Firmware & OS
Patch levels, boot images, vendor advisories, support lifecycle, rollback planning.
OC Security Audit • Infrastructure Security
Router and Switch Security Audit Checklist
Secure the network infrastructure that connects users, servers, cloud services, branch offices, wireless networks, and business-critical applications. This checklist helps organizations review routers and switches for firmware risk, management exposure, VLAN weaknesses, port security gaps, ACL issues, and monitoring blind spots.
Purpose
Why routers and switches need a dedicated audit
Routers and switches are often trusted by default, but they control the paths attackers use for lateral movement, credential capture, network disruption, and access to sensitive systems. A secure firewall does not fully protect a flat internal network, an exposed management VLAN, outdated switch firmware, or permissive inter-VLAN routing.
OC Security Audit reviews the network infrastructure from a business-risk perspective: how devices are managed, how traffic is segmented, what can be reached between networks, whether logs and backups are available, and whether operational practices support secure recovery.
Audit Categories
What the router and switch audit covers
The page is organized by the major internal infrastructure areas that typically create security exposure in Cisco, HPE Aruba, and HP switching and routing environments.
Management Plane
SSH, HTTPS, console access, management VLANs, allowed admin sources, AAA.
Passwords & Privilege
Default credentials, admin roles, local accounts, secret encryption, offboarding.
VLANs & Segmentation
User, server, guest, IoT, voice, management, and inter-VLAN routing controls.
Switch Port Security
Unused ports, trunk restrictions, MAC limits, NAC/802.1X, rogue-device prevention.
ACLs & Routing
Router ACLs, route filtering, dynamic routing authentication, branch connectivity.
Layer 2 Protection
DHCP Snooping, Dynamic ARP Inspection, BPDU Guard, Root Guard, storm control.
Monitoring & Backups
SNMPv3, syslog, NTP, configuration backups, alerting, performance baselines.
Process
Our router and switch security audit process
Discover
Collect inventory, topology, device roles, firmware versions, VLANs, routing paths, and management interfaces.
Review
Analyze configurations, management access, passwords, SNMP, ACLs, trunks, Layer 2 protections, and monitoring.
Prioritize
Score each finding by likelihood, impact, and business risk so remediation is practical and defensible.
Validate
Confirm which controls are working, which are missing, and which require operational or change-control review.
Recommend
Provide secure configuration recommendations for firmware, passwords, VLANs, port security, and ACLs.
Document
Deliver checklist results, evidence notes, risk scoring, and remediation steps for IT and leadership review.
HTML Checklist
Router and switch security audit items
Use this checklist as a starting point for internal security audits, infrastructure reviews, network hardening projects, and remediation planning.
| Category | Item | Description | Likelihood | Impact | Security Risk | How to Secure | Status |
|---|---|---|---|---|---|---|---|
| Inventory & Ownership | Device inventory accuracy | Document all routers, switches, stacks, serial numbers, models, OS versions, locations, owners, and support status. | Medium | Medium | Unknown network assets create blind spots during incidents and upgrades. | Maintain an approved inventory and reconcile it during every audit cycle. | Open / Review / Complete |
| Inventory & Ownership | Lifecycle and support status | Confirm whether Cisco, HPE Aruba, and HP devices are under vendor support and not end-of-life. | High | High | Unsupported devices may not receive critical firmware or security updates. | Replace unsupported devices or document compensating controls and upgrade timelines. | Open / Review / Complete |
| Firmware & OS | Firmware version review | Compare firmware and network OS versions against vendor advisories and approved baselines. | High | High | Outdated firmware can expose routers and switches to known vulnerabilities. | Upgrade through a controlled change window after backup and compatibility review. | Open / Review / Complete |
| Firmware & OS | Boot image integrity | Verify approved boot images, startup configuration integrity, and unauthorized image changes. | Medium | High | Unapproved images may introduce instability, backdoors, or misconfiguration. | Restrict image changes and validate hashes where supported. | Open / Review / Complete |
