In Mission: Impossible, Ethan Hunt's team never broadcasts mission details over open channels. Every transmission is encrypted, every agent is authenticated, and the briefing self-destructs after viewing. The IMF doesn't leave sensitive operational details lying around where anyone can intercept them, because they understand that the channel matters just as much as the message.
Meanwhile, plenty of organizations are still managing their routers, switches, and firewalls over Telnet. That's the network equivalent of leaving your mission briefing taped to a bulletin board in the lobby. Anyone on the network can read it.
What Is CIS Safeguard 12.3?
Safeguard 12.3 falls under CIS Control 12: Network Infrastructure Management, and its security function is Protect. It applies to IG2 and IG3 organizations. The directive is straightforward: manage your network infrastructure securely. That means using encrypted management protocols, SSH instead of Telnet, HTTPS instead of HTTP, SNMPv3 instead of SNMPv1 or v2, and managing your configurations through version-controlled infrastructure-as-code (IaC).
Simple in concept. Surprisingly rare in practice.
Why It Matters
Network devices are high-value targets. Routers, switches, and firewalls sit at the center of your environment: they control what traffic goes where, who can reach what, and how your entire network is segmented. If an attacker gets administrative access to your network infrastructure, they can reroute traffic, disable controls, and move laterally without tripping a single alarm.
And if you're managing those devices over unencrypted protocols, you're handing attackers a free pass. Telnet sends credentials in plaintext. SNMPv1 and v2 community strings are essentially passwords transmitted in the clear. HTTP management interfaces expose everything to anyone who can intercept traffic on the wire, which, inside your own network, isn't particularly hard.
The version-controlled IaC piece matters too. When every configuration change is tracked in a repository, you have an audit trail. You can see who changed what, when, and why. And when something breaks, or when someone does something they shouldn't, you can roll back.
What To Do: Implementation Steps
- Audit your current management protocols. Inventory all network devices and document which management protocols are currently enabled. You may be surprised how many devices still have Telnet or HTTP management enabled by default.
- Enable SSH and HTTPS, disable Telnet and HTTP. For every network device, enable SSH (v2) and HTTPS for management access. Disable Telnet and HTTP. This is non-negotiable.
- Migrate to SNMPv3. If you're using SNMP for monitoring and management, move to SNMPv3, which supports authentication and encryption. Disable SNMPv1 and v2; their community strings are a known attack vector.
- Implement infrastructure-as-code for configuration management. Use tools like Ansible, Terraform, or vendor-specific automation platforms to manage network device configurations programmatically. Store those configurations in a version-controlled repository (Git is the standard).
- Require MFA for administrative access to network devices. Admin access to network infrastructure should require multi-factor authentication. Combine this with role-based access control so that only authorized personnel can make changes.
- Review and test regularly. Periodically audit your network devices to confirm that insecure protocols remain disabled and that configuration management practices are being followed. Configuration drift is real: devices get reconfigured during incidents, and those emergency changes don't always get cleaned up properly.
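The steps above come together as one small audit tool. The following is an added example written for this post, not code from CIS or from any vendor: it takes IOS-style configuration text (either the files in your Git repo or a device's running configuration), flags the cleartext management protocols the safeguard tells you to retire (Telnet, HTTP, SNMPv1/v2c), checks that SSHv2 and SNMPv3 with privacy are in place, and diffs the repo copy against the device to surface drift. The command syntax is assumed to be Cisco IOS-style, the device names, group name and sample configurations are constructed for illustration, and the rule identifiers are made up for this example.

```python
"""Management-plane audit for network device configs (CIS Safeguard 12.3).

Checks IOS-style configuration text for cleartext management protocols
(Telnet, HTTP, SNMPv1/v2c) and for SSHv2 and SNMPv3-with-privacy being in
place. Run it against the configs in the version-controlled repo (pre-commit
hook or CI job) and against 'show running-config' output pulled from the
devices; the drift check compares the two.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    rule: str    # short rule id (constructed for this example)
    detail: str  # human-readable explanation


def vty_transports(cfg: str) -> set[str]:
    """Collect every protocol named on 'transport input' lines under vty."""
    protos: set[str] = set()
    for m in re.finditer(r"^\s+transport input (.+)$", cfg, re.M):
        protos.update(m.group(1).split())
    return protos


def audit_config(device: str, cfg: str) -> list[Finding]:
    """Return one Finding per insecure or missing management-plane setting."""
    f: list[Finding] = []
    t = vty_transports(cfg)
    if "telnet" in t or "all" in t:
        f.append(Finding(device, "MGMT-TELNET", f"vty allows telnet: {sorted(t)}"))
    if not ("ssh" in t or "all" in t):
        f.append(Finding(device, "MGMT-NO-SSH", "no vty line accepts ssh"))
    if not re.search(r"^ip ssh version 2$", cfg, re.M):
        f.append(Finding(device, "MGMT-SSHV1", "'ip ssh version 2' missing; v1 fallback possible"))
    if re.search(r"^ip http server$", cfg, re.M):  # 'no ip http server' does not match
        f.append(Finding(device, "MGMT-HTTP", "cleartext HTTP management enabled"))
    for m in re.finditer(r"^snmp-server community (\S+)", cfg, re.M):
        f.append(Finding(device, "SNMP-V1V2C", f"v1/v2c community configured: {m.group(1)!r}"))
    for m in re.finditer(r"^snmp-server group (\S+) v3 (\S+)", cfg, re.M):
        if m.group(2) != "priv":  # 'noauth'/'auth' authenticate but do not encrypt
            f.append(Finding(device, "SNMP-V3-NOPRIV", f"group {m.group(1)} is v3 {m.group(2)}, not priv"))
    return f


def config_drift(baseline: str, running: str) -> tuple[list[str], list[str]]:
    """Lines on the device that are not in the repo (added) and vice versa (removed).
    Comment lines ('!') are skipped because IOS writes timestamps there."""
    def lines(cfg: str) -> set[str]:
        return {ln.rstrip() for ln in cfg.splitlines()
                if ln.strip() and not ln.lstrip().startswith("!")}
    b, r = lines(baseline), lines(running)
    return sorted(r - b), sorted(b - r)


# Constructed sample configs (not from any real device).
LEGACY_CFG = """hostname legacy-sw1
!
ip http server
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CFG = """hostname core-sw1
!
ip ssh version 2
no ip http server
ip http secure-server
snmp-server group NETMON v3 priv
!
line vty 0 4
 transport input ssh
 login local
"""

# Constructed 'show running-config' output: someone re-enabled Telnet during an
# incident and never reverted it in the repo.
DRIFTED_RUNNING = "! Last configuration change at 02:14:07 UTC\n" + HARDENED_CFG.replace(
    " transport input ssh\n", " transport input telnet ssh\n")


def main() -> None:
    for dev, cfg in (("legacy-sw1", LEGACY_CFG), ("core-sw1", HARDENED_CFG)):
        for fnd in audit_config(dev, cfg):
            print(f"{fnd.device}: [{fnd.rule}] {fnd.detail}")
    added, removed = config_drift(HARDENED_CFG, DRIFTED_RUNNING)
    print("drift on core-sw1 -> added:", added, "removed:", removed)


if __name__ == "__main__":
    main()
```

Wired into the repo as a CI job, `audit_config` fails the build on any finding, so a change that re-enables Telnet or adds a community string never reaches a device; run on a schedule against pulled running configs, `config_drift` is the step-6 check that catches the emergency change nobody cleaned up.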
Final Thoughts
Ethan Hunt would never accept a mission briefing delivered over an open, unencrypted channel. Your network team shouldn't have to either. The protocols you use to manage your infrastructure aren't just a technical preference; they're a security control. Telnet and unencrypted SNMP had their day. That day is over.
Lock down your management plane. Version-control your configs. Require MFA. And if someone on your team is still reaching for Telnet out of habit, it's time for a conversation, preferably over an encrypted channel.
Free Resource: The CIS Controls are available for free at cisecurity.org. If you want to dig into Control 12 and the full implementation guidance, it's worth the read.
Have questions about where your organization stands on Safeguard 12.3? DM me, happy to talk it through.
Official CIS Control and Safeguard Text
CIS Control 12: Network Infrastructure Management
CIS Safeguard 12.3: Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Shameless Marketing Information
Gotham Technology Group offers network infrastructure security assessments and managed network services. If you want expert eyes on your environment, we're here for it.