Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the network device interface ACLs to verify all deny statements are logged. If deny statements are not logged, this is a finding.
Configure interface ACLs to log all deny statements.
Review the firewall or premise router configuration to determine if NAT has been implemented.
Implement Network Address Translation (NAT) on the firewall or premise router for NIPRNet Enclaves.
Have the SA display the configuration settings that enable this feature. Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples: In CISCO Router(config)# crypto ipsec transform-set transform-set-name transform1 Router(cfg-crypto-tran)# mode tunnel OR in Junos edit security ipsec security-association sa-name] mode tunnel
Establish the VPN as a tunneled VPN. Terminate the tunneled VPN outside of the firewall. Ensure all host-to-host VPN are established between trusted known hosts.
Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.
Configure the network devices so it will require a password to gain administrative access to the device.
Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.
Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."
Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup). If the device is configured as a client resolver and DNS servers are not defined, this is a finding.
Configure the device to include DNS servers or disable domain lookup.
Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management network. If the device is not configured to filter SNMP from the management network only, this is a finding.
Configure the network devices to only allow SNMP access from only addresses belonging to the management network.
Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.
Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.
Have the FA display the services running on the firewall appliance or underlying OS.CAVEAT: Anti-virus software running on the firewall's OS would be an exception to the above requirement. In fact, it is recommended that anti-virus software be implemented on any non-appliance firewall if supported. However, it is not a finding if anti-virus software has not been implemented. If unnecessary services are found to be running on the firewall, this is a finding.
The Firewall Administrator will only utilize services related to the operation of the firewall and even if they are part of the firewall standard suite, they will be uninstalled or disabled.
Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.
Configure individual user accounts for each authorized person then remove any group accounts.
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.
Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.
Review the network devices configuration to determine if passwords are viewable. If passwords are viewable in plaintext, this is a finding.
Configure the network devices to ensure passwords are not viewable when displaying configuration information.
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
Review the device configuration to determine that HTTP is not enabled for administrative access. If the device allows the use of HTTP for administrative access, this is a finding.
Configure the device to disable using HTTP (port 80) for administrative access.
Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.
Remove any vendor default passwords from the network devices configuration.
Review the device configurations to determine if denial of service attacks guarded against. If the device is not configured to mitigate denial of service attacks, this is a finding.
If the firewall support SYN-flood or ping sweep protection then enable these features. If the firewall does not support these features, enable the security features on the router to protect the network from these attacks.
Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.
Update operating system to a supported version that addresses all related IAVMs.
Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.
Configure authentication for all management connections.
The SA shall define clipping levels / thresholds as a baseline to display alert messages on specific attacks identifying the potential security violation or attack. Review the IDS or firewall configuration to determine what alerts have been defined and how the notifications are performed. If the device is not configured to alert the administrator of potential failures, this is a finding.
Configure the IDS or firewall to alarm the SA of potential attacks or system failure.
Review the device configuration to determine if all administrative actions are being logged. If administrative actions are not being logged, this is a finding.
Configure the network device to log all administrative actions performed on the device.
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.
If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).
Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.
Configure unique SNMP community strings replacing the default community strings.
Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.
Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.
Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.
Configure the timeout for idle console connection to 10 minutes or less.
Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding.
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
Review the network topology diagram, and review VPN concentrators. Verify that L2TP is not permitted into the enclave's private network. L2TP uses TCP and UDP ports 1701. See the PPS Vulnerability Assessment for additional protocol guidance and reference the Backbone Transport STIG for exceptions. If L2TP is not filtered outbound, this is a finding.
Terminate L2TP tunnels at the enclave perimeter, either in the DMZ or a service network for filtering and content inspection before passing traffic to the enclave's private network.
Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.
Configure authentication for console access on the network device.
Review documentation that the OS was STIG compliant prior to firewall installation and that the appropriate patches have been applied that address all IAVAs.
The firewall administrator will install all patches that address IAVA.
Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.
Configure an ACL or filter to restrict management access to the device from only the management network.
