The Network Infrastructure Security Technical Implementation Guide (STIG) covers securing an internetworking device such as a router or a switch. It is a good source of knowledge for securing a system based on security best practices.
The guide is divided by device type into Infrastructure and Perimeter devices.
- The Infrastructure device is the common intermediary node within an autonomous system (AS).
- The Perimeter device is the outermost edge device.
It is also divided further by Router and L3 Switch type.
- Router: the traditional layer 3 device (OSI model layer 3, the Network layer), running routing protocols such as BGP, OSPF and RIP.
- Layer 3 (L3) switch: a high port density Ethernet device that operates at layer 2 (the Data Link layer) and also supports layer 3 functionality (routing).
The checklist covers many security aspects. The identification associated with each check further categorizes it. General checks take the form NETxxxx, where x represents a numerical value; the other families carry a descriptive tag, as listed below for each device type.
Infrastructure Router
- NETxxxx – General network security configuration checks.
- NET-IPV6-xxx – IPv6 related security configuration checks.
- NET-TUNL-xxx – VPN or tunnel related security configuration checks.
- NET-MCAST-xxx – Multicast related security configuration checks.

Perimeter Router
- NETxxxx – General network security configuration checks.
- NET-IPV6-xxx – IPv6 related security configuration checks.
- NET-TUNL-xxx – VPN or tunnel related security configuration checks.
- NET-MCAST-xxx – Multicast related security configuration checks.

Perimeter L3 Switch
- NETxxxx – General network security configuration checks.
- NET-IPV6-xxx – IPv6 related security configuration checks.
- NET-TUNL-xxx – VPN or tunnel related security configuration checks.
- NET-MCAST-xxx – Multicast related security configuration checks.
- NET-NAC-xxx – Network Admission Control related security configuration checks.
- NET-SRVFRM-xxx – Server Farm related security configuration checks.
- NET-VLAN-xxx – Virtual LAN related security configuration checks.

Infrastructure L3 Switch
- NETxxxx – General network security configuration checks.
- NET-IPV6-xxx – IPv6 related security configuration checks.
- NET-TUNL-xxx – VPN or tunnel related security configuration checks.
- NET-MCAST-xxx – Multicast related security configuration checks.
- NET-NAC-xxx – Network Admission Control related security configuration checks.
- NET-SRVFRM-xxx – Server Farm related security configuration checks.
- NET-VLAN-xxx – Virtual LAN related security configuration checks.

L2 Switch
- NETxxxx – General network security configuration checks.
- NET-NAC-xxx – Network Admission Control related security configuration checks.
- NET-VLAN-xxx – Virtual LAN related security configuration checks.
The Network Infrastructure STIG is freely available from: http://iase.disa.mil/stigs/net_perimeter/network_infra/routers_switches.html
