Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Secure Configuration Baselines for Network Devices

In a recent blog post, Ted Gary discussed results from a Tenable survey about configuration hardening at the system level. In short, organizations are making progress on enforcing and auditing their desktops and servers for secure configurations, but there is still a lot of work to do. While the whole realm of network devices was beyond the scope of the survey, it obviously can’t be beyond that of your hardening efforts.


Many of the standard frameworks use an umbrella approach for recommending configuration baselines and treat all devices and endpoints equally:

NIST Cybersecurity Framework

PR.IP-1 - A baseline configuration of information technology/industrial control systems is created and maintained.

NIST 800-53 rev 4

CM-2 - Baseline Configuration
CM-2(1) - Reviews and Updates

ITSG-33 (Canada)

CM-2 - Baseline Configuration
CM-2(1) - Reviews and Updates
CM-2(2) - Automation Support for Accuracy/ Currency

Some frameworks and standards, like the Center for Internet Security (CIS) Controls and Payment Card Industry Data Security Standard (PCI-DSS), see the management of the network itself as important enough to justify its own sections and recommendations, in addition to their general system requirements.

CIS Controls

11 - Secure Configurations for Network Devices


1.1 – Establish and implement firewall and router configuration standards.
1.1.7.a – Verify that firewall and router configuration standards require review.
2.2 - Develop configuration standards for all system components.

The central theme of all of these recommendations across the various frameworks is fundamentally a threefold process.

  1. Design and implement a secure hardened baseline across the devices in your organization.
  2. Monitor and validate that the baseline has been implemented and drift doesn’t occur.
  3. Periodically review the baseline and update it according to new threats and the ever-evolving environment.

Some of the best starting places for building the secure baseline for a number of devices are either the CIS Benchmarks or the Defense Information Systems Agency (DISA) Secure Technical Implementation Guides (STIG). These resources provide technical hardening recommendations for many popular and widely implemented devices.

If a particular device in your environment is not covered by a CIS Benchmark or DISA STIG all hope is not lost. Most vendors provide their own stand-alone hardening guides. For example, Juniper Networks published their own guide, “Hardening Junos Devices”. Much like in the desktop and server environment, there’s a chance that none of the recommendations are going to be a perfect fit out-of-the-box for all environments. If that’s the case, there might be a need to tailor one or a combination of several in order to get a complete baseline. The important lesson here is that multiple resources exist to help you build the initial baselines and avoid having to start with a blank slate.

Tenable Solutions

Tenable's secure configuration auditing solutions provide a number of audit files for network devices. Right alongside your regular vulnerability scanning you can test and validate the configuration baselines you defined for the organization. These audit files cover a wide range of devices from Cisco and Juniper to Palo Alto Networks and Huawei. Any of these devices can be evaluated for a number of different configuration parameters and generally have multiple audit files available.

Most of the audit files are built according to the CIS Benchmark or DISA STIG recommendations, and in general, overlap quite a bit. For example, testing DNS and NTP server settings, validating whether specific services or protocols are enabled and/or configured correctly, and checking that accounts and authentication are setup properly for local and remote management are all included in both standards and have checks in Tenable audit files.

If your organization requires a hybrid or tailored version of one of the benchmark documents, a completely custom audit file can be created or, in many cases, one of the standard files can be customized by adding/removing checks or modifying acceptable values.

Palo Alto

Recent Additions (F5 and Arista Devices)

Recently, Tenable has added support for additional network devices, specifically F5 BigIP and Arista MLS devices.

Our support for F5 covers a number of its technologies from the Advanced Firewall Manager and Application Security Manager to Device and Local Traffic Management.

Alongside these new plugins are accompanying audits based on the DIS STIG guidance that has been released. A full list of available DISA STIG documents is available from the DISA Information Assurance Support Environment (IASE) homepage.


Scans of F5 devices are very similar to many of the existing network device scans. F5 scans can be initiated from both the Advanced Scan or Policy Compliance templates. Inside either of those templates should be a new entry for the F5 credentials under Miscellaneous in the credentials tab.

F5 Preferences

Under the Compliance tab, you should also see a new entry for F5 which allows both the upload of custom audit files in addition to the list of audit files Tenable has released.


Like F5 devices, online Arista scans can be initiated from both the Advanced scan and Policy Compliance templates. For online scans, an SSH login is required and the credentials are stored just like any other SSH login. A new Arista section contains the custom audit upload along with the list of Tenable provided audits.

Offline Audit Support

Arista devices can also be audited in offline mode which is often convenient for validating backed-up configurations or testing a baseline configuration before it's rolled out. Offline scans are configured via the Offline Configuration Audit template.

An offline scan doesn’t require any credentials, so an SSH login is unnecessary. Setting up the audit only requires you to select an audit file or upload your custom audit and then add the configuration file you would like to be evaluated on the Compliance tab.


When planning the baseline hardening for network devices, it’s important to keep in mind that, in most cases, issues with devices such as firewalls, routers and load balancers, will ripple across the environment. A device’s configurations aren’t limited to providing its own services and protecting itself, but they also play a significant role in most organizations’ layered security practices. A compromised firewall doesn’t just mean it isn’t filtering and passing traffic, it might also be putting other devices at risk to threats they are unable or not configured to handle.

How Tenable Can Help

Tenable products offer a wide range of audit files for most popular network device platforms like Cisco, Juniper and Huawei, along with the addition of F5 and Arista. Many of these can be conducted both online against running systems and in offline mode against an exported configuration file. This offline support often proves very handy in developing a secure baseline since changes can be tested and the results are available immediately against your chosen audit file.

Related Posts

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.