You can use this checklist in two ways. First, you can work through it when securing your routers. Second, you can use it as the basis for auditing the security of your routers.
If you are using this checklist to harden your routers, a good approach is to use the following three-step process:
1. Use the checklist to determine your routers’ current security level. Check off each item that has already been taken care of.
2. Review all items in the checklist that have not been checked off. For each item, determine how you are going to address that issue: secure it, leave it alone and accept the risk, or assign the risk to someone else (e.g., insurance).
3. Secure each item that you determined needs securing. For every other item, document why you are leaving it unsecured. It is important to list the risks associated with the item and to record why the risk can be ignored or how it is being assigned to someone else.
For example, if your network has two routers and one administrator, the cost associated with setting up an AAA server is probably not justifiable. Local usernames and passwords would be much more reasonable. Documenting these decisions and getting management to sign off on them helps to cover your tail when an incident occurs.
Auditing is a topic for a book unto itself and generally requires a higher skill level than hardening. When hardening a router, a sysadmin can usually turn off services ...