| Firmware & OS | Patch management process | Review how firmware updates are tested, approved, scheduled, and documented. | Medium | High | Unstructured updates increase outage risk or leave devices unpatched. | Create a repeatable patch process with maintenance windows and rollback steps. | Open / Review / Complete |
| Management Plane | SSH-only administration | Confirm Telnet is disabled and SSH is configured using secure versions and approved ciphers where supported. | High | High | Clear-text management protocols expose credentials and configuration data. | Disable Telnet and require SSH from trusted management networks. | Open / Review / Complete |
| Management Plane | HTTPS management review | Confirm HTTP is disabled and HTTPS uses trusted certificates where web management is required. | Medium | High | Insecure web management can leak credentials or expose admin portals. | Use HTTPS only, restrict access, and disable web management if not needed. | Open / Review / Complete |
| Management Plane | Management VLAN isolation | Verify router and switch management interfaces are isolated from user VLANs and guest networks. | High | High | Flat access to management interfaces increases takeover risk. | Place management access in a dedicated VLAN or subnet with ACL restrictions. | Open / Review / Complete |
| Management Plane | Allowed management sources | Review ACLs that limit device administration to approved jump boxes, VPNs, or admin workstations. | High | High | Broad administrative access expands the attack surface. | Permit management only from approved source IP ranges. | Open / Review / Complete |
| Authentication | Default credentials removed | Confirm vendor default usernames, passwords, and setup accounts are removed or disabled. | High | High | Default credentials are commonly abused during internal compromise. | Remove defaults and use unique named accounts or centralized authentication. | Open / Review / Complete |
| Authentication | AAA / RADIUS / TACACS+ | Review centralized authentication, authorization, and accounting for administrators. | Medium | High | Local-only accounts reduce accountability and delay offboarding. | Use AAA with least privilege, fallback controls, and admin logging. | Open / Review / Complete |
| Authentication | Privileged account review | Validate admin roles, named accounts, emergency accounts, and privilege levels. | Medium | High | Excessive admin rights can lead to unauthorized network changes. | Limit privileges and review access regularly. | Open / Review / Complete |
| Authentication | Password policy | Review password complexity, rotation expectations, encrypted secrets, and local account storage. | Medium | High | Weak or reusable passwords can lead to device compromise. | Use long unique credentials, encrypted secrets, and vault-based access. | Open / Review / Complete |
| SNMP & Monitoring | SNMP version | Confirm SNMPv1 and SNMPv2c are disabled unless there is an approved exception. | High | High | Weak SNMP versions can expose device data and community strings. | Use SNMPv3 with authentication and encryption. | Open / Review / Complete |
| SNMP & Monitoring | Community string exposure | Review SNMP community strings, ACLs, and read/write permissions. | High | High | Exposed or writable community strings can reveal or change device configuration. | Remove public/private strings and restrict SNMP to monitoring servers only. | Open / Review / Complete |
| SNMP & Monitoring | Syslog forwarding | Confirm logs are forwarded to centralized syslog/SIEM systems. | Medium | High | Local-only logs may be lost after reboot or compromise. | Forward logs to a protected logging platform with retention. | Open / Review / Complete |
| SNMP & Monitoring | NTP configuration | Verify devices use trusted NTP sources and consistent time zones. | Medium | Medium | Incorrect time breaks incident timelines and log correlation. | Configure reliable NTP and document time settings. | Open / Review / Complete |
| Segmentation | VLAN design review | Review VLANs for users, servers, voice, printers, guest, IoT, cameras, and management. | High | High | Poor segmentation allows unnecessary lateral movement. | Separate sensitive zones and document VLAN purpose and ownership. | Open / Review / Complete |
| Segmentation | Inter-VLAN routing control | Review routing between VLANs and confirm only required flows are permitted. | High | High | Overly permissive inter-VLAN routing exposes critical systems. | Use ACLs, firewall policy, or routed segmentation for controlled access. | Open / Review / Complete |