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.
Configure the network devices so it will require a secure shell timeout of 60 seconds or less.
Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.
Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.
Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.
Identify the device or devices that make up the perimeter defense. Review the configuration of the premise routers and firewalls and verify that the filters are IAW DoD 8551. SA will review PPS Vulnerability Assessment of every port allowed into the enclave and apply all appropriate mitigations defined in the VA report. All ports and protocols allowed into the enclave must be registered in the PPSM database. Note: It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database.
The SA will utilize ingress and egress ACLs to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments.
Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
Inspect the device configuration to validate IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (i.e. NIPRNet, SIPRNet, etc.), backdoor link, or an alternate gateway (AG). If router advertisements are not suppressed on external facing IPv6 interfaces, this is a finding.
Configure the network device to enable route advertisement suppression on all external facing have IPv6 enabled on the interface.
Review the firewall configuration and verify both ingress and egress traffic is being inspected. If any traffic is able to leave or enter the enclave without being inspected by the firewall, then this is a finding.
Ensure the firewall has content and protocol inspection implemented for all ingress and egress traffic.
Review the device configuration to determine if filters are in place to block loopback addresses. If loopback addresses are not being filtered by the firewall, this is a finding.
Establish filters to block any attempt from the firewall or any network to pass any packets claiming to be from a loopback address.
Review the network device or syslog server to determine whether alerts are configured to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data. If alerts are not configured for notification when exceeding storage capacity, this is a finding.
Configure the network device or syslog server to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data.
Review the device configuration to determine if logs are being dumped to a syslog when meeting the 75% storage capacity. If logs aren't being dumped at 75% capacity, this is a finding.
Configure the device to dump logs to a syslog server when reaching a storage capacity of 75%.
Review the firewall configuration to determine what alerts have been defined and how the notifications are performed. If the firewall doesn't have the proper alerts defined, this is a finding.
Configure the firewall to immediately notify authorized personnel of critical alerts.
Review the firewall configuration to determine what alerts have been defined and how the notifications are performed. The message must be displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged. The firewall shall immediately display an alarm message, identifying the potential security violation and make accessible the audit record contents associated with the auditable event(s) that generated the alarm. This can also be accomplished by sending email alerts using an Exchange receipt. If alerts are not configured for notification to remote consoles, this is a finding.
Configure the firewall to immediately write an alarm message to the remote consoles.
Review the firewall configuration to determine what alerts have been defined and how the notifications are performed. The relevant audit information must be available to administrators. The message will not be scrolled off the screen due to other activities taking place (e.g., the Audit Administrator is running an audit report). If the device does not write violations to the console and make accessible the audit record contents, this is a finding.
Configure the firewall to write violations to the console and make accessible the audit record contents.
Review the firewall configuration to determine what alerts have been defined and how the notifications are performed. Verify alerts generated will remain until acknowledged. If the device is not configured to send or retain notifications until acknowledgement, this is a finding.
Configure the firewall to send an alarm or retain an alert message until acknowledged.
The firewall shall display an acknowledgement message identifying a reference to the potential security violation, a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm at the remote administrator sessions that received the alarm. Have the administrator verify these capabilities. If the notifications do not include the proper references, this is a finding.
Configure the firewall to send acknowledge messages to administrators, referencing the alarm, who acknowledged the alarm, and timestamps.
Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.
Configure the device so rotating keys expire at 180 days or less.
Review the device configuration and verify it is authenticating the NTP messages received from the NTP server or peer. Authentication must be performed using either PKI (supported in NTP v4) or SHA-1 hashing algorithm. If NTP messages are not authenticated using PKI or SHA-1 hashing, this is a finding.
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or SHA-1 hashing algorithm.
Review the device configuration to ensure FEC0::/10 IP addresses are not defined. If FEC0::/10 IP addresses are defined, this is a finding.
Configure the device using authorized IP addresses.
Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.
Configure the network device to use SSH version 2.
