{
	"id": "5a7ef7ec-2800-4e34-abb7-79df1951d6c0",
	"created_at": "2026-04-06T00:14:13.404166Z",
	"updated_at": "2026-04-10T13:12:39.463482Z",
	"deleted_at": null,
	"sha1_hash": "370c58bafb4b31d4f35a6b8d3d5dd8bc3c459078",
	"title": "Enhanced Visibility and Hardening Guidance for Communications Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111688,
	"plain_text": "Enhanced Visibility and Hardening Guidance for Communications\r\nInfrastructure | CISA\r\nPublished: 2024-12-04 · Archived: 2026-04-05 20:48:03 UTC\r\nIntroduction\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau\r\nof Investigation (FBI), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC),\r\nCanadian Centre for Cyber Security (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ)\r\nwarn that People’s Republic of China (PRC)-affiliated threat actors compromised networks of major global\r\ntelecommunications providers to conduct a broad and significant cyber espionage campaign. The authoring\r\nagencies are releasing this guide to highlight this threat and provide network engineers and defenders of\r\ncommunications infrastructure with best practices to strengthen their visibility and harden their network devices\r\nagainst successful exploitation carried out by PRC-affiliated and other malicious cyber actors. Although tailored to\r\nnetwork defenders and engineers of communications infrastructure, this guide may also apply to organizations\r\nwith on-premises enterprise equipment. The authoring agencies encourage telecommunications and other critical\r\ninfrastructure organizations to apply the best practices in this guide.\r\nAs of this release date, identified exploitations or compromises associated with these threat actors’ activity align\r\nwith existing weaknesses associated with victim infrastructure; no novel activity has been observed. Patching\r\nvulnerable devices and services, as well as generally securing environments, will reduce opportunities for\r\nintrusion and mitigate the actors’ activity.\r\nStrengthening Visibility\r\nIn the context of this guide, visibility refers to organizations’ abilities to monitor, detect, and understand activity\r\nwithin their networks. 
High visibility means having detailed insight into network traffic, user activity, and data\r\nflow, allowing network defenders to quickly identify threats, anomalous behavior, and vulnerabilities. Visibility is\r\ncritical for network engineers and defenders, particularly when identifying and responding to incidents.\r\nMonitoring\r\nNetwork Engineers\r\nClosely scrutinize and investigate any configuration modifications or alterations to network devices such as\r\nswitches, routers, and firewalls outside of the change management process. Implement comprehensive\r\nalerting mechanisms to detect unauthorized changes to the network, including unusual route updates,\r\nenabled weak protocols, and configuration changes (i.e., changes to users and Access Control Lists\r\n[ACLs]).\r\nhttps://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure\r\nPage 1 of 8\n\nStore configurations centrally and push to devices. Do not allow devices to be the trusted source of\r\ntruth for their configuration. Monitor configuration and, if feasible, test and override on a frequent\r\nbasis.\r\nImplement a strong network flow monitoring solution. This solution should allow for network flow data\r\nexporters and the associated collectors to be strategically centered around key ingress and egress locations\r\nthat provide visibility into inter-customer traffic.\r\nIf feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and\r\nenforced network path, ideally only directly from dedicated administrative workstations.\r\nMonitor user and service account logins for anomalies that could indicate potential malicious activity.\r\nValidate all accounts and disable inactive accounts to reduce the attack surface. 
Monitor logins occurring\r\ninternally and externally from the management environment.\r\nImplement secure, centralized logging with the ability to analyze and correlate large amounts of data from\r\ndifferent sources. Encrypt any logging traffic destined for a remote destination via IPsec, TLS, or any other\r\navailable encrypted transport options. Additionally, store copies of logs off-site to ensure they cannot be\r\nmodified or deleted. Enable logging and auditing on devices and ensure logs can be offloaded from the\r\ndevice.\r\nIf possible, implement a Security Information and Event Management (SIEM) tool to analyze and\r\ncorrelate logs and alerts from the routers for rapid identification of security incidents.\r\nEnsure logging takes place at all levels of the environment, network operating system, application,\r\nand software levels, as it pertains to network devices.\r\nEstablish a baseline of normal network behavior and define rules on security appliances to alert on\r\nabnormal behavior.\r\nEnsure the inventory of devices and firmware in the environment are up to date to enable effective\r\nvisibility and monitoring.\r\nNetwork Defenders\r\nImplement a monitoring and network management capability that, at a minimum, enforces configuration\r\nmanagement, automates routine administrative functions, and alerts on changes detected within the\r\nenvironment, such as connections and user and account activity.\r\nEstablish understanding of the architecture of infrastructure and production enclaves, as well as\r\nwhere the two environments meet or are segregated. Map and understand boundary and\r\ningress/egress points of the network management enclave.\r\nUnderstand which assets should be forward facing and remove those that should not be forward\r\nfacing. 