| Segmentation | Guest network isolation | Confirm guest and visitor networks cannot reach internal resources. | High | High | Guest access can become an entry point into the corporate network. | Isolate guest VLANs and route them directly to internet-only access. | Open / Review / Complete |
| Segmentation | Voice VLAN security | Review voice VLAN separation and whether phones can bridge into data networks. | Medium | Medium | Voice networks can become a lateral movement path. | Apply voice VLAN controls, DHCP options, and port-level restrictions. | Open / Review / Complete |
| Switch Port Security | Unused ports disabled | Confirm unused switch ports are administratively disabled and assigned to an unused VLAN. | High | Medium | Open ports allow unauthorized internal access. | Disable unused ports and monitor link-up events. | Open / Review / Complete |
| Switch Port Security | Port security / MAC limits | Review MAC address limits, sticky MAC policies, and violation actions where appropriate. | Medium | High | Unauthorized devices can be connected to active ports. | Enable port security for access ports based on operational needs. | Open / Review / Complete |
| Switch Port Security | 802.1X / NAC readiness | Evaluate support for 802.1X, MAC authentication bypass, or NAC integration. | Medium | High | Uncontrolled network access increases insider and rogue-device risk. | Implement phased NAC for sensitive or high-risk areas. | Open / Review / Complete |
| Switch Port Security | Trunk port review | Confirm trunk ports are approved, documented, and restricted to required VLANs. | High | High | Misconfigured trunks can expose multiple VLANs to one connection. | Limit allowed VLANs and disable trunk negotiation where appropriate. | Open / Review / Complete |
| Layer 2 Protection | BPDU Guard | Review BPDU Guard on access ports to reduce rogue switch risk. | Medium | High | Rogue switches can disrupt spanning tree and network availability. | Enable BPDU Guard on access ports. | Open / Review / Complete |
| Layer 2 Protection | Root Guard | Review root bridge placement and Root Guard on appropriate ports. | Medium | High | Unexpected root bridge changes can destabilize switching paths. | Define root bridge strategy and enforce it with guard features. | Open / Review / Complete |
| Layer 2 Protection | DHCP Snooping | Review DHCP Snooping for user VLANs and trust boundaries. | Medium | High | Rogue DHCP servers can redirect or disrupt user traffic. | Enable DHCP Snooping and trust only legitimate uplink/server ports. | Open / Review / Complete |
| Layer 2 Protection | Dynamic ARP Inspection | Review ARP protection where DHCP Snooping bindings are available. | Medium | High | ARP spoofing can enable traffic interception or disruption. | Enable Dynamic ARP Inspection on supported access VLANs. | Open / Review / Complete |
| Layer 2 Protection | Storm control | Review broadcast, multicast, and unknown unicast storm-control thresholds. | Medium | Medium | Layer 2 storms can create outages. | Configure storm control on access ports with tested thresholds. | Open / Review / Complete |
| Access Control Lists | Router ACL review | Review inbound and outbound ACLs on routed interfaces. | High | High | Overly broad ACLs may expose sensitive networks or management services. | Apply least privilege and document business justification. | Open / Review / Complete |
| Access Control Lists | Management ACLs | Confirm management services are protected by explicit ACLs. | High | High | Attackers on internal networks may attempt direct device access. | Restrict SSH/HTTPS/SNMP to approved management hosts. | Open / Review / Complete |
| Access Control Lists | Any-any rules | Identify permissive allow-all rules and undocumented exceptions. | High | High | Broad rules undermine segmentation and increase blast radius. | Replace with specific source, destination, and service rules. | Open / Review / Complete |
| Routing Security | Static route review | Validate static routes, default routes, and route ownership. | Medium | High | Incorrect routes can expose traffic or create black holes. | Document route purpose and remove stale routes. | Open / Review / Complete |
| Routing Security | Dynamic routing authentication | Review OSPF, EIGRP, BGP, or other protocol authentication where used. | Medium | High | Unauthenticated routing can allow route injection or disruption. | Enable protocol authentication and route filtering where supported. | Open / Review / Complete |
| Routing Security | Route filtering | Review route redistribution and filtering between sites, WAN, VPN, and internal zones. | Medium | High | Uncontrolled redistribution can leak routes between environments. | Filter routes and document accepted prefixes. | Open / Review / Complete |
