Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the network device interface ACLs to verify all deny statements are logged. If deny statements are not logged, this is a finding.
Configure interface ACLs to log all deny statements.
Have the SA display the configuration settings that enable this feature. Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples: In CISCO Router(config)# crypto ipsec transform-set transform-set-name transform1 Router(cfg-crypto-tran)# mode tunnel OR in Junos edit security ipsec security-association sa-name] mode tunnel
Establish the VPN as a tunneled VPN. Terminate the tunneled VPN outside of the firewall. Ensure all host-to-host VPN are established between trusted known hosts.
Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.
Configure the network devices so it will require a password to gain administrative access to the device.
Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.
Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."
Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup). If the device is configured as a client resolver and DNS servers are not defined, this is a finding.
Configure the device to include DNS servers or disable domain lookup.
Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management network. If the device is not configured to filter SNMP from the management network only, this is a finding.
Configure the network devices to only allow SNMP access from only addresses belonging to the management network.
Review the device configuration to determine if authentication is configured for all IGP peers. If authentication is not configured for all IGP peers, this is a finding.
Configure authentication for all IGP peers.
Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.
Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.
Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.
Configure individual user accounts for each authorized person then remove any group accounts.
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.
Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.
Review the network devices configuration to determine if passwords are viewable. If passwords are viewable in plaintext, this is a finding.
Configure the network devices to ensure passwords are not viewable when displaying configuration information.
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
Review the running and boot configurations to determine if they are synchronized. IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. The "show startup-config" command will show the NVRAM startup configuration. Compare the two configurations to ensure they are synchronized. JUNOS Procedure: This will never be a finding. The active configuration is stored on flash as juniper.conf. A candidate configuration allows configuration changes while in configuration mode without initiating operational changes. The router implements the candidate configuration when it is committed; thereby, making it the new active configuration--at which time it will be stored on flash as juniper.conf and the old juniper.conf will become juniper.conf.1. If running configuration and boot configurations are not the same, this is a finding.
Add procedures to the standard operating procedure to keep the running configuration synchronized with the startup configuration.
Review the device configuration to determine if Finger has been implemented. If the Finger service is enabled, this is a finding.
Configure the device to disable the Finger service.
Review the configuration to determine if source routing is disabled. If IP source routing is enabled, this is a finding.
Configure the router to disable IP source routing.
Review the device configuration to determine that HTTP is not enabled for administrative access. The HTTPS server may be enabled for administrative access. If the device allows the use of HTTP for administrative access, this is a finding.
Configure the device to disable using HTTP (port 80) for administrative access.
Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.
Remove any vendor default passwords from the network devices configuration.
Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.
Update operating system to a supported version that addresses all related IAVMs.
Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.
Configure authentication for all management connections.
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.
If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).
Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.
Configure unique SNMP community strings replacing the default community strings.
Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the local account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.
Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.
Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.
Configure the timeout for idle console connection to 10 minutes or less.
Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding.
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
Review the device configuration and verify that access ports have not been assigned membership to the VLAN 1. If any access ports are found in VLAN 1, this is a finding.
Best practices for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic.
Review the device configuration to determine if VLAN 1 is pruned from all trunk and access switch ports. If VLAN 1 is not pruned from trunk or access switch ports where it's not required, this is a finding.
Best practice for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 and insure that it does not traverse trunks not requiring VLAN 1 traffic.
Review the device configuration to determine if all disabled ports have been placed into an unused VLAN. The VLAN must not be VLAN 1. If disabled ports are not assigned to an unused VLAN or have been placed into VLAN 1, this is a finding.
Assign all disabled ports to an unused VLAN. Do not use VLAN1.
Review the switch configurations and examine all access ports. Verify that they do not belong to the native VLAN. If any access switch ports are assigned to the native VLAN, it is a finding.
To insure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. Access switchports must never be assigned to the native VLAN.
Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.
Configure authentication for console access on the network device.
Review the network device configuration to ensure all messages up to and including severity level 6 (informational) are logged and sent to a syslog server. Severity Level Message Type 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warning 5 Notifications 6 Informational 7 Debugging If logging does not capture of up severity level 6, this is a finding.
Configure the network device to log all messages except debugging and send all log data to a syslog server.
Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.
Configure an ACL or filter to restrict management access to the device from only the management network.
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.
Configure the network devices so it will require a secure shell timeout of 60 seconds or less.
Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.
Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.
Review the device configuration and examine all trunk links. Verify the native VLAN has been configured to a VLAN other than the default VLAN 1. If the native VLAN has been configured to VLAN 1, this is a finding.
To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. The native VLAN must be the same on both ends of the trunk link; otherwise traffic could accidently leak between broadcast domains.
Review the device configuration to determine if trunking has been disabled on access ports. If trunking is enabled on any access port, this is a finding.
Disable trunking on all access ports.
