Page 123, Friday, February 15, 2002, 2:51 PM

APPENDIX A
Checklist Quick Reference

You can use this checklist in two ways. First, you can use it as a checklist when securing your routers. You can also use the checklist as the basis for auditing the security of your routers.

Hardening Your Routers

If you are using this checklist to harden your routers, a good approach is to use the following three-step process:

1. Use the checklist to determine your routers' current security level. Check off each item that has already been taken care of.

2. Review all items in the checklist that have not been checked off. For each item, determine how you are going to address that issue: secure it, leave it alone and accept the risk, or assign the risk to someone else (insurance).

3. Secure each item that you determined needs securing. For all other items, document why you are leaving this item unsecured. It is important to list the risks associated with the item and determine why the risk can be ignored or how it is being assigned to someone else. For example, if your network has two routers and one administrator, the cost associated with setting up an AAA server is probably not justifiable. Local usernames and passwords would be much more reasonable. Documenting these decisions and getting management to sign off on them helps to cover your tail when an incident occurs.

Auditing Your Routers

Auditing is a topic for a book unto itself and generally requires a higher skill level than hardening. When hardening a router, a sysadmin can usually turn off services that aren't understood. An auditor, however, must understand not only how each service works, but also the risks associated with that service. For those who are not just hardening their routers but auditing them, this checklist can serve as the foundation for an audit of Cisco router security. For those new to auditing, here is an overview of the typical auditing process Securing