Skip to content

Operational Deployment Baseline

This is an operational hardening checklist for high-availability, high-accountability environments.

Scope

This checklist is for production network enforcement roles where outage or misconfiguration carries high operational risk.

1. Change control

  • Require peer review for policy changes
  • Use maintenance windows
  • Define rollback steps before applying changes
  • Record change ticket/reference for every production change

2. Access control

  • Restrict management interface to dedicated admin subnet/VPN
  • Use unique admin credentials and MFA where available in surrounding systems
  • Remove/disable unused admin accounts

3. Backup and recovery

  • Export configuration after every approved change
  • Store encrypted backups off-device
  • Test restore on non-production system regularly
  • Document break-glass recovery steps

4. Time, logging, and evidence

  • Configure reliable NTP
  • Forward logs to centralized logging/SIEM
  • Keep retention aligned with organizational policy
  • Validate logs include firewall/NAT/VPN decision context

5. Network policy baseline

  • Default deny on untrusted paths
  • Explicit least-privilege allow rules
  • Strict inbound exposure via NAT + matching pass rules only
  • No direct management exposure on WAN

6. VPN baseline

  • Prefer IPsec and L2TP/IPsec for new deployments
  • Treat PPTP as legacy and avoid for new deployments
  • Validate tunnel policy with explicit subnet and rule checks

7. Operations cadence

  • Daily health checks: interfaces, gateways, log anomalies
  • Weekly review: exposed services, stale rules, unused aliases
  • Monthly review: backup restore drill, access review, documentation update

8. Go-live acceptance checks

  • Documented and tested rollback
  • Known-good backup archived
  • Monitoring and alerting verified
  • On-call troubleshooting runbook available