Firewall Hardening Guidelines
1. Don't assume your firewall is the answer to your network security.
2. Install the latest IOS and apply updates properly.
3. The firewall shall have a hostname configured.
4. Ensure that the device has enough memory to install the new IOS.
5. Passwords shall comply with the password policy.
6. Ensure that the console port is password protected.
7. Ensure that the console has an appropriate timeout.
8. Ensure that the console limits authentication retries.
9. Ensure that the auxiliary port is password protected (wherever required).
10. Shut down the Ethernet ports that are not in use.
11. Other unwanted or non-business-related ports should be closed.
12. Disable Telnet access; use SSH version 2 instead.
13. Disable HTTP access; use HTTPS instead.
14. Disable SNMP version 1; use SNMP version 2 or 3 instead.
15. The SNMP community string should be strong.
16. ACLs should not permit packets from any source to any destination on any service.
17. All ACL rules have a rule ID assigned.
18. VPNs shall be configured with strong encryption ciphers.
19. Ensure that there is a rule blocking ICMP echo requests and replies.
20. Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.
21. Unwanted rules should be deleted.
22. Use SSL version 3 only.
23. NTP authentication should be enabled.
24. A warning login banner should be configured.
25. Syslog should be configured with encryption.
26. Proxy ARP should be disabled.
27. Use user EXEC mode (for normal users) and configuration mode (for administrators) on the firewall so that the two levels of access are authenticated separately.
28. Users shall log in with their individual username and password, with an assigned privilege level.
29. All logs shall be sent to the appropriate person and reviewed periodically.
30. Periodically check whether the backup firewall is working properly.
31. Check that vulnerability assessments are carried out periodically to ensure that the firewall is secure.
32. Ensure that the ruleset complies with the organization's security policy.
33. Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked:
    Standard unroutables: 255.255.255.255, 127.0.0.0
    Private (RFC 1918) addresses: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
    Reserved addresses: 240.0.0.0
    Illegal addresses: 0.0.0.0
    UDP echo
    ICMP broadcast (RFC 2644)
    Ensure that traffic from the above addresses is not transmitted by the interface.
34. If FTP is a requirement, ensure that the server which supports FTP is placed in a different subnet from the internal protected network.
35. Ensure that there is a rule specifying that only traffic originating from IPs within the internal network is allowed. Traffic with IPs other than those of the internal network is to be dropped.
36. Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources.
37. Anti-spoofing filters shall block private addresses and internal addresses appearing from the outside.
38. No Internet access from the inside zone; all publicly exposed servers should be placed in the DMZ with restricted access.
39. Generate a complex password for the pre-shared key of the site-to-site VPN.
40. Configure NAT table and connection table timeouts.
41. Allow only specific IPs/subnets remote login (SSH) access to the firewall.
42. Review all NAT and ACL entries to identify unused entries.
43. Review the remote VPN (RVPN) usernames and delete those that are no longer valid.
44. Restrict remote VPN access to the specific server IPs and ports required.
45. Configure the IPS in inline mode to inspect all traffic passing through the firewall, including VPN traffic (bind the policy on each interface).
46. Update IPS signatures regularly/automatically.
47. A backup should be taken whenever changes are made to the firewall.
48. Default usernames and passwords shall be removed from the firewall.
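As an added example (not part of the checklist above), the following Python script audits a simplified ruleset against items 16, 17 and 33: it flags rules without an ID, any/any/any permits, and outside-interface rules that permit, or fail to deny, the source ranges listed in item 33. The rule format, the interface names and the sample rules are constructed for this example and do not follow any vendor's syntax.

```python
import ipaddress

# Source ranges that item 33 of the checklist says must be blocked on the
# outside interface: standard unroutables, RFC 1918, reserved, illegal.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in (
    "255.255.255.255/32", "127.0.0.0/8",                # standard unroutables
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 private
    "240.0.0.0/4",                                      # reserved
    "0.0.0.0/8",                                        # illegal
)]

def _net(addr):
    # "any" means the whole IPv4 space; anything else is a host or CIDR.
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else addr, strict=False)

def audit_rules(rules):
    """Check rules against checklist items 16, 17 and 33 (order-insensitive).

    Rule keys (a constructed format, not any vendor's syntax): id, iface
    ("outside"/"inside"), action ("permit"/"deny"), src, dst, service.
    Returns (rule_id, finding) tuples; an empty list means all three pass."""
    findings, outside_denies = [], []
    for rule in rules:
        rid = rule.get("id") or "<no id>"
        if not rule.get("id"):
            findings.append((rid, "item 17: rule has no rule ID"))
        if rule["action"] == "permit" and rule["src"] == rule["dst"] == rule["service"] == "any":
            findings.append((rid, "item 16: permits any source to any destination for any service"))
        if rule["iface"] != "outside":
            continue
        src = _net(rule["src"])
        if rule["action"] == "deny":
            outside_denies.append(src)
        else:
            for blocked in BLOCKED_SOURCES:
                if src.overlaps(blocked):
                    findings.append((rid, f"item 33: permits inbound traffic from blocked range {blocked}"))
    # Item 33 also needs every blocked range covered by a deny on the outside interface.
    for blocked in BLOCKED_SOURCES:
        if not any(blocked.subnet_of(d) for d in outside_denies):
            findings.append(("<ruleset>", f"item 33: no outside deny rule covers {blocked}"))
    return findings

# Constructed sample ruleset (not from the checklist) that trips each check at least once.
SAMPLE_RULES = [
    {"id": "10", "iface": "outside", "action": "deny", "src": "10.0.0.0/8", "dst": "any", "service": "any"},
    {"id": "20", "iface": "outside", "action": "deny", "src": "192.168.0.0/16", "dst": "any", "service": "any"},
    {"id": "30", "iface": "outside", "action": "permit", "src": "172.16.5.0/24", "dst": "203.0.113.10", "service": "tcp/443"},
    {"id": "", "iface": "inside", "action": "permit", "src": "any", "dst": "any", "service": "any"},
]
```

Running `audit_rules(SAMPLE_RULES)` reports the missing rule ID, the any/any/any permit, the permit from 172.16.0.0/12 on the outside interface, and the five item-33 ranges that no outside deny covers.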