DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

Router Configuration Standard

Version 1.1

Revision History:

Version Date Revision Author Summary of change

1.0 Dec 29, 2020 Mahammad Harif Initial Draft
Shaik
1.1 Aug 29, 2022 Naresh Kambam Annual Review

Approval History:

Name Title Date Signature

Tony Jurica Sr. Director Cloud Sept 09, 2022
Solutions (acting CISO)

Released Date Sept 12, 2022

Router Configuration Standard Confidential Page 1

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

Table of Contents
1. Scope.................................................................................................................................................... 3
2. General Router Requirements ............................................................................................................. 3
2.1 Router Deployment ....................................................................................................................... 3
2.2 Traffic Mediation........................................................................................................................... 3
2.3 Router Configuration ..................................................................................................................... 3
2.4 Router Change Control .................................................................................................................. 4
2.5 Router Properties........................................................................................................................... 4
2.6 Authentication ............................................................................................................................... 4
2.7 Network Information ..................................................................................................................... 5
2.8 Filtering .......................................................................................................................................... 5
2.9 Failover........................................................................................................................................... 5
2.10 Backup.......................................................................................................................................... 6
3. Router Installation ............................................................................................................................... 6
3.1 Installation ..................................................................................................................................... 6
3.2 Operating System Configuration ................................................................................................... 6
3.3 Authorized Administration ............................................................................................................ 6
3.4 Testing the router .......................................................................................................................... 7
4. Router Logging and Alerting ................................................................................................................ 7
4.1 Terminating a Session .................................................................................................................... 7
4.2 Multiple Alerting Capabilities - ...................................................................................................... 7
5. Router Administration ......................................................................................................................... 8
5.1 Assigned Administrators (ISO/IEC 27001:2013 A.6.1.2.) ............................................................... 8
6. Time Synchronization .......................................................................................................................... 8
7. Review of Router Configuration ........................................................................................................... 8
8. Router Maintenance ............................................................................................................................. 8
8.1 Education and Training .................................................................................................................. 8
8.2 Administrative Requirements ........................................................................................................ 9
9. Reporting Router Security Problems .................................................................................................... 9

Router Configuration Standard Confidential Page 2

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

1. Scope

This standard was developed to provide the primary building blocks for
implementation of a uniform standard for routers at all Voxai Solutions locations. The
requirements specified in this standard must be strictly followed to ensure success of
this globalization effort. Organizations within Voxai Solutions shall cooperate to
ensure compliance with the requirements of this standard.

2. General Router Requirements

2.1 Router Deployment

• Routers must be housed in a physically secure location. All routers must be

hardened as per the business requirements.
• The deployment of routers must comply with and satisfy the requirements of
standards implemented by the Voxai Solutions Information Security Policy.

2.2 Traffic Mediation

All traffic coming from or going to addresses associated with networks interfaced to
the router must be mediated by the router. Only authorized traffic must be allowed
to pass through the routers.

Install DMZ to control network traffic entering and leaving the network and
crossing security boundaries.

Establish and protect internal enclaves as required to protect sensitive data by

establishing internal security control points using a router.

2.3 Router Configuration

• IP spoofing must be prevented by adequate controls.

• All unnecessary ICMP traffic must be dropped.
• The router must be configured based on documented guidelines and
procedures to resist penetration from internal and external attacks. Any
new configuration request must follow Voxai Solutions’ change
management procedure.
• For a list of trusted users, the administrator can separately allow secure
shell (SSH) access to router CLI, and HTTPS or SSL access to the router’s

Router Configuration Standard Confidential Page 3

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

browser-based interface. Remote access features can be used for collecting

system information and performing additional configuration, but not to
manage or install router policies.
• Manually shut down all the services that are not required by the business.
• Router passwords must be stored (e.g., in router configuration files) in a
secured form (such as MD5 Encryption or protected file). These passwords
must be changed at pre-determined frequencies.
• Configure routers properly to help resist attacks and to ensure the
integrity and confidentiality of the network traffic.

2.4 Router Change Control

(ISO/IEC 27001:2013 A.12.1.2)

Any change to the router configuration or router infrastructure must be documented

and should be in accordance with the Voxai Solutions’ change management procedure
to include:

- Approval of router change / network connection from authorized personnel

➢ Every change to router configuration must be approved by authorized
personnel and approval must be documented formally.

- Testing all network connections and changes to the router’s configuration (This is
to prevent security problems caused by misconfiguration of the network or
router. Without formal approval and testing of changes)
➢ Network Administrator / Router Administrator must test every change to
router configuration / network connection to ensure it functions as per
business requirement and securely configured to prevent any security
problems. All the results for testing network connections and changes to
the router configuration must be documented formally.

2.5 Router Properties

The router’s rule base structure must support an “Explicit Deny statements to deny
all the requests except those specifically permitted” design policy.

2.6 Authentication

• All routers on the LAN / WAN must require a user to enter a login ID and
password to gain access to the command prompt through an encrypted session
like SSH.

Router Configuration Standard Confidential Page 4

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

• All remote users must be authenticated via a secure method at the router
before being granted access to internal network resources.
• Terminal Timeout must be configured.
• If using external authentication (Radius/ Active Directory / SSO), Password
policy must be enforced.
• Passwords must be changed every 90 days on all routers.
2.7 Network Information

• Appropriate login banners must be implemented on all routers.