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant. If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
Configure 802.1 x authentication on all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Configure MAB on those switch ports connected to devices that do not support an 802.1x supplicant.
Review the device configurations to determine if a dedicated VLAN(s) have been implemented for the management network. VLAN 1 must not be used. If a dedicated VLAN or VLANs have not been established for the management network, this is a finding. If VLAN 1 is used for management, this is also a finding.
Best practices for VLAN-based networks is create a dedicated management VLAN, prune unnecessary ports from gaining access to VLAN 1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic.
Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.
Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.
Configure the device so rotating keys expire at 180 days or less.
Review the device configuration to determine if the device has been setup to be an FTP server. If the device has been configured to be an FTP server, this is a finding.
Disable FTP server services on the device.
Review the device configuration and verify there are no BSDr commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) enabled. If BSDr commands are enabled, this is a finding.
Configure the device to disable BSDr command services.
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Downgrade: If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III. If the network element is not configured to authenticate received NTP messages using a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.
Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.
Review the device configuration and determine if authentication services are using the loopback or OOB management interface as the source address. If the loopback or OOB management interface isn't being used as the source address for authentications services, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating authentication services traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating syslog traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for syslog traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating syslog traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating NTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for NTP traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating NTP traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating SNMP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for SNMP traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating SNMP traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating NetFlow traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for IP Flow/NetFlow traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.
Review the device configuration to verify the loopback interface address is used as the source address when originating TFTP or FTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for TFTP or FTP traffic, this is a finding.
Configure the network device to use a loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
Review the configuration and verify iBGP peering uses the devices loopback interface address as the source address. If the loopback interface isn't being used as the source address for iBGP peering, this is a finding.
Configure the network device's loopback address as the source address for iBGP peering.
Review the device configuration to ensure FEC0::/10 IP addresses are not defined. If FEC0::/10 IP addresses are defined, this is a finding.
Configure the device using authorized IP addresses.
Unicast Strict mode: Review the router configuration to ensure uRPF has been configured on all internal interfaces.
The network element must be configured to ensure that an ACL is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.
Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.
Configure the network device to use SSH version 2.
Verify ISATAP tunnels are terminated on the infrastructure routers or L3 switches within the enclave.
Terminate ISATAP tunnels at the infrastructure router to prohibit tunneled traffic from exiting the enclave perimeter prior to inspection by the IDS, IPS, or firewall.
Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.
Configure the device to use two separate authentication servers.
Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.
Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.
Review the device configuration to determine if IPSec tunnels used in transiting management traffic are filtered to only accept authorized traffic based on source and destination IP addresses of the management network. If filters are not restricting only authorized management traffic into the IPSec tunnel, this is a finding.
Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.
Verify the configuration at the remote VPN end-point is a mirror configuration as that reviewed for the local end-point.
Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network.
Ensure that multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that the all interfaces are configured for the appropriate IGP instance.
Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa. As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well. If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration examples, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone.
Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.
Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.
Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.
Examine the egress filter on the OOBM interface of the gateway router to verify that only traffic sourced from the management address space is allowed to transit the OOBM backbone. In the example configurations below, the 10.1.1.0/24 is the management network address space at the enclave or managed network and 10.2.2.0/24 is the management network address space at the NOC.
Configure the OOBM gateway router interface ACLs to ensure traffic from the managed network does not leak into the management network.
Examine the ingress filter on the OOBM interface of the gateway router to verify that traffic is only destined to the local management address space. If the device is not configured from prohibiting management traffic off the managed network, this is a finding.
Configure access control lists or filters to block any traffic from the management network destined for the managed network's production address spaces.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.
Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.
Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. If the management interface is not configured to be passive for IGP instances, this is a finding.
Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
Review the managed switch configuration and verify that the access port connected to the OOBM access switch has been assigned to the management VLAN.
If the management interface is an access switchport, assign it to a separate management VLAN while the remainder of the access switchports can be assigned to user VLANs belonging to the managed network. This provides some level of separation between the management network and the managed network.
Review the managed switch configuration and verify that an address has been configured for management VLAN from space belonging to the OOBM network that has been assigned to that site.
Assign an IP address to the management VLAN from the address space belonging to the OOBM network.
Review the managed switch configuration and verify that the access port connected to the OOBM access switch is the only port has been assigned to the management VLAN.
Ensure that the access switchport connecting to the OOBM access switch is the only port with membership to the management VLAN
By default all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via OOBM connection, management traffic should not traverse any trunk links.
Prune the management VLAN from any VLAN trunk links belonging to the managed network’s infrastructure.
Review the switch configuration to determine if the management VLAN has been assigned an IP address from the management network address block. If the management VLAN interface has not been assigned an IP address from the management network address block, this is a finding.
Configure the management VLAN with an IP address from the management network address block.
Review the configuration to determine if an inbound ACL has been configured for the management VLAN interface to block non-management traffic. If an inbound ACL has not been configured, this is a finding.
