developed by Enterprise Security, the document supports the IT department in furthering
information security as an integral part of continued operations.
Background: IT teams managing data networks often struggle to keep security &
operations intact, because the two responsibilities at times work against each other
when it comes to operations or delivering projects. This usually leads the IT operations
team to forgo information security practices.
The problem is reinforced by the general perception that security largely revolves around
firewall, VPN and IPS boxes. However, these devices, alongside every other component
running operations, have a security perspective as well and need a guideline that takes
the team step by step towards consistently improved levels of security.
This information security guidelines document provides just that: security at all levels,
layers and devices. It articulates security considerations that provide an acceptable level
of information security risk for data on the network perimeter.
1. Network Infrastructure
1.1. Network Design
Changes to the data network infrastructure to be regularly documented, and integrity to be
maintained by continuous auditing with reference to facility drawings and topology maps.
[ORG_IT_SB_NET_1]: An up-to-date data network design view should be maintained,
including network topology [links (external & internal)], end-user data point locations,
IP subnets and the actual models of the networking (switching, routing and access)
equipment carrying the traffic.
[ORG_IT_SB_NET_2]: In-house backup and redundant provisions, as per the prevailing
business exposure, should be recorded with a relevant description.
1.1.1. Data communication circuits
Data connections to internal networks to be secured, with a focus on continued availability.
The premise router ingress packet filter for any interface is configured to permit only
packets with a destination address belonging to the respective site IP address block.
[ORG_IT_SB_NET_3]: All external links / communication services should be validated
and approved prior to operations
[ORG_IT_SB_NET_4]: Requirements for all communication links / services should
be vetted on a semi‐annual basis
[ORG_IT_SB_NET_5]: Connection between the CSU/DSU and the local exchange (data
service jack) should be appropriately connected and maintained in a physically secure
location within the organization office
[ORG_IT_SB_NET_6]: Modems connected to all CSU/DSU should be disabled or
disconnected when not in use
1.2. Backdoor Connections
A backdoor connection is a connection between [ORG‐corporate‐network] & the
customer sites that does not traverse the provider's network.
[ORG_IT_SB_NET_7]: No backdoor connections allowed between [ORG‐private‐network]
and external service provider unless approved by the management.
1.3. Internet Connectivity
[ORG_IT_SB_NET_8]: Approval from IT operations & ESS should be obtained prior to
establishing an Internet connection from an internet service provider
[ORG_IT_SB_NET_9]: Internet connectivity should be managed on a logically separate IP
network. The traffic should be driven through a proxy server embodied in a proficient
firewall with IPS features and should be equipped with latest service signatures.
[ORG_IT_SB_NET_10]: All requests arriving at the proxy server should be re-packaged
with the PS NAT address & inter-exchanged accordingly.
[ORG_IT_SB_NET_11]: Premise router interface connecting the ISP should be configured
with ingress ACL permitting only packets with destination addresses within the site's
internal address space
[ORG_IT_SB_NET_12]: IP routing should be primarily kept to static routes. However, if
a dynamic routing protocol is needed, the premise router should not be involved in
an inter-routing process with the peer service provider router
[ORG_IT_SB_NET_13]: IP addresses from service provider should not be redistributed or
advertised into the corporate network.
1.3.1. Network Address Translation
[ORG_IT_SB_NET_14]: Workstation/client service IP addresses should not be revealed
to the Internet. NAT services should be used at the proxy server, firewall or the router
level to create efficacy and transparency.
1.4. IP Addressing
[ORG_IT_SB_NET_15]: All network IP address ranges (for Internet use) should be
properly registered with the Network Information Center (NIC).
[ORG_IT_SB_NET_16]: Private class IP addressing scheme (registered and provided for
the corporate and development setups by IANA) should be used for data
communication services.
[ORG_IT_SB_NET_17]: BOGON / Martian addresses (unassigned / reserved by IANA), along
with the RFC 1918 address range and private IP address class, should be blocked at the
premise router level from traversing into the IP WAN.
1.5. Device Management
1.5.1. General Safety – Communication devices
[ORG_IT_SB_NET_18]: Data network & communication devices (routers, switches, RAS,
NAS, firewalls, IPS, CSU / DSU, DTE etc.) to be installed in a secure data facility with
limited access allowed on a need-to-know basis
1.5.2. Operating Management
[ORG_IT_SB_NET_19]: Documented procedure to be in place to validate loaded image files
on a designated network share backed up on a daily basis.
[ORG_IT_SB_NET_20]: Network ports and services except those needed to support
operational commitments of the site should be kept in a disabled state.
[ORG_IT_SB_NET_21]: Warning banners to be displayed on all interfaces of a network device
(Telnet, File Transfer Protocol (FTP), Hyper-Text Transfer Protocol (HTTP) etc.)
[ORG_IT_SB_NET_22]: Device access to be limited to authorized administrators. In addition
to AAA authentication processes, access attempts to be logged for auditing.
[ORG_IT_SB_NET_23]: Management of communication equipment should be done through a
limited number of authorized stations with respective IP addresses. The number of IP
addresses & stations must be equal to or less than the number of managing
administrators.
[ORG_IT_SB_NET_24]: Confidentiality of device remote management sessions to be
secured using FIPS 140-2 validated encryption algorithms such as AES, 3DES etc.
1.6. Deterrent Measures
1.6.1. Passwords
[ORG_IT_SB_NET_25]: All devices to be password protected
[ORG_IT_SB_NET_26]: No equipment default passwords
[ORG_IT_SB_NET_27]: Passwords to be created & maintained following the relevant
information security policy
[ORG_IT_SB_NET_28]: Equipment administrative passwords should be enveloped with a
sign-off from the relevant authorized person and kept in a fire-proof vault at the primary
and disaster recovery sites
[ORG_IT_SB_NET_29]: Administrative account password for critical equipment should
be managed in halves, with each portion kept and managed by one of two administrators.
1.7. Routing Systems
1.7.1. Route Table
[ORG_IT_SB_NET_30]: Restrict routing protocol connections to known IP segments
[ORG_IT_SB_NET_31]: Route based authentication for routing protocols running under
the same or different autonomous systems
1.7.2. Routers Accounts & Passwords
[ORG_IT_SB_NET_32]: Administrative access to all routers through authentication
server.
[ORG_IT_SB_NET_33]: One account to be defined on the router for use in emergency
[ORG_IT_SB_NET_34]: Administrator to ensure each user has an account (username &
password) for router access
[ORG_IT_SB_NET_35]: User account authority to be based on least privilege
[ORG_IT_SB_NET_36]: Accounts to be removed from the authentication server or router
immediately once the requirement turns 'void'
[ORG_IT_SB_NET_37]: Enable secret password should not match any other username,
password, enable password, or any other enable secret password
[ORG_IT_SB_NET_38]: Passwords not to be viewable in router configuration
1.7.3. Router Administrative Access
[ORG_IT_SB_NET_39]: All interfaces for router to be password protected.
[ORG_IT_SB_NET_40]: Console to time out after an inactivity period of 10 minutes.
[ORG_IT_SB_NET_41]: Modems with or without telecommunication lines should not be
connected to the console or auxiliary ports.
[ORG_IT_SB_NET_42]: Auxiliary port should be kept 'disabled'
1.7.4. Router Management
[ORG_IT_SB_NET_43]: Router management to be done with restricted access. During
contingent situations, relaxation may be given on a case-by-case basis.
[ORG_IT_SB_NET_44]: Management access to be password protected at all interfaces.
[ORG_IT_SB_NET_45]: Controls to be applied to ensure the router is only accessed by the
relevant administrator through a two-factor authentication process.
[ORG_IT_SB_NET_46]: In-band management should only be allowed from authorized IP
addresses within the campus network.
[ORG_IT_SB_NET_47]: Remote administration to be carried out centrally from head office
and disaster recovery office.
[ORG_IT_SB_NET_48]: Management sessions secured using FIPS 140‐2 validated
encryption algorithms including AES, 3DES, SSH etc
[ORG_IT_SB_NET_49]: Administrator to enforce user access lockout after approved
number of continuous unsuccessful login attempts
[ORG_IT_SB_NET_50]: Timeout for in‐band management access should be set to no
longer than 10 minutes
[ORG_IT_SB_NET_51]: Access control to be bound to VTY ports, with permitted as well as
denied access attempts logged.
1.7.5. Router Operating System
[ORG_IT_SB_NET_52]: Latest operating system image should be kept in effect at each
router.
1.7.6. Configuration and Image Integrity
[ORG_IT_SB_NET_53]: Bootp server services should be kept in a disabled state.
[ORG_IT_SB_NET_54]: Configuration auto‐loading should be disabled.
[ORG_IT_SB_NET_55]: Operating system should be configured to boot from FLASH or
an attached memory stick. Other sources (TFTP or network server) should not be
activated for routine operation, even as a second option.
1.8. Routing System Services
1.8.1. General Services
[ORG_IT_SB_NET_56]: CDP should be kept 'disabled' on all external interfaces.
[ORG_IT_SB_NET_57]: TCP & UDP small server services should be kept 'disabled'
[ORG_IT_SB_NET_58]: PAD services should be kept in a disabled state.
[ORG_IT_SB_NET_59]: TCP Keep-Alive parameter should be kept enabled for Telnet sessions.
[ORG_IT_SB_NET_60]: Identification support should be kept in a disabled state.
[ORG_IT_SB_NET_61]: DHCP, Finger should be kept in a disabled state.
[ORG_IT_SB_NET_62]: All BSD r-command servers/services should be kept in a disabled state.
1.8.2. IP Source Routing
[ORG_IT_SB_NET_63]: IP source routing should be kept disabled for all routers.
1.8.3. Proxy and Gratuitous ARPs
[ORG_IT_SB_NET_64]: Proxy ARP & gratuitous ARP should be kept 'disabled'.
1.8.4. Directed Broadcasts
[ORG_IT_SB_NET_65]: IP directed broadcast should be kept 'disabled' at all interfaces.
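An added example, not part of the original guideline: a small audit script that checks a router configuration for lines which explicitly enable services that sections 1.7.3, 1.7.4, 1.7.6 and 1.8.1 to 1.8.4 want disabled, and for VTY/console settings that miss the 10-minute and access-list requirements. It assumes Cisco IOS-style syntax (the guideline names no vendor) and uses a constructed sample configuration; services that are on by default without a configuration line are outside what it can see.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the page names no vendor).
SAMPLE_CONFIG = """\
service tcp-small-servers
no service pad
ip bootp server
ip finger
!
interface GigabitEthernet0/0
 ip directed-broadcast
!
line con 0
 exec-timeout 0 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
line vty 5 15
 exec-timeout 30 0
"""

# Global lines that explicitly enable a service the baseline wants disabled.
GLOBAL_FORBIDDEN = [
    (r"ip source-route", "ORG_IT_SB_NET_63"),
    (r"service (tcp|udp)-small-servers", "ORG_IT_SB_NET_57"),
    (r"service pad", "ORG_IT_SB_NET_58"),
    (r"ip bootp server", "ORG_IT_SB_NET_53"),
    (r"service config|boot network.*", "ORG_IT_SB_NET_54"),
    (r"(ip|service) finger", "ORG_IT_SB_NET_61"),
    (r"ip identd", "ORG_IT_SB_NET_60"),
]
MAX_IDLE_SECONDS = 10 * 60  # ORG_IT_SB_NET_40 (console) and ORG_IT_SB_NET_50 (in-band)


def parse_sections(text):
    """Split a config into global lines and {section header: [indented sub-lines]}."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif raw[0].isspace() and current is not None:
            sections[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def idle_violation(sub_lines):
    """True when the idle timeout is switched off or longer than the baseline allows."""
    for sub in sub_lines:
        if sub == "no exec-timeout":
            return True
        match = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", sub)
        if match:
            seconds = int(match.group(1)) * 60 + int(match.group(2) or 0)
            return seconds == 0 or seconds > MAX_IDLE_SECONDS
    return False  # assumption: an unset timeout falls back to a 10-minute default


def audit(text):
    """Return sorted (guideline id, location) findings for the checks above."""
    global_lines, sections = parse_sections(text)
    findings = set()
    for line in global_lines:
        for pattern, rule in GLOBAL_FORBIDDEN:
            if re.fullmatch(pattern, line):
                findings.add((rule, line))
    for header, subs in sections.items():
        if header.startswith("interface ") and "ip directed-broadcast" in subs:
            findings.add(("ORG_IT_SB_NET_65", header))
        if header.startswith("line con") and idle_violation(subs):
            findings.add(("ORG_IT_SB_NET_40", header))
        if header.startswith("line vty"):
            if idle_violation(subs):
                findings.add(("ORG_IT_SB_NET_50", header))
            if not any(re.fullmatch(r"access-class \S+ in", s) for s in subs):
                findings.add(("ORG_IT_SB_NET_46", header))
    return sorted(findings)


if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG):
        print(f"{rule}: {where}")
```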
1.8.5. ICMP Exploits
[ORG_IT_SB_NET_66]: ICMP access restricted to legitimate stations for management
and investigative routines
1.8.6. Logging Integrity – NTP
[ORG_IT_SB_NET_67]: Network Time Protocol servers to be defined on the premise router
[ORG_IT_SB_NET_68]: All internal routers should be configured to use premise router
for time synchronization
1.8.7. SNMP Service
[ORG_IT_SB_NET_69]: SNMP access to router should be allowed only from
authorized internal IP addresses.
[ORG_IT_SB_NET_70]: SNMP should be blocked at all external interfaces.
[ORG_IT_SB_NET_71]: SNMP service should only operate in a read only mode.
1.8.8. Packet Filtering and Logging
[ORG_IT_SB_NET_72]: Ingress & egress packet filters to be activated for traffic
restriction for all ports and protocols.
[ORG_IT_SB_NET_73]: The ingress ACL filtering packets should be bound to the external
interface and the egress ACL filtering packets to the internal interface, both in an
inbound direction.
1.8.8.1. Inbound Traffic
[ORG_IT_SB_NET_74]: Premise router to be restricted from accepting inbound packets with
an internal IP address, any local host loopback address, the link-local IP address range,
IANA unallocated addresses or any reserved private addresses in the source field.
1.8.8.2. Outbound Traffic
[ORG_IT_SB_NET_75]: Router to be restricted, through an applied egress packet filter, from
accepting any outbound IP packet containing an illegitimate address in the source address field.
1.8.8.3. SYN Flood Attack
[ORG_IT_SB_NET_76]: A router feature to be implemented to protect servers from a TCP
SYN flood attack originating from an outside network.
1.8.9. ICMP Message Types & Trace‐route facility
[ORG_IT_SB_NET_77]: Inbound ICMP messages to be blocked except 'Echo Reply' & 'Time
Exceeded'. ICMP message type 3, code 4 would be permitted inbound and should be
denied at the outbound.
[ORG_IT_SB_NET_78]: Inbound trace‐route should be blocked in order to prevent
network discovery by unauthorized users
1.8.9.1. Distributed Denial of Service Attacks
[ORG_IT_SB_NET_79]: Distributed denial of service attack ports blocked for known
signatures.
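An added example, not part of the original guideline: a reference model of the address and ICMP rules in ORG_IT_SB_NET_11, ORG_IT_SB_NET_74, ORG_IT_SB_NET_75 and ORG_IT_SB_NET_77, which yields the expected permit/deny result for a set of probe packets so the deployed ACL can be compared against the written policy. The site block, the list of special-purpose source ranges and the probe packets are constructed for illustration; a "legitimate" outbound source is assumed to mean an address inside the site block, and the model covers IPv4 only.

```python
import ipaddress

# Assumption: a documentation prefix stands in for the site's registered address block.
SITE_BLOCK = ipaddress.ip_network("198.51.100.0/24")

# Source ranges named in ORG_IT_SB_NET_74. Constructed list of fixed special-purpose
# blocks; documentation prefixes are left out so they can serve as sample addresses.
BOGON_SOURCES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("reserved", ipaddress.ip_network("0.0.0.0/8")),
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),
]

# ORG_IT_SB_NET_77: (type, code) pairs allowed inbound; None matches any code.
# Echo Reply, Time Exceeded, and type 3 code 4.
ICMP_INBOUND_ALLOWED = [(0, None), (11, None), (3, 4)]


def icmp_inbound_allowed(icmp_type, icmp_code):
    """True when the ICMP type/code pair is on the inbound allow list."""
    return any(t == icmp_type and c in (None, icmp_code)
               for t, c in ICMP_INBOUND_ALLOWED)


def check_inbound(src, dst, icmp=None):
    """Decide a packet arriving on the external interface; icmp is (type, code) or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in SITE_BLOCK:
        return ("deny", "ORG_IT_SB_NET_74: internal source")
    for label, net in BOGON_SOURCES:
        if src_ip in net:
            return ("deny", f"ORG_IT_SB_NET_74: {label} source")
    if dst_ip not in SITE_BLOCK:
        return ("deny", "ORG_IT_SB_NET_11: destination outside site block")
    if icmp is not None and not icmp_inbound_allowed(*icmp):
        return ("deny", "ORG_IT_SB_NET_77: ICMP type not allowed inbound")
    return ("permit", "passed all inbound checks")


def check_outbound(src, icmp=None):
    """Decide a packet leaving the site; a legitimate source is one inside SITE_BLOCK."""
    if ipaddress.ip_address(src) not in SITE_BLOCK:
        return ("deny", "ORG_IT_SB_NET_75: illegitimate source")
    if icmp == (3, 4):
        return ("deny", "ORG_IT_SB_NET_77: type 3 code 4 denied outbound")
    return ("permit", "passed all outbound checks")


# Constructed probe packets: (direction, source, destination, icmp).
PROBES = [
    ("in", "203.0.113.9", "198.51.100.10", None),
    ("in", "198.51.100.7", "198.51.100.10", None),
    ("in", "10.1.2.3", "198.51.100.10", None),
    ("in", "169.254.10.1", "198.51.100.10", None),
    ("in", "203.0.113.9", "192.0.2.5", None),
    ("in", "203.0.113.9", "198.51.100.10", (8, 0)),
    ("in", "203.0.113.9", "198.51.100.10", (3, 4)),
    ("out", "198.51.100.10", "203.0.113.9", None),
    ("out", "192.168.1.20", "203.0.113.9", None),
    ("out", "198.51.100.10", "203.0.113.9", (3, 4)),
]


def expected_actions():
    """Return the action the policy expects for each probe, in order."""
    actions = []
    for direction, src, dst, icmp in PROBES:
        if direction == "in":
            verdict = check_inbound(src, dst, icmp)
        else:
            verdict = check_outbound(src, icmp)
        actions.append(verdict[0])
    return actions


if __name__ == "__main__":
    for probe, action in zip(PROBES, expected_actions()):
        print(action, probe)
```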
1.8.10. Logging
[ORG_IT_SB_NET_80]: Denied attempts to a port, protocol or service to be logged.
[ORG_IT_SB_NET_81]: Router logs to be deposited to a SYSLOG server.
1.8.11. Configuration Management
1.8.11.1. Logistics for Configuration Management
[ORG_IT_SB_NET_82]: On saving and/or loading configuration, ensure that the running
and startup device configurations are synchronized
[ORG_IT_SB_NET_83]: Ensure that the device current & last configuration is stored in a
secured location.
[ORG_IT_SB_NET_84]: System storing device configuration files should employ local OS
security mechanisms
[ORG_IT_SB_NET_85]: Only authorized personnel given access to the stored device
configuration files
[ORG_IT_SB_NET_86]: TFTP server residing on a server in a controlled LAN to be used
to backup and restore OS & configuration on the device.
1.8.11.2. Router Change Management
[ORG_IT_SB_NET_87]: Changes & updates to be routinely documented
[ORG_IT_SB_NET_88]: Approved activity forms should be used to aid in recording the
audit trail of the change request
[ORG_IT_SB_NET_89]: Electronic copies of configurations should be maintained at a
secure & documented shared location
[ORG_IT_SB_NET_90]: Change request process, from request to approval, to be restricted to
authorized personnel only.
1.9. Switches and VLAN
1.9.1. Wiring Architecture
[ORG_IT_SB_NET_91]: Switches (access, distribution and core) and associated
cross-connect equipment should be installed in a perforated cabinet & kept locked.
1.9.2. Switch Accounts & Passwords
[ORG_IT_SB_NET_92]: Authentication server to be used for administrative access.
[ORG_IT_SB_NET_93]: Besides the administrative accounts on the authentication
server, one account should be defined locally on the switch for emergency use.
[ORG_IT_SB_NET_94]: Each user should use their account (with username and
password) for switch access.
[ORG_IT_SB_NET_95]: User accounts should be built in accordance with the least
privilege criterion.
[ORG_IT_SB_NET_96]: Accounts that are no longer valid for usage should be
immediately removed from the authentication server & the switch.
[ORG_IT_SB_NET_97]: Passwords not viewable in plain‐text in the switch configuration.
1.9.3. Switch Administrative Access
[ORG_IT_SB_NET_98]: It should be assured that all management connections to the
switch are protected through passwords.
[ORG_IT_SB_NET_99]: Console port to be configured to time out after a 10-minute
inactive period.
[ORG_IT_SB_NET_100]: Modems to be kept disconnected from console or auxiliary ports;
the latter should be kept disabled.
[ORG_IT_SB_NET_101]: In‐band switch management sessions should only be allowed
from authorized IP addresses from the internal network.
[ORG_IT_SB_NET_102]: Access to the switch to be locked‐out after 03 consecutive
unsuccessful attempts
[ORG_IT_SB_NET_103]: Inactive timeout for in‐band management access to be kept
at 10 minutes
[ORG_IT_SB_NET_104]: Access control at VTY ports to record logs for permitted and
denied access attempts.
1.9.4. Virtual Local Area Network
1.9.4.1. Management VLAN & VLAN 1
[ORG_IT_SB_NET_105]: VLAN1 (management VLAN) not to be used for user & in-band
management traffic. Dedicated VLANs to be used, keeping management traffic
separate from user data and control traffic.
[ORG_IT_SB_NET_106]: Management VLAN not to include any trunk or access port
1.9.4.2. VLAN Trunk
[ORG_IT_SB_NET_107]: Trunking feature to be kept disabled on all access ports; ports
marked as trunk to be kept in a dedicated VLAN.
[ORG_IT_SB_NET_108]: Access ports not to be assigned to a dedicated trunk VLAN.
1.9.4.3. Departmental VLAN
[ORG_IT_SB_NET_109]: Departmental entities to be kept in a separate L-2/L-3 VLAN as
applicable. Inter-department access to be allowed on request.
1.9.4.4. VLAN Access – Port Authentication & Security
[ORG_IT_SB_NET_110]: Disabled ports to be placed in an unused VLAN.
[ORG_IT_SB_NET_111]: Compliance with either port‐security or 802.1X port
authentication for all access ports. :: Trunk ports shouldn’t be MAC based
[ORG_IT_SB_NET_112]: MAC addresses should be statically configured on all access
ports for Port Security implementation.
1.9.4.5. Port Authentication – 802.1X
[ORG_IT_SB_NET_113]: When utilizing 802.1X, a secure EAP type should reside on the
authentication server and within the OS or application software on client devices
[ORG_IT_SB_NET_114]: 802.1X port authentication implementation requires all access
ports to start in an unauthorized state.
[ORG_IT_SB_NET_115]: Re-authentication should commence as per a decided clipping
level for 802.1X port authentication.
1.10. Remote User Access
1.10.1. Administrative Access
[ORG_IT_SB_NET_116]: Remote administration using Telnet, TN3270, TNVT or other
terminal emulated programs to be available with AAA services.
[ORG_IT_SB_NET_117]: Remote access requests to originate within the campus network and
from an approved IP station
[ORG_IT_SB_NET_118]: Remote users to use two-factor authentication to access the
network for device and/or server administration
[ORG_IT_SB_NET_119]: Remote access infrastructure, including authentication
server, RAS, NAS and VPN gateway, to log events (session connectivity,
termination, user-id, IP credentials, session success and/or failure) for all sessions.
[ORG_IT_SB_NET_120]: Inactive sessions to be auto-disconnected after 30 minutes
of idle time
1.10.2. Logging Management
[ORG_IT_SB_NET_121]: Audit logs for remote access server authentication to be
maintained for a period of 30‐days (on‐line) and 01 year off‐line.
[ORG_IT_SB_NET_122]: Audit trails & logs to be reviewed per an agreed periodic
frequency.
1.10.3. Dial‐up Communication
[ORG_IT_SB_NET_123]: Administration and/or management to be carried out through a
PSTN based dial-up connection.
[ORG_IT_SB_NET_124]: User located outside the fiber connected campus to access
using dial‐up connection or a fiber based (last mile UTP/cat‐6) broadband.
[ORG_IT_SB_NET_125]: Users can connect to the organization one user at a time.
[ORG_IT_SB_NET_126]: Users to comply with organization recommendation on
hardware, software and environmental requirements
[ORG_IT_SB_NET_127]: Users to use a PPP based asynchronous dial‐up connection
[ORG_IT_SB_NET_128]: Regional customer‐network‐support to be equipped with dial‐up
testing account at their disposal given a limited connection time and no caller line
identification check.
1.10.4. Remote Access Server
[ORG_IT_SB_NET_129]: Access servers to be provisioned with digital dial‐in only facility
using ISDN primary rate interface
[ORG_IT_SB_NET_130]: Remote access server to be installed in a de‐militarized zone or
a screened subnet and given necessary protection.
[ORG_IT_SB_NET_131]: Management access to RAS devices to be secured using FIPS
140‐2 validated encryption algorithms including AES, 3DES, SSH etc.
[ORG_IT_SB_NET_132]: Management to be restricted to approved authorized IP
addresses.
[ORG_IT_SB_NET_133]: Administrative procedures for device management & access as
highlighted for routers would hold true for a RAS as well.
1.11. Remote Client to VPN Gateway
[ORG_IT_SB_NET_134]: VPN gateways should terminate on or outside of the firewall.
[ORG_IT_SB_NET_135]: Remote access through VPNs to be running a standard security
framework, encryption and integrity algorithms
1.12. Network Management and Support Services
1.12.1. Network Management
[ORG_IT_SB_NET_136]: SNMP community strings used should be other than the system
default parameters. The values should be changed as per an expiry time.
[ORG_IT_SB_NET_137]: IPSec should be used to provide integrity for the traffic
between the network management workstation and all monitored devices.
[ORG_IT_SB_NET_138]: SNMP version-3 'Security Model' with MD5 packet
authentication & DES for PDU to be used.
[ORG_IT_SB_NET_139]: Only monitoring status to be retrieved through SNMP. Write privileges
should be kept disabled at the device & at the NM server end.
[ORG_IT_SB_NET_140]: In case privileged as well as non-privileged modes are used,
different community names should be employed for read-only & read-write access.
[ORG_IT_SB_NET_141]: Security alarms should be set up for the managed
network's framework with following inclusions:
o Integrity Violation: Unauthorized modification, deletion or addition to the
network configuration.
o Operational Violation: Unauthorized usage of an object or service.
o Physical Violation: Physical part damage & / modification without
authorization.
o Security Mechanism Violation: Indicates that the network's security system
has been compromised or breached.
o Time Domain Violation: Event occurrence outside the parameterized allowed
or typical time slot.
[ORG_IT_SB_NET_142]: Event alarms (major, critical, minor, warning, and indeterminate)
should be categorized with respect to severity.
1.12.2. Network Management (NM) Station
[ORG_IT_SB_NET_143]: NM server station should be located in a secure environment.
[ORG_IT_SB_NET_144]: Only necessary accounts for network management operations
should be created & maintained.
[ORG_IT_SB_NET_145]: Active record should be maintained for all actions / transactions
done or processed by the management station, including time logged in and out,
devices that were accessed and modified, and other performed activities.
[ORG_IT_SB_NET_146]: Access to be restricted to authorized users with user‐ID &
passwords.
[ORG_IT_SB_NET_147]: Management connections to NM station should be restricted to
authorized IP address.
[ORG_IT_SB_NET_148]: Monitored devices to be configured to provide response to the
authorized NMS station.
[ORG_IT_SB_NET_149]: NM station would be governed under the domain policy for
server machines. Accounts maintained on the NM station should be given adequate
rights to carry out the task justly.