Inspect the network device configuration to validate Teredo packets, UDP port 3544 is blocked both inbound to the enclave and outbound from the enclave. This requirement must be administered on either the perimeter router or firewall. If Teredo is not blocked one of these devices, this is a finding.
Configure either the perimeter router or firewall to block UDP port 3544 traffic inbound and outbound.
Review network diagram in the STIG and ensure the architecture is designed correctly. The interface facing the IPv4 LAN network must not receive IPv6 traffic. This can be accomplished by not having IPv6 on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at this interface. If interfaces supporting IPv4 in NAT-PT receive IPv6 traffic, this is a finding.
This can be accomplished by not having IPv6 enabled on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at the interface.
Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.
Configure the device to use two separate authentication servers.
Review the emergency account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency account is configured for more access than needed to troubleshoot issues, this is a finding.
Assign a privilege level to the emergency account to allow the administrator to perform necessary administrative functions when the authentication server is not online.
Where IPSec technology is deployed to connect the OOBM gateway routers or firewall, the traffic entering the tunnels must be restricted to only the authorized management packets based on destination and source IP address from the address block used for the management network. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 10.1.1.0/24 is the management address block used at the network being managed (i.e., the enclave). When the AS PIC receives traffic on the inside interface associated with a service set, the AS PIC applies the configured Layer 3 services and then forwards the packet back to the router through the outside interface. Likewise, when the AS PIC receives traffic on the outside interface associated with a service set, it forwards the packet back to the router through the inside interface after applying the configured Layer 3 services. hostname VPN-Gateway1 ! interface Ethernet0/0 nameif Outside security-level 0 ip address 19.16.1.254 255.255.255.252 ! interface Ethernet0/1 nameif Inside security-level 100 ip address 10.1.1.1 255.255.255.0 ! isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map Outside_map ipsec-isakmp crypto map Outside_map 20 match address 101 crypto map Outside_map 20 set peer 19.16.2.254 crypto map Outside_map 20 set transform-set ESP-3DES-SHA crypto map Outside_map interface Outside ! isakmp key ***** 19.16.2.254 netmask 255.255.255.255 isakmp enable Outside ! access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 sysopt connection permit-ipsec Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).
Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.
Verify the configuration at the remote VPN end-point is a mirror configuration as that reviewed for the local end-point.
Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.
Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.
Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. If the management interface is not configured to be passive for IGP instances, this is a finding.
Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
Review the firewall configuration to verify that it is blocking all outbound management traffic. If the firewall is not blocking management network from leaking to outside networks, this is a finding.
With the exception of management traffic destined to perimeter equipment, a firewall located behind the premise router must be configured to block all outbound management traffic.
For both the NOC and the managed network, the IPSec tunnel end points may be configured on the premise or gateway router, a VPN gateway firewall or VPN concentrator. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation.
Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.
Review the device configuration to validate an ACL with a deny-by-default security posture has been implemented on the server VLAN interface.
Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.
Review the firewall protecting the server farm. Vlan configurations should have a filter that secures the servers located on the vlan segment. Identify the source ip addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny by default posture. If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, than review the VLAN definition on the L3 switch.
Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder.
Identify the VLAN IP subnet and determine if the subnet passes content inspect by a firewall capable on content inspection.
Configure the firewall to inspect traffic content to and from the server farm.
Review the device configuration to ensure filters are in place to restrict the IP addresses explicitly or implicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny 6-to-4 tunnel addresses and log all violations. source type: 2002::/16 If filters are not in place to deny 6-to-4 tunnel addresses, this is a finding.
Configure the device using filters to restrict IP addresses that contain any 6-to-4 addresses.
Review the device configuration to determine filters drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2. If IPv6 Jumbo Payloads are not dropped, this is a finding. Alternatively, if the system is specifically designed to use very large payloads and its use is documented in architecture design documents, than this is not a finding.
Configure the firewall to drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.
Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.
Configure the device to use two separate NTP servers.
