CIS Control 11: Secure Configuration for Network Devices such as Firewalls, Routers, and Switches


By Bill Minahan   |   March 29, 2021   |   0 Comments

What is CIS Control 11?

CIS Control 11 focuses on establishing, implementing, and actively managing (tracking, reporting on, and correcting) the security configuration of network infrastructure devices. This is done through a rigorous configuration management and change control process, so that attackers cannot exploit vulnerable services and settings.

The CIS Controls are a prioritized set of actions that protect your organization from the most pervasive cyber attacks. Version 7.1 of the Controls, current at the time of writing, contains 20 controls, ordered so that the most essential actions your organization can take come first and deliver the highest pay-off.

Why is this CIS Control Critical?

The CIS Controls are actionable guidance derived from the attacks actually seen in the field today, developed by consensus among security experts across a variety of sectors.

CIS Control 11 is critical because, in most cases, the default configurations of network infrastructure devices are geared towards ease of use and ease of deployment, not security.

For instance, open services and ports, default accounts (including service accounts) and passwords, support for older, vulnerable protocols, and unnecessary pre-installed software can all be exploited in their default state.

Managing the security configuration of network devices is therefore not a one-time action but an ongoing process of analysis and evaluation, covering not only the configuration items themselves but also the traffic flows the devices permit.

Often, attackers take advantage of network devices becoming less secure over time as users demand exceptions for specific business needs. In some cases the security risk of an exception is neither properly analyzed nor measured against the business need, and both the risk and the need can change over time.

Attackers search for vulnerable default settings, gaps, and inconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate defenses.

Furthermore, they exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept information while in transmission. Through these actions, the attacker is able to gain access to sensitive data, alter important information, and can even use a compromised machine to pose as another trusted system on the network.

As a result, it is critical to secure the configuration for network devices, such as firewalls, routers, and switches.

How to Implement CIS Control 11


Each row below is one sub-control, with its asset type and security function as classified in CIS Controls v7.1.

Sub-Control 11.1  Maintain Standard Security Configurations for Network Devices
    Asset Type: Network    Security Function: Identify
    Maintain documented security configuration standards for all authorized network devices.

Sub-Control 11.2  Document Traffic Configuration Rules
    Asset Type: Network    Security Function: Identify
    All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

Sub-Control 11.3  Use Automated Tools to Verify Standard Device Configurations and Detect Changes
    Asset Type: Network    Security Function: Detect
    Compare all network device configurations against the approved security configuration defined for each network device in use, and alert when any deviations are discovered.

Sub-Control 11.4  Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
    Asset Type: Network    Security Function: Protect
    Install the latest stable version of any security-related updates on all network devices.

Sub-Control 11.5  Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
    Asset Type: Network    Security Function: Protect
    Manage all network devices using multi-factor authentication and encrypted sessions.

Sub-Control 11.6  Use Dedicated Workstations for All Network Administrative Tasks
    Asset Type: Network    Security Function: Protect
    Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

Sub-Control 11.7  Manage Network Infrastructure Through a Dedicated Network
    Asset Type: Network    Security Function: Protect
    Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions to network devices.
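Two of the sub-controls above can be checked mechanically: 11.2 (every rule that permits traffic has a documented owner, business reason and expected end date) and 11.3 (compare each device's running configuration to its approved baseline and alert on any deviation). The script below is an added example written for this article; it is not code from the original page or from CIS. It uses constructed sample data in Cisco IOS-style syntax (a hypothetical device edge-fw-01, its approved baseline, a later pull of its running config, and a small rule register) and needs only the Python standard library. It also flags a few settings attackers look for, which a baseline comparison alone would miss if the baseline itself were weak.

```python
"""Drift, weak-setting and rule-documentation checks for a network device config.

Added example for this article, not code from the page or from CIS. All data is
constructed: a hypothetical device "edge-fw-01" in Cisco IOS-style syntax, its
approved baseline, a later running-config pull, and a sub-control 11.2 register.
"""
import re
from datetime import date

# Lines that change between pulls with nobody editing the config; not drift.
VOLATILE = re.compile(r"^ntp clock-period\b")

# Settings attackers look for, checked independently of the baseline.
WEAK_SETTINGS = {
    "telnet accepted on a vty line": re.compile(r"^line vty .* / transport input .*\btelnet\b"),
    "default SNMP community string": re.compile(r"^snmp-server community (public|private)\b"),
    "SSH protocol version 1 enabled": re.compile(r"^ip ssh version 1\b"),
    "cleartext HTTP management enabled": re.compile(r"^ip http server\b"),
}
# A permit rule: a numbered access-list line or an entry under a named ACL.
PERMIT_RULE = re.compile(r"^(?:ip access-list \S+ \S+ / )?(?:access-list \S+ )?permit\b")

BASELINE = """\
hostname edge-fw-01
ip ssh version 2
snmp-server community 7Hx9!kQ RO 10
!
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
 login local
ntp clock-period 17180010
"""
RUNNING = """\
hostname edge-fw-01
ip ssh version 2
ip http server
snmp-server community public RO
!
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.7 any eq 443
 permit tcp any host 10.10.5.20 eq 3389
 deny ip any any
line vty 0 4
 transport input ssh telnet
 login local
ntp clock-period 17180042
"""
# Sub-control 11.2: each permit rule needs an owner, a reason and an end date.
RULE_REGISTER = {
    "ip access-list extended MGMT / permit tcp 10.10.0.0 0.0.0.255 any eq 22":
        {"owner": "Network Engineering", "reason": "SSH from management subnet", "expires": "2099-12-31"},
    "ip access-list extended MGMT / permit tcp host 203.0.113.7 any eq 443":
        {"owner": "J. Doe", "reason": "vendor portal test", "expires": "2021-01-31"},
}


def normalize(config: str) -> set[str]:
    """Config as a set of 'parent / child' entries, so the same sub-command under
    two different parents (interfaces, ACLs, vty lines) is not conflated."""
    entries, parent = set(), ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!") or VOLATILE.match(line):
            continue  # blank, IOS comment/separator, or volatile line
        if line.startswith(" "):
            entries.add(f"{parent} / {line.strip()}")
        else:
            parent = line
            entries.add(line)
    return entries


def drift(baseline: str, running: str) -> dict[str, list[str]]:
    """Sub-control 11.3: entries present on only one side are deviations to alert on."""
    approved, actual = normalize(baseline), normalize(running)
    return {"added": sorted(actual - approved), "missing": sorted(approved - actual)}


def weak_settings(running: str) -> list[str]:
    """Known-insecure settings, reported even if the baseline also contains them."""
    return sorted({name for entry in normalize(running)
                   for name, pat in WEAK_SETTINGS.items() if pat.search(entry)})


def audit_rules(running: str, register: dict, today_iso: str) -> list[str]:
    """Sub-control 11.2: permit rules with no register entry, no owner or reason,
    or an expiry date earlier than today_iso (YYYY-MM-DD)."""
    today, issues = date.fromisoformat(today_iso), []
    for entry in sorted(normalize(running)):
        if not PERMIT_RULE.match(entry):
            continue
        rec = register.get(entry)
        if rec is None:
            issues.append(f"undocumented rule: {entry}")
        elif not rec.get("owner") or not rec.get("reason"):
            issues.append(f"rule without owner or reason: {entry}")
        elif date.fromisoformat(rec["expires"]) < today:
            issues.append(f"expired {rec['expires']} (owner {rec['owner']}): {entry}")
    return issues


if __name__ == "__main__":
    for kind, entries in drift(BASELINE, RUNNING).items():
        for entry in entries:
            print(f"DRIFT {kind}: {entry}")
    for finding in weak_settings(RUNNING):
        print(f"WEAK SETTING: {finding}")
    for issue in audit_rules(RUNNING, RULE_REGISTER, "2021-03-29"):
        print(f"RULE: {issue}")
```

In practice the baseline comes from the configuration management system and the running config from a scheduled pull over SSH; the normalization keys every sub-command on its parent so a line such as "transport input ssh telnet" is attributed to the right vty range. Treat any non-empty drift list as an alert to be reconciled against the change control record, and route undocumented or expired permit rules back to the owner named in the register (or, for undocumented ones, to whoever approved the change).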



Implementing CIS Controls

If your team is struggling to implement CIS Control 11 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team can assist at whatever level of service you require, from consulting to complete implementation.

If you are interested in learning more about CIS Controls, view our comprehensive list here.

If you are interested, then please contact us below.


Furthermore, if you are looking for more information, check out our resource center here.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.

Category: Cyber Security