Operational Deployment Baseline¶
This is an operational hardening checklist for high-availability, high-accountability environments.
Scope¶
This checklist is for production network enforcement roles where outage or misconfiguration carries high operational risk.
1. Change control¶
- Require peer review for policy changes
- Use maintenance windows
- Define rollback steps before applying changes
- Record change ticket/reference for every production change
2. Access control¶
- Restrict management interface to dedicated admin subnet/VPN
- Use unique admin credentials and MFA where available in surrounding systems
- Remove/disable unused admin accounts
3. Backup and recovery¶
- Export configuration after every approved change
- Store encrypted backups off-device
- Test restore on non-production system regularly
- Document break-glass recovery steps
4. Time, logging, and evidence¶
- Configure reliable NTP
- Forward logs to centralized logging/SIEM
- Keep retention aligned with organizational policy
- Validate logs include firewall/NAT/VPN decision context
5. Network policy baseline¶
- Default deny on untrusted paths
- Explicit least-privilege allow rules
- Strict inbound exposure via NAT + matching pass rules only
- No direct management exposure on WAN
6. VPN baseline¶
- Prefer IPsec and L2TP/IPsec for new deployments
- Treat PPTP as legacy and avoid for new deployments
- Validate tunnel policy with explicit subnet and rule checks
7. Operations cadence¶
- Daily health checks: interfaces, gateways, log anomalies
- Weekly review: exposed services, stale rules, unused aliases
- Monthly review: backup restore drill, access review, documentation update
8. Go-live acceptance checks¶
- Documented and tested rollback
- Known-good backup archived
- Monitoring and alerting verified
- On-call troubleshooting runbook available