Verify that the software implemented on the router or firewall has been updated to a release that mitigates the risk of a DNS cache poisoning attack. A number of vendors have released patches to implement source port randomization. This change significantly reduces the practicality of cache poisoning attacks. See the Systems Affected section at http://www.kb.cert.org/vuls/id/800113 for additional details for specific products not listed below. The following BlueCoat products are vulnerable: Proxy SG: Fixed in 4.2.8.6 or 5.2.4.3 and later. Director: Fixed in: 4.2.2.4 or 5.2.2.5 and later. Proxy RA: Fixed in 2.3.2.1 and later. The following Secure Computing products are vulnerable: Sidewinder G2 6.1 .0.01 Sidewinder G2 6.1 .0.02 Sidewinder 5.0 Sidewinder 5.0 .0.01 Sidewinder 5.0 .0.02 Sidewinder 5.0 .0.03 Sidewinder 5.0 .0.04 Sidewinder 5.1 Sidewinder 5.1 .0.01 Sidewinder 5.1 .0.02 Sidewinder 5.1 .1 Sidewinder 5.1 .1.01 Sidewinder 5.2 Sidewinder 5.2 .0.01 Sidewinder 5.2 .0.02 Sidewinder 5.2 .0.03 Sidewinder 5.2 .0.04 Sidewinder 5.2 .1 Sidewinder 5.2 .1.02 Sidewinder 5.2.1 .10 Sidewinder Software 5.0 Sidewinder Software 5.0 .0.01 Sidewinder Software 5.0 .0.02 Sidewinder Software 5.0 .0.03 Sidewinder Software 5.0 .0.04 Sidewinder Software 5.1 Sidewinder Software 5.1 .0.01 Sidewinder Software 5.1 .0.02 Sidewinder Software 5.1 .1 Sidewinder Software 5.1 .1.01 Sidewinder Software 5.2 Sidewinder Software 5.2 .0.01 Sidewinder Software 5.2 .0.02 Sidewinder Software 5.2 .0.03 Sidewinder Software 5.2 .0.04 Sidewinder Software 5.2 .1 Sidewinder Software 5.2 .1.02 CyberGuard Classic CyberGuard TSP See Secure Computing Knowledgebase article 11446 for the resolution to updates to these vulnerable products. The following Juniper Networks ScreenOS firewall versions are vulnerable. ScreenOS 5.1 ScreenOS 5.2 The following Cisco PIX/ASA releases are vulnerable: 6.3(5) and earlier. Fixed with 6.3(5.144) and later 7.0 Fixed with 7.0(8.1) 7.1 Fixed with 7.1(2.74) 7.2 Fixed with 7.2(4.9) 8.0 Fixed with 8.0(3.32) 8.1 Fixed with 8.1(1.8) , 8.1(1.100), and 8.1(101.4) 8.2 Fixed with 8.2(0.140)
Update the OS to the release that mitigates the risk of a DNS cache poisoning attack
Review the device configuration to validate timestamps are configured for logging. If timestamps are not configured for logging purposes, this is a finding.
Configure the network device to include timestamps on all device logs.
Review the active logs and verify the source IP, destination IP, port, protocol used and action taken are recorded fields in the event record. If logs do not include the source IP, destination IP, port, or protocol, this is a finding.
Ensure the firewall logs are receiving source IP, destination IP, port, protocol used and action taken.
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding.
Configure the network device to disable the call home service or feature.
Drop all inbound IPv6 packets for which the layer 4 protocol and ports (if applicable) cannot be located. Drop all inbound IPv6 packets with a Type 0 Routing Header unless those packets also contain an IPSec AH or IPSec ESP header. Drop all inbound IPv6 packets containing undefined header extensions/protocol values. Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering to include protocol/port values cannot be determined. Drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.
Identify the firewall capabilities to ensure they support the DITO requirements prior to procurement. Review current alternatives defined in the MO3 guidance for mitigation.