Safeguard 12.3: Securely Manage Network Infrastructure

By Steve Gold
Posted in Security
On June 30, 2026

In Mission: Impossible, Ethan Hunt's team never broadcasts mission details over open channels. Every transmission is encrypted, every agent is authenticated, and the briefing self-destructs after viewing. The IMF doesn't leave sensitive operational details lying around where anyone can intercept them, because they understand that the channel matters just as much as the message.

Meanwhile, plenty of organizations are still managing their routers, switches, and firewalls over Telnet. That's the network equivalent of leaving your mission briefing taped to a bulletin board in the lobby. Anyone on the network can read it.

What Is CIS Safeguard 12.3?

Safeguard 12.3 falls under CIS Control 12: Network Infrastructure Management, and its security function is Protect. It applies to IG2 and IG3 organizations. The directive is straightforward: manage your network infrastructure securely. That means using encrypted management protocols, SSH instead of Telnet, HTTPS instead of HTTP, SNMPv3 instead of SNMPv1 or v2, and managing your configurations through version-controlled infrastructure-as-code (IaC).

Simple in concept. Surprisingly rare in practice.

Why It Matters

Network devices are high-value targets. Routers, switches, and firewalls sit at the center of your environment: they control what traffic goes where, who can reach what, and how your entire network is segmented. If an attacker gets administrative access to your network infrastructure, they can reroute traffic, disable controls, and move laterally without tripping a single alarm.

And if you're managing those devices over unencrypted protocols, you're handing attackers a free pass. Telnet sends credentials in plaintext. SNMPv1 and v2 community strings are essentially passwords transmitted in the clear. HTTP management interfaces expose everything to anyone who can intercept traffic on the wire, which, inside your own network, isn't particularly hard.

The version-controlled IaC piece matters too. When every configuration change is tracked in a repository, you have an audit trail. You can see who changed what, when, and why. And when something breaks, or when someone does something they shouldn't, you can roll back.

What To Do: Implementation Steps

  1. Audit your current management protocols. Inventory all network devices and document which management protocols are currently enabled. You may be surprised how many devices still have Telnet or HTTP management enabled by default.
  2. Enable SSH and HTTPS, disable Telnet and HTTP. For every network device, enable SSH (v2) and HTTPS for management access. Disable Telnet and HTTP. This is non-negotiable.
  3. Migrate to SNMPv3. If you're using SNMP for monitoring and management, move to SNMPv3, which supports authentication and encryption. Disable SNMPv1 and v2; their community strings are a known attack vector.
  4. Implement infrastructure-as-code for configuration management. Use tools like Ansible, Terraform, or vendor-specific automation platforms to manage network device configurations programmatically. Store those configurations in a version-controlled repository (Git is the standard).
  5. Require MFA for administrative access to network devices. Admin access to network infrastructure should require multi-factor authentication. Combine this with role-based access control so that only authorized personnel can make changes.
  6. Review and test regularly. Periodically audit your network devices to confirm that insecure protocols remain disabled and that configuration management practices are being followed. Configuration drift is real: devices get reconfigured during incidents, and those emergency changes don't always get cleaned up properly.
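Steps 1 and 6 both come down to checking device configurations for insecure management settings, and once configs live in a Git repository (step 4) that check can run on every commit. The following is an added example, not code from the post or from CIS: a small audit of IOS-style configuration text that flags Telnet on VTY lines, HTTP management, disabled HTTPS, and SNMPv1/v2c community strings. The regexes and the two sample configs are constructed assumptions about that syntax, not output from any real device.

```python
import re

# Constructed sample config (IOS-style syntax assumed); shows the insecure defaults
# the audit should catch. Not taken from any real device.
SAMPLE_CONFIG = """\
hostname core-sw-01
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server group netops v3 priv
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened version of the same device: SSH-only VTY, HTTPS-only
# management, SNMPv3 group with authentication and privacy, no community strings.
HARDENED_CONFIG = """\
hostname core-sw-01
no ip http server
ip http secure-server
snmp-server group netops v3 priv
line vty 0 4
 transport input ssh
 login local
"""

# (check_id, pattern matched against one config line, remediation message).
# Patterns are assumptions about IOS-style syntax; adapt them per vendor.
CHECKS = [
    ("telnet-enabled", re.compile(r"^\s*transport input .*\btelnet\b"),
     "Telnet allowed on VTY lines; use 'transport input ssh' only"),
    ("http-enabled", re.compile(r"^ip http server\b"),
     "HTTP management enabled; disable it and use HTTPS"),
    ("https-disabled", re.compile(r"^no ip http secure-server\b"),
     "HTTPS management disabled"),
    ("snmp-v1v2c", re.compile(r"^snmp-server community\b"),
     "SNMPv1/v2c community string configured; migrate to SNMPv3"),
]

def audit_config(config_text):
    """Return (check_id, line_no, message) for every insecure setting, in line order."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for check_id, pattern, message in CHECKS:
            if pattern.search(line):
                findings.append((check_id, line_no, message))
    return findings

def is_compliant(config_text):
    """True when the config has no management-plane findings (usable as a CI gate)."""
    return not audit_config(config_text)

if __name__ == "__main__":
    for check_id, line_no, message in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: [{check_id}] {message}")
```

Run against the configs exported from your devices (or the files in the IaC repository) and fail the pipeline when `is_compliant` returns False; the line numbers point straight at the setting to fix.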

Final Thoughts

Ethan Hunt would never accept a mission briefing delivered over an open, unencrypted channel. Your network team shouldn't have to either. The protocols you use to manage your infrastructure aren't just a technical preference; they're a security control. Telnet and unencrypted SNMP had their day. That day is over.

Lock down your management plane. Version-control your configs. Require MFA. And if someone on your team is still reaching for Telnet out of habit, it's time for a conversation, preferably over an encrypted channel.

Free Resource: The CIS Controls are available for free at cisecurity.org. If you want to dig into Control 12 and the full implementation guidance, it's worth the read.

Have questions about where your organization stands on Safeguard 12.3? DM me; I'm happy to talk it through.

Official CIS Control and Safeguard Text

CIS Control 12: Network Infrastructure Management

CIS Safeguard 12.3: Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

Shameless Marketing Information

Gotham Technology Group offers network infrastructure security assessments and managed network services. If you want expert eyes on your environment, we're here for it.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry's most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.