Acquiring, managing, and disposing of network devices

Overview

Securing a network against potential cyber threats may feel overwhelming. This guide outlines practical steps regarding the acquisition, management, and disposal of devices, aimed at minimizing the risk of successful cyber attacks.


Acquisition and Deployment of Network Devices

Proper acquisition and initial deployment of network devices are crucial to maintain the security of existing networks. If the security of devices or their initial configurations is not adequately safeguarded, unauthorized access might lead to future security breaches.

Equipment Procurement and Initial Preparation

All network equipment should be acquired from trusted sources to ensure authenticity. Proper preparations should be conducted in a suitable environment before integrating the equipment into the final network.

Equipment reuse is advisable only within similar customer environments. Examples include transforming a non-encrypting router into an encryption gateway, or moving an encryption endpoint from one section of an organization to another. Specific guidelines may be detailed in the Security Procedures for individual products.

On-Site Deployment

Equipment should be conveyed to the designated location through a method that ensures traceability. Whenever feasible, direct delivery to an identified individual is encouraged. Shipment should utilize tamper-evident packaging, which must be verified before deployment.

Occasionally, it may be required to store equipment away from the primary staging area, planning for future network service delivery. In such cases, items should be stored in environments similar to where they will ultimately be utilized, e.g., the same data center or logistics facility. Maintaining accurate storage records facilitates the acceptable redeployment of unused gear to other environments.

Initial Configuration and Registration

Depending on the VPN architecture and Public Key Infrastructure (PKI) in use, it is possible to centrally install an enrollment profile onto endpoint devices. Alternatively, a technician might have to deploy a specific initial configuration directly in the field for that particular setup. It’s critical to safeguard the integrity of the initial configuration in both scenarios.

Configuration documents and related materials must be created and stored in a controlled manner, ensuring audits for any modifications and limiting changes to authorized personnel. Deployment mechanisms should prevent unauthorized alterations, potentially through existing management frameworks or by utilizing protected digital signatures.

Upon device introduction to the network, an endpoint certificate may need to be generated and recorded in the corresponding PKI. This technical procedure should be reinforced by organizational protocols to ensure that only designated devices are permitted to enroll. For instance, prior documentation may be necessary in a work tracking system for a field technician to initiate the enrollment process.

Without well-defined processes, it becomes increasingly challenging to guarantee that only eligible devices access legitimate credentials, which amplifies the risk of unauthorized endpoints establishing secure connections with the network.


Managing Network Devices

While maintaining network security can seem intimidating, implementing simple measures can significantly deter potential attackers.

Device Information Security

Generally, endpoint configuration details are not sensitive, aside from private keys, passwords, and similar information. Protecting the integrity of this information is essential to ensure endpoints connect to the correct networks, thus preventing misconfiguration.

Establishment of Management Networks

We highly recommend developing a management network specifically for performing administrative tasks across all network devices.

  • Administration of network elements should solely originate from the management network or local management interfaces.
  • Management terminals must exclusively access system management resources and interfaces. They should be restricted from accessing other networks (such as the Internet) or opening unfiltered content (like emails or external file shares). For example, Internet browsing through a remote desktop session to a separate machine is permissible.
  • Access to the management network should be strictly regulated. Vendor and third-party access must not be default-enabled, but allowed on a case-by-case basis for limited timeframes, with checks ensuring only expected actions are performed.
  • Management activities must align with business processes allowing for effective audits, tracing any changes made to the responsible individual(s) and their reasons for such alterations.
  • Incorporating a qualified security architect during management network design will enhance the architecture against common threats and ensure the appropriate implementation of security measures.

Security Clearances for Management Staff

Individuals with unsupervised access to private keys across various devices or organizations are considered privileged and should undergo thorough background checks. This is crucial for engineers capable of modifying configurations or affecting services for multiple clients.

Personnel with management privileges should meet at least the BPSS level BS7858:2012, or an appropriate equivalent. Organizations might adopt enhanced security screening methods for highly privileged roles.

Device Management Practices

Management traffic must consistently be secured. Acceptable approaches for device management are encapsulated in their Security Procedures; however, as a general principle, management traffic should be encrypted, maintaining both its integrity and authentication, similar to user data it safeguards. IPsec, SSH, and TLS are viable options for ensuring this.

Traffic                           Protection recommended
Device management                 SSH/IPsec/TLS, ensuring cryptographic authentication of endpoints
CRL / OCSP                        N/A, since integrity is protected by design
Certificate enrollment protocols  Should occur over a dedicated management link

Where possible, management traffic should be distinct from data traffic, utilizing either physical or cryptographic separations. Device management should preferably occur over a separate physical or logical circuit to data traffic to minimize vulnerabilities and keep potential attackers from interfering with non-essential interfaces.

Administrative access credentials must be safeguarded, ensuring only individuals with legitimate needs can conduct management functions. Engineers should be restricted to accessing credentials for only the devices they oversee. If an engineer switches roles, access must be modified or revoked, and any management passwords or keys they previously possessed should be updated.

Systems that broker access to devices, so that engineers never need direct access to the privileged credentials themselves, are also acceptable.

Employees with privileged access should be monitored to confirm compliance with governing policies.

Device Maintenance Guidelines

Occasionally, it may be necessary to return endpoint devices or diagnostic reports (like crash logs) to the manufacturer for troubleshooting. However, there is a risk that such devices or information may inadvertently reveal user credentials, allowing unauthorized future network access.

It is advised that vendors should not receive direct remote access to endpoint devices; any such access, if necessary, must be brokered and strictly controlled through the management network.

Before returning a device or diagnostic info to a vendor, any associated credentials should be revoked or modified as needed. Completely erasing sensitive information from logs or devices may not be feasible, and overwriting may impede valuable investigations. It is critical to inform data owners from affected networks about the planned actions and protective measures for their data that might linger within devices or logs. They must consent that those measures are adequate and accept the potential release of their information.

Forming Management Connections

When establishing connections to endpoint devices from the management network, both technical and procedural safeguards are necessary to ensure the legitimacy of the device being accessed and to prevent potential interference. Ideally, this would rely on previously established cryptographic trust (e.g., through certificate exchanges or out-of-band validation of SSH fingerprints). Non-cryptographic methods should be avoided to mitigate man-in-the-middle attack risks.
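As an added illustration of the out-of-band SSH fingerprint validation mentioned above (example code, not part of the original guidance), the following Python reproduces OpenSSH's SHA256 fingerprint calculation and accepts a presented host key only when it matches a pinned value; the host name, key bytes and pinned list are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def key_line_for(raw_ed25519_public_key: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line: 'ssh-ed25519 <base64 blob> <comment>'."""
    if len(raw_ed25519_public_key) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_ed25519_public_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def openssh_fingerprint(key_line: str) -> str:
    """SHA-256 of the decoded key blob, shown as unpadded base64 like OpenSSH."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(host: str, presented_key_line: str, pinned: dict) -> bool:
    """Accept the presented key only if it matches the host's pinned fingerprint.

    Hosts with no pinned entry are rejected rather than trusted on first use.
    """
    expected = pinned.get(host)
    if expected is None:
        return False
    actual = openssh_fingerprint(presented_key_line)
    return hmac.compare_digest(actual.encode(), expected.encode())


# Constructed sample: 32 arbitrary bytes stand in for a gateway's ed25519 key.
SAMPLE_KEY_LINE = key_line_for(bytes(range(32)), "vpn-gw-01")

# Constructed pinned list. In practice the value is copied from the out-of-band
# record; here it is derived from the sample key so the demo is self-contained.
PINNED = {"vpn-gw-01.example": openssh_fingerprint(SAMPLE_KEY_LINE)}
```

The fingerprint string matches what `ssh-keygen -lf` prints for the same key line, so the pinned value can be checked directly against a device's console output.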


Decommissioning and Disposal of Network Devices

It is crucial that procedures for decommissioning and disposing of equipment do not unintentionally endanger information or networks. Devices providing security functions can retain sensitive data even when not powered. The aim is to ensure devices do not retain recoverable user information or reconnect to the secured network post-disposal.

The following guidelines should be applied to all equipment used in providing the encrypted network service:

  • All device-associated certificates (operational, management, and maintenance) should be revoked before disposal.
  • Any other credentials linked to a device ought to be modified or revoked as necessary.
  • The recommendations in our Secure Sanitization of Storage Media guide should be adhered to for any devices that have processed decrypted information.
  • Factory resets or wiping the device should be implemented as a standard precaution.

Specific Situations

Any equipment, like a VPN gateway, for which the NCSC has issued Security Procedures, should be decommissioned and disposed of according to that guidance. This generally involves performing a low-level wipe of configuration data stored on the device, followed by a reset to factory settings. Any credentials or certificates associated with the device must be revoked and modified as necessary.


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/acquiring-managing-and-disposing-network-devices
