User Manual
Checklist
Siemens
Application Note
Smart Infrastructure
Controls                                                                       Status
Implement physical and environmental security controls (for non-SGD clients)   ☐
Implement network separation                                                   ☐
Implement protective firewall rules                                            ☐
Implement operational security controls                                        ☐
Implement access control measures                                              ☐
Disable in all browsers the saving function for credentials                    ☐
Implement user management controls                                             ☐
Firewall
Assuming your firewall is deployed and filtering traffic as intended, keeping the
firewall's operating system patched and up to date is probably the most valuable
security precaution you can take.
Configure Strong & Non-Default Passwords
Ensure that all default and blank passwords are changed to suitably strong values.
At a minimum, we recommend a length of 10 characters, containing a mix of lowercase
and uppercase letters, numbers and special characters.
Ensure that passwords are not re-used between devices, and that where passwords
appear within configuration files they are stored in an encrypted, non-reversible form.
Enforce Local Account Lockouts
Enforcing account lockouts protects accounts against password guessing and
brute-force attacks. In combination with enforced password complexity, this reduces
the likelihood of an account being compromised by these techniques.
Restrict Access to Administrative Ports
Restricting access to administrative ports reduces the attack surface exposed by
the device. Access to administrative ports should be restricted to trusted interfaces
and/or IP addresses. By amending firewall rules it is possible to restrict access to
the web console of both the gateway and the management systems.
Disable Plain Text Protocols for Administrative Ports
Communication sent over plain text protocols can be sniffed by attackers. Check
Point offers a secure, encrypted alternative to every plain text protocol, such as
SSH instead of Telnet. Disabling plain text protocols is a quick win in terms of
improving security.
Configure Suitable Remote Management Access
In all likelihood, only authorized personnel in your IT department are required to
log in and remotely manage devices. For this reason, many firewalls can be
configured to restrict management access to specific interfaces, network ranges and
even individual IP addresses.
Use protocols that provide suitable authentication and encryption. Unencrypted
management protocols such as Telnet, TFTP, FTP, SNMP prior to version 3, and
HTTP should not be used.
Using HTTPS or SSH for management is highly recommended, preferably configured
to use strong ciphers.
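The three points above (restricting administrative ports to trusted interfaces, disabling plain text protocols, and allowing only encrypted remote management) can be checked mechanically against a device's listening services. The following is an added example written for this note, not Siemens or Check Point code; it assumes listener output in the column layout of `ss -tlnu` (the sample rows are constructed) and a caller-supplied list of trusted management networks in CIDR form.

```python
import ipaddress

# Plain-text management protocols the note says should not be used.
PLAINTEXT = {("tcp", 23): "Telnet", ("tcp", 21): "FTP", ("udp", 69): "TFTP",
             ("udp", 161): "SNMP v1/v2", ("tcp", 80): "HTTP"}
# Encrypted alternatives that may stay, but only on trusted interfaces.
ENCRYPTED = {("tcp", 22): "SSH", ("tcp", 443): "HTTPS"}

# Constructed sample in the column layout of `ss -tlnu`; not real output.
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    10.10.0.1:443      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

def parse_listeners(text):
    """Yield (proto, bound_ip, port) for each tcp/udp listener line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                                   # header or unknown row
        ip, _, port = fields[4].rpartition(":")
        ip = ip.strip("[]")                            # `[::]:22` -> `::`
        yield fields[0], ("0.0.0.0" if ip == "*" else ip), int(port)

def audit(text, mgmt_nets):
    """Return findings: plain-text services that should be disabled, and
    encrypted services not limited to the trusted management networks
    (mgmt_nets: list of CIDR strings, an assumption for this example)."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for proto, ip, port in parse_listeners(text):
        key = (proto, port)
        if key in PLAINTEXT:
            findings.append(f"disable {PLAINTEXT[key]} ({proto}/{port}) on {ip}")
        elif key in ENCRYPTED:
            addr = ipaddress.ip_address(ip)
            # 0.0.0.0 / :: means every interface, including untrusted ones.
            exposed = addr.is_unspecified or not any(addr in n for n in nets)
            if exposed:
                findings.append(f"restrict {ENCRYPTED[key]} ({proto}/{port}) on {ip}: "
                                "not limited to a management interface")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENERS, ["10.10.0.0/24"]):
        print(finding)
```

On the constructed sample the audit flags Telnet and SNMP for removal and SSH for restriction, while HTTPS bound to the management address passes.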