| Site Connectivity | WAN and branch links | Review routers/switches supporting branch, data center, and cloud connectivity. | Medium | High | Weak inter-site controls can allow compromise to spread across locations. | Validate routing, ACLs, monitoring, and redundancy for site links. | Open / Review / Complete |
| Site Connectivity | Site-to-site VPN interfaces | Review router interfaces, routes, ACLs, and monitoring tied to VPN connectivity. | Medium | High | VPN-connected networks often have excessive trust. | Limit reachable subnets and monitor tunnel health. | Open / Review / Complete |
| Resilience | Configuration backups | Confirm scheduled configuration backups are captured and protected. | High | Medium | No backup increases downtime after failure or misconfiguration. | Automate backups and test restoration. | Open / Review / Complete |
| Resilience | Change control | Review change tickets, approval workflow, and post-change validation. | Medium | High | Untracked changes make incidents harder to diagnose. | Require documented changes for routing, VLAN, ACL, and firmware updates. | Open / Review / Complete |
| Resilience | High availability links | Review stack members, uplinks, LACP, redundant power, and failover paths. | Medium | High | Single points of failure can interrupt business operations. | Document redundancy and test failover scenarios. | Open / Review / Complete |
| Physical Security | Rack and closet access | Review physical access to network closets, MDFs, IDFs, and data center racks. | Medium | High | Physical access can bypass logical controls. | Restrict access, lock cabinets, and log entry where feasible. | Open / Review / Complete |
| Physical Security | Console port control | Review console access procedures, adapters, and local recovery controls. | Medium | Medium | Uncontrolled console access can allow device reconfiguration. | Control physical console access and protect emergency credentials. | Open / Review / Complete |
| Documentation | Network diagrams | Validate current logical and physical diagrams. | Medium | Medium | Outdated diagrams slow troubleshooting and audits. | Update diagrams with VLANs, uplinks, trunks, and routing paths. | Open / Review / Complete |
| Documentation | Standards and baseline configs | Review standard templates for Cisco, HPE Aruba, and HP devices. | Medium | High | Inconsistent configs create security gaps and support issues. | Create approved baseline configurations by device role. | Open / Review / Complete |
Monitoring Applications
Five applications commonly used to monitor routers and switches
Monitoring tools support availability, interface health, bandwidth usage, SNMP metrics, alerting, configuration awareness, and faster incident response. Vendor fit depends on network size, budget, skill level, and operational requirements.
SolarWinds Network Performance Monitor
Enterprise network performance monitoring, availability, topology, and alerting.
Visit vendor site →
Paessler PRTG Network Monitor
Sensor-based monitoring for bandwidth, uptime, health, and network services.
Visit vendor site →
ManageEngine OpManager
Router, switch, firewall, server, and network performance monitoring.
Visit vendor site →
Zabbix Network Monitoring
Open-source monitoring for SNMP metrics, availability, alerting, and dashboards.
Visit vendor site →
Auvik Network Management
Cloud-based visibility, topology mapping, alerts, and network management support.
Visit vendor site →
Platform Focus
Cisco, HPE Aruba, and HP router/switch environments
OC Security Audit can help review common configuration and operational risks across mixed-vendor environments, including older HP switching, HPE Aruba access layers, and Cisco routing and switching platforms.
Cisco routers and switches
Review IOS/IOS XE configuration hygiene, SSH/AAA, ACLs, SNMPv3, routing controls, VLANs, trunking, spanning-tree protections, configuration backups, and logging.
HPE Aruba switching
Review AOS-CX or ArubaOS-Switch settings, management access, VLAN design, port security, firmware, SNMP, syslog, role-based access, and uplink controls.
HP legacy networks
Review lifecycle risk, older firmware, insecure protocols, switch closet exposure, undocumented VLANs, missing backups, and migration or hardening priorities.
Need help reviewing router and switch security?
OC Security Audit helps organizations identify infrastructure security gaps, prioritize remediation, and improve internal network resilience across routers, switches, VLANs, site connectivity, and management systems.