By Kes Jecius, RedSeal Senior Consulting Engineer
The Center for Internet Security’s (CIS) eleventh control for implementing a cybersecurity program is for your organization to actively track, report on, and correct the security configurations for network devices. This involves the use of a configuration management system and robust change control processes. What has been missing is a common set of network device security configurations standards that can be utilized by network and security teams.
As a networking professional for over 30 years, I understand the need to consistently and securely configure network devices. I built “golden templates” to make sure that any time I added a new device, it is configured the same as the last one. I utilized my own knowledge base and vendor recommendations for how to configure these network devices. Sound familiar?
But, network manufacturers frequently provide software updates to add new features, correct bugs, and address identified security holes in their networking devices. How often do we go back to update golden templates and check existing network devices when we install a new software version or use a new feature? In my experience, rarely. Network operations teams are too busy addressing access requirements and network-related support tickets. Checking existing configurations for correctness becomes a summer intern’s job.
Then, the security group starts the important work of establishing policies for how to secure information within your enterprise. Because network devices are part of the security infrastructure, the security analyst starts asking questions of the network operations teams and the divide between groups becomes apparent. The networking teams are addressing access requirements and tickets. They just don’t have the manpower to address the security analyst’s concerns.
To help bridge this internal divide, organizations are turning to security frameworks to allow teams to understand both sides of the equation. A very useful framework comes from CIS. CIS provides CIS Benchmarks, a set of configuration guidelines for the most common networking devices and platforms. These benchmarks have been developed by both security and networking professionals as minimum configuration security standards. Network teams can establish projects to update golden templates and then address security configuration issues on individual devices. By using the CIS Benchmarks, security teams have a set of standards to run an audit of network device configurations — and assess the overall risk to the enterprise when device configurations don’t match the standards.
Federal government agencies have done this for many years using DISA STIGs (Security Technical Information Guides). CIS Benchmarks are similar to these standards, but the Department of Defense has security requirements that are different from many commercial organizations.
As a single project, reconfiguring many networking devices is a challenge. You’ll need to make these security standards part of the existing golden templates and then integrate them with the on-going change management processes. It will take some time to fully migrate to these standards. Consider smaller projects that address a portion of the CIS Benchmarks so you can demonstrate tangible improvements more quickly.
Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding the networking environment and helping to identify network devices that do not meet minimum recommended network device configuration standards. Whether you utilize CIS Benchmarks, STIGs, or some other established standard, make sure that these controls receive some attention in your overall cybersecurity strategy.
Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.