Closely monitor all devices that accept external connections from outside the corporate\r\nnetwork and investigate any configurations that do not comply with known good configurations,\r\nsuch as open ports, services, or unexpected Generic Routing Encapsulation (GRE) or IPsec tunnel\r\nusage. Threat actors have been observed taking advantage of external-facing vulnerable services and\r\nfeatures; therefore, proper visibility of network and security operations is vital.\r\nIf appropriate, implement a packet capture capability as part of the broader visibility effort for the\r\nenterprise. Determine capture location(s) and retention policies based on organizational demands.\r\nHardening Systems and Devices\r\nHardening device and network architecture is a defense-in-depth strategy. Reducing vulnerabilities, improving\r\nsecure configuration habits, and following best practices limit potential entry points for PRC-affiliated and other\r\ncyber threats.\r\nProtocols and Management Processes\r\nNetwork Engineers\r\nUse an out-of-band management network that is physically separate from the operational data flow\r\nnetwork. Ensure that management of network infrastructure devices can only come from the out-of-band\r\nmanagement network. In addition, confirm that the out-of-band management network does not allow lateral\r\nmanagement connections between devices to prevent lateral movement in the case that one device becomes\r\ncompromised. Ensure device management is physically isolated from the customer and production\r\nnetworks. When properly implemented, out-of-band management can mitigate many threat actor tactics,\r\ntechniques, and procedures (TTPs).\r\nImplement a strict, default-deny ACL strategy to control inbound and egressing traffic. Ensure all denied\r\ntraffic is logged. 
For maximum depth, implement on separate devices from those implementing other\r\nsecurity controls.\r\nEmploy strong network segmentation via the use of router ACLs, stateful packet inspection, firewall\r\ncapabilities, and demilitarized zone (DMZ) constructs. Separation via virtual local area networks (VLANs)\r\nand, if possible, private VLANs (PVLAN) will provide additional granular logical separation. This should\r\nbe done as part of a broader defense-in-depth approach that protects and isolates different device groups.\r\nPlace externally facing services, such as Domain Name System (DNS), web servers, and mail\r\nservers, in a DMZ to provide segmentation from the internal LAN and backend resources.\r\nAdditionally, as a general strategy, put devices with similar purposes in the same VLAN. For\r\nexample, place all user workstations from a certain team in one VLAN, while putting another team\r\nwith different functions in a separate VLAN.\r\nDo not manage devices from the internet. Only allow device management from trusted devices on\r\ntrusted networks. Use dedicated administrative workstations (DAWs) connected to dedicated\r\nmanagement zones.\r\nHarden and secure virtual private network (VPN) gateways by limiting external exposure, if possible, and\r\nlimiting the port exposure to what is minimally required (for example udp/500, udp/4500 and protocol type\r\n50 (ESP)). Ensure all VPNs are configured to only use strong cryptography for key exchange,\r\nauthentication, and encryption. [1]\r\nDisable unused VPN features and cryptographic algorithms to prevent exploitable weaknesses.\r\nEnsure that traffic is end-to-end encrypted to the maximum extent possible.\r\nAs a management policy, control access to device Virtual Teletype (VTY) lines with an ACL to restrict\r\ninbound lateral movement connections.\r\nAdditionally, disable outbound connections to mitigate against lateral movement. 
Monitor for\r\nchanges as adversaries can modify this configuration on compromised devices to allow outbound\r\nconnections.\r\nEnsure all authentication, authorization, and accounting (AAA) logging is securely sent to a centralized\r\nlogging server with modern confidentiality, integrity, and authentication (CIA) protections.\r\nIf using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and\r\nauthentication is used, along with ACL protections against unnecessary public exposure. Ensure\r\nconfiguration with the most secure cryptographic options supported by the hardware.\r\nDisable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP) or Link Layer\r\nDiscovery Protocol (LLDP). If they are required, only enable on the necessary interfaces.\r\nEnsure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit\r\nover a network. [2] Ensure TLS is configured to only use strong cryptographic cipher suites. [3]\r\nUse Public Key Infrastructure (PKI)-based certificates instead of self-signed certificates.\r\nImplement a robust process to renew certificates before they expire.\r\nDisable Internet Protocol (IP) source routing.\r\nDisable Secure Shell (SSH) version 1. Ensure only SSH version 2.0 is used with the following\r\ncryptographic considerations [2]. 