• When used - the router must be configured with NAT mechanism to protect
any internal network information to be exposed through queries from external
devices.

2.8 Filtering

The router must be capable of employing filtering techniques used to permit or deny
services, applications, and protocols to specified network addresses as needed. The
router shall provide user interface for the configuration of filtering based on relevant
attributes, such as, source and destination IP address, protocol type, source and
destination TCP/UDP port, and inbound or outbound interface.

Inbound traffic filtering must be configured based on configuration guidelines, to

include blocking based on the following.

• Traffic from a non-authenticated source system with a destination address

of the router.
• Traffic containing ICMP traffic.
• Non-IP traffic

2.8.1SNMP Rules

• All routers being monitored via SNMP must have non-default SNMP
community strings.
• Routers not being monitored via SNMP must have SNMP disabled.
2.9 Failover

All internet facing routers or routers executing critical processes must be

configured with failover and load balancing for high availability and maximum
throughput capability.

Router Configuration Standard Confidential Page 5

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

2.10 Backup

• Backup of router configuration files must be taken before every change in

configuration.
• Router configuration files must be available only to authorized individuals.

3. Router Installation
3.1 Installation

The router must be installed on a dedicated platform as an appliance with a licensed

version of the recommended operating system (IOS in case of Cisco). The OS must
have all necessary patches installed.

3.2 Operating System Configuration

• Removal or disabling of unused network protocols, services, and

applications.
• Removal or disabling of unnecessary user accounts, e.g., Administrator and
Guest.
• Replacement of vendor passwords.
• Implementation of appropriate access controls.
• Configuration of audit logging controls.
• Application of all relevant operating system patches and releases.

NOTE: The configuration information of routers must be properly documented and

securely stored.

When configuring routers, the administration staff must consider the configuration
of other network infrastructure components such as firewalls, web servers, LAN
servers, etc. to ensure no adverse effect in their operation and configuration.

3.3 Authorized Administration

Only authorized administrators are allowed access to routers to set-up, maintain, and
modify security rules (ACL’s) / Routes on Voxai Solutions routers. Access to routers
must comply with the Voxai Solutions Authentication and Access Control Policy.

Router Configuration Standard Confidential Page 6

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

3.4 Testing the router.

• No test route statement should ever be tested on a production system.

• Never delete / modify any route statement in large complex network on a
production system.
• Every configuration / modification to the existing configuration must be
thoroughly tested offline.

4. Router Logging and Alerting

• Logging and auditing must be enabled.

• The audit logs of internet facing routers must be monitored on a daily basis
and a quarterly report on critical events must be submitted to IT Head/ Head
IT security.

• Event log information related to the traffic passing through the router must be
exportable to reporting and analysis tools.

• Event logs (audit trails) shall be available on demand online for analysis
purposes for a minimum period of 90 days. This period can be extended if
system resources allow sufficient storage area for the duration.

• Router event logs must be archived offline for at least 365 days (one year).
Event logs must be managed and maintained in a manner compliant with the
Voxai Solutions implemented audit and relevant standards for Information
Security.

4.1 Terminating a Session

The router must provide automatic facilities to terminate a single or multiple active
connection upon detection of intrusion. The router must also provide manual
facilities to terminate a single or multiple active connection by any authorized
administrator.

4.2 Multiple Alerting Capabilities -

The router shall provide integration of multiple administrator selectable alerting

options including paging, audible alarms, e-mail notification and Simple Network
Management Protocol (SNMP) traps for integration with third party SNMP-based
network management systems. Only secure versions of SNMP must be used.

Router Configuration Standard Confidential Page 7

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

5. Router Administration
5.1 Assigned Administrators (ISO/IEC 27001:2013 A.6.1.2.)

Physical and logical access to routers must be restricted only to assigned

administrators responsible for configuration and maintenance of the devices.

Group Name Role/ Responsibilities

Admin Group/ IT Administration and monitoring of the Router and

Operations Team other network components, such as switches

Tech User Group Back-end operations support, query management and

reporting

6. Time Synchronization

Routers must be synchronized against a Central Network Time Source (NTP) exists
at Voxai Solutions. This is to make sure events in the logs can be correlated
accurately.

7. Review of Router Configuration

Internet facing routers running configuration must be reviewed at least Quarterly

and routers which are confined to intranet routing must be reviewed Bi-annually.
Vulnerability assessment scans shall include scans of running configuration for
common configuration errors.

8. Router Maintenance
8.1 Education and Training

Proper and adequate training must be provided to all LAN, WAN, & Security
administrators to insure appropriate maintenance and administration of the router.

Router Configuration Standard Confidential Page 8

DocuSign Envelope ID: 6E64B722-8B5E-4DD5-9575-E9D38836B393

8.2 Administrative Requirements

Router administrators must maintain the router configuration continuously in

accordance with the Voxai Solutions business requirements and current policies.
Change management must be performed in a manner compliant with the
requirements of the Voxai Solutions software release processing and Change
Management Policy for Information Security.

9. Reporting Router Security Problems

The security monitoring group shall interface with router administrators for the
remediation of router security problems identified as a result of a security incident.

The Information Security Steering Committee is the owner of this document and is responsible for
ensuring that this policy document is reviewed in line with the review requirements stated above.

A current version of this document is available to all members of staff.

Router Configuration Standard Confidential Page 9