For more information on acceptable algorithms, see NSA’s Network\r\nInfrastructure Security Guide.\r\nConfigure with minimally a 3072-bit RSA key.\r\nConfigure with minimally a 4096 Diffie-Hellman key size (group 16).\r\nWhen possible, apply secure authentication to protocols and services which allow it, such as Network Time\r\nProtocol (NTP), Terminal Access Controller Access-Control System (TACACS+), Open Shortest Path First\r\n(OSPF), Border Gateway Protocol (BGP), and Hot Standby Router Protocol (HSRP). Similarly, disable any\r\nunauthenticated management protocols or functions, such as Cisco Smart Install.\r\nUse secure cryptographic building blocks when building VPNs such as [3]:\r\nKey Exchange:\r\nDiffie-Hellman Group 15 with 3072-bit Modular Exponential (MODP)\r\nDiffie-Hellman Group 16 with 4096-bit Modular Exponential (MODP)\r\nDiffie-Hellman Group 20 with 384-bit Elliptic Curve Group (ECP)\r\nEncryption: AES-256\r\nHashing: SHA-384 or SHA-512\r\nEnsure that no default passwords are used.\r\nChange all default passwords on first use.\r\nEnsure no passwords are reset back to the default.\r\nConfirm the integrity of the software image in use by using a trusted hashing calculation utility, if\r\navailable.\r\nIf a utility is unavailable, calculate a hash of the software image on a trusted administration\r\nworkstation and compare against the vendor’s published hashes on an authenticated site as a trusted\r\nsource of truth. This may require engaging the device’s maintenance contract to access source of\r\ntruth hash values. For additional security, copy the image to a forensic workstation and calculate the\r\nhash value to compare against the vendor’s published hashes.\r\nNetwork Defenders\r\nDisable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File\r\nTransfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and\r\nSNMP v1/v2c. 
Ensure any required internet-exposed services are adequately protected by ACLs and are\r\nfully patched.\r\nConduct port-scanning and scanning of known internet-facing infrastructure to ensure no additional\r\nservices are accessible across the network or from the internet. Remove unnecessary internet-facing\r\ninfrastructure, monitor necessary internet-facing infrastructure, and continuously validate the architecture.\r\nRouters with an active shell environment—even if they have not been tampered with—have\r\nsignificantly more listeners running at the operating system (OS) level compared to the software\r\nlevel.\r\nNetwork defenders and network engineers should ensure close collaboration and open communication to\r\naccomplish the following:\r\nEnsure all networking configurations are stored, tracked, and regularly audited for compliance with\r\nsecurity policies and best practices.\r\nWhenever networking configurations are transmitted for storage, tracking, and troubleshooting,\r\nconfirm that they are sent using encrypted protocols. Additionally, be sure they are not attached to\r\nplaintext emails or sent via FTP or TFTP.\r\nMonitor for vendor end-of-life (EOL) announcements for hardware devices, operating system versions, and\r\nsoftware, and upgrade as soon as possible.\r\nImplement a change management system that anticipates both routine and emergency patching.\r\nContinuously monitor for vendor vulnerability and patch announcements and ensure patches are applied in\r\na timely manner. Ensure use of vendor recommended version of the operating system for the features and\r\ncapabilities required.\r\nTest and validate patches as part of the change and patch management processes.\r\nAs part of a broader password policy, store passwords with secure hashing algorithms. 
Passwords should\r\nmeet complexity requirements and should be stored using one-way hashing algorithms or, if available,\r\nunique keys. Follow National Institute of Standards and Technologies guidelines when creating password\r\npolicies.\r\nRequire phishing-resistant multi-factor authentication (MFA) for all accounts that access company systems,\r\nnetworks, and applications, including sensitive administrative access to routers. MFA should use a\r\ncombination of credentials and a phishing-resistant secondary verification method, such as hardware-based\r\nPKI or FIDO authentication, to ensure secure access and prevent unauthorized entry.\r\nAs part of a broader identity and access management policy, use local accounts only for emergencies and\r\nchange the passwords after each use. Verify that each use was authorized and expected. For everyday\r\nmanagement of network infrastructure, use a centralized AAA server that supports multi-factor\r\nauthentication requirements; however, ensure the AAA server is not linked to the primary corporate\r\nidentity store.\r\nLimit session token durations and require users to reauthenticate when the session expires. Conduct audits\r\nto determine the standard session duration for each role to implement session expirations.\r\nImplement a Role-Based Access Control (RBAC) strategy that assigns users to a specific role with defined\r\nand inherited permissions to better control and manage what users can do.\r\nRemove any unnecessary accounts and periodically review accounts to verify that they continue to be\r\nneeded. Apply the principle of least privilege to make sure accounts only have the minimum permissions\r\nnecessary to complete their tasks. 
Additionally, continuously monitor accounts in use.\r\nCisco-Specific Guidance\r\nOrganizations in the communications sector should be aware that the authoring agencies have observed Cisco-specific features often being targeted by, and associated with, these PRC cyber threat actors’ activity. To address\r\nthe risk of exploitation by these specific threat actors, the authoring agencies urge organizations to apply the\r\nfollowing hardening best practices to all Cisco operating systems. For additional information, see Cisco’s IOS XE\r\nHardening Guide and Guide to Securing NX-OS Software Devices.\r\nDisable Cisco’s Smart Install service using no vstack.\r\nIf not required, disable the guestshell access using guestshell disable for those versions which support\r\nthe guestshell service.\r\nDisable all non-encrypted web management capabilities. If web management is required, configure servers\r\nin compliance with vendor recommended security settings and software images.\r\nAlways disable the underlying non-encrypted web server using no ip http server. If web\r\nmanagement is not required, disable all of the underlying web servers using no ip http server\r\nand no ip http secure-server.\r\nDisable telnet and ensure it is not available on any of the VTY lines by configuring all VTY stanzas\r\nwith transport input ssh and transport output none.\r\nTo securely store passwords on Cisco devices, organizations should:\r\nUse Type-8 passwords when possible.\r\nAvoid use of deprecated hashing or password types when storing passwords, such as Type-5 or\r\nType-7.\r\nIf supported, secure the TACACS+ key as a Type-6 encrypted password.\r\nIncident Reporting\r\nU.S. organizations: If suspicious activity is identified, contact your local FBI field office or the FBI’s\r\nInternet Crime Complaint Center (IC3). 
Cyber incidents can also be reported to CISA by calling 1-844-\r\nSay-CISA (1-844-729-2472), emailing contact@mail.cisa.dhs.gov, or reporting online at cisa.gov/report.\r\nFor NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.\r\nAustralian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report\r\ncybersecurity incidents and access alerts and advisories.\r\nCanadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.\r\nNew Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498\r\n7654.\r\nSecure by Design\r\nThe authoring agencies urge software manufacturers to incorporate secure by design principles into their software\r\ndevelopment lifecycle to strengthen the security posture of their customers. Software manufacturers should\r\nprioritize secure by design configurations to eliminate the need for customer implementation of hardening\r\nguidelines. Additionally, customers should demand that the software they purchase is secure by design. For more\r\ninformation on secure by design, see CISA’s Secure by Design webpage. 
Customers should refer to CISA’s Secure\r\nby Demand guidance for additional product security considerations.\r\nResources\r\nCISA: Cross-Sector Cybersecurity Performance Goals\r\nJoint Guide: Best Practices for Event Logging and Threat Detection\r\nNSA: Network Infrastructure Security Guide\r\nNSA, CISA, and FBI: People’s Republic of China State-Sponsored Cyber Actors Exploit Network\r\nProviders and Devices\r\nNSA: Hardening Network Devices\r\nNSA: Performing Out-of-Band Network Management\r\nNSA: Cisco Password Types: Best Practices\r\nNSA: Cisco Smart Install Protocol Misuse\r\nCCCS: Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information\r\n– ITSP.40.111\r\nNIST: Special Publication 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer\r\nSecurity (TLS) Implementations\r\nNIST: Special Publication 800-77: Guide to IPsec VPNs\r\nReferences\r\n1. CCCS: Guidance on Securely Configuring Network Protocols\r\n2. NSA: Network Infrastructure Security Guide\r\n3. CNSS: Committee on National Security Systems Policy (CNSSP)-15\r\nDisclaimer\r\nThe authoring agencies do not endorse any commercial entity, product, company, or service, including any\r\nentities, products, or services linked within this document. Any reference to specific commercial entities, products,\r\nprocesses, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply\r\nendorsement, recommendation, or favoring by the authoring agencies. Additionally, the information in this\r\ndocument is provided “as-is” and without warranties or representations of any kind. 
The users of this information\r\nshall have no recourse against the authoring parties for any loss, liability, damage or cost that may be suffered or\r\nincurred at any time arising from the use of information in this document, including but not limited to loss of data\r\nor interruption of business.\r\nAcknowledgements\r\nCisco and Google Cloud Security contributed to this guidance.\r\nVersion History\r\nDecember 3, 2024: Initial version.\r\nSource: https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure"
	],
	"report_names": [
		"enhanced-visibility-and-hardening-guidance-communications-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/370c58bafb4b31d4f35a6b8d3d5dd8bc3c459078.pdf",
		"text": "https://archive.orkl.eu/370c58bafb4b31d4f35a6b8d3d5dd8bc3c459078.txt",
		"img": "https://archive.orkl.eu/370c58bafb4b31d4f35a6b8d3d5dd8bc3c459078.jpg"
	}
}