If an MLS is used to provide inter-VLAN routing, configure an inbound ACL for the management network VLAN interface.
Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface.
If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.
For both the NOC and the managed network, the IPSec tunnel end points may be configured on the premise or gateway router, a VPN gateway firewall or VPN concentrator. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation.
Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.
Review the configuration of the MLS or router to determine if the management traffic is classified and marked to a favorable PHB at the distribution layer. According to the DISN approved QoS classifications, control plane and management plane traffic should use DSCP 48 (Network-Control PHB). In the example configurations below, an infrastructure router within the managed network’s distribution layer will classify and mark at ingress all traffic destined to management network with DSCP 48.
When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network. Verify that a service policy is bound to all core or internal router interfaces. The service policy should be configured to place management traffic in the appropriate forwarding class. The classes must be configured to receive the required service.
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic.
Review the firewall protecting the server farm to validate an ACL with a deny-by-default security posture has been implemented that secures the servers located on the VLAN. If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, then review the ACL configured for the VLAN on the L3 switch.
Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.
Review the firewall protecting the server farm. Vlan configurations should have a filter that secures the servers located on the vlan segment. Identify the source ip addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny by default posture. If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, than review the VLAN definition on the L3 switch.
Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder.
Review the device configuration to determine if a VLAN has been established for printers.
Create a VLAN on the device for print type devices and assign printers to the VLAN ID.
To verify compliance with this requirement, an ACL must be configured on the L3 switch VLAN interface assigned for the printer VLAN, or on the firewall interface connecting to the printer VLAN. Exception to this requirement is traffic from RSD sensors connected to the VLAN. Note: The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are ports 515, 631, 1782, 9100, 9101, and 9102. The SA can review RFC 1700 Port Assignments and review printer vendor documents to determine what ports should be allowed.
Define the filter on the VLAN ACL or build a firewall ruleset to accomplish the requirment.
A shutdown action puts the interface into the error-disabled state immediately and sends an SNMP trap notification if it receives a frame with a different layer 2 source address that what has been configured or learned for port security. The following Catalyst IOS interface command will shutdown the interface when such an event occurs: switchport port-security violation shutdown
Configure the port to shutdown when insecure hosts are connected to the wall jack.
Review the switch configuration to verify each access port is configured for a single registered MAC address. Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port. Another green initiative where a single LAN drop is shared among several devices is called "hot-desking", which is related to conservation of office space and teleworking. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security, but to use a static mapping of authorized devices or implement 802.1x. If this is not a teleworking remote location, this exemption does not apply.
Configure the switch to limit the maximum number of registered MAC addresses on each access switch port to one.
Identify the tunnel endpoints, then review all routing devices to ensure the tunnel entry point is not used as a default route. Traffic destined to the tunnel should be directed to the tunnel endpoint by static routes, policy based routing, or by the mechanics of the interior routing protocol, but not by default route statements.
The SA must carefully plan and configure or let IGP determine what goes into each tunnel.
Determine if control plane protection has been implemented on the device by verifying traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class. If the device doesn't have any control plane protection configured on the device, this is a finding.
Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.
An administratively scoped IP multicast region is defined to be a topological region in which there are one or more boundary routers with common boundary definitions. Such a router is said to be a boundary for multicast scoped addresses in the range defined in its configuration. In order to support administratively scoped multicast, a multicast boundary router will drop multicast traffic matching an interface's boundary definition in either direction. The IPv4 administrative scoped multicast address space is 239/8 which is divided into two scope levels: the Local Scope and Organization Local Scope. The Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The IPv4 Organization Local Scope is 239.192.0.0/14 is the space from which an organization should allocate sub-ranges when defining scopes for private use. This scope can be expanded to 239.128.0.0/10, 239.64.0.0/10, and 239.0.0.0/10 if necessary. The scope of IPv6 multicast packets are determined by the scope value where 4 (ffx4::/16) is Admin-local, 5 (ffx5::/16) is Site-local, and 8 (ffx8::/16) is Organization-local. Review the multicast topology to determine any documented Admin-local (scope = 4) or Site-local (scope = 5) multicast boundaries for IPv6 traffic or any Local-scope (address block 239.255.0.0/16) boundary for IPv4 traffic. Verify that appropriate boundaries are configured on the applicable multicast-enabled interfaces.
Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The scope of IPv6 multicast packets are determined by the scope value where 4 is Admin-local and 5 is Site-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.
Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.
Configure the device to use two separate NTP servers.
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM is documented in the network’s multicast topology diagram. Review the router or multi-layer switch configuration to determine if multicast routing is enabled and what interfaces are enabled for PIM.
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM is documented in the network’s multicast topology diagram. Enable PIM only on the applicable interfaces according to the multicast topology diagram.
Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.
Review the router or multi-layer switch configuration to determine if the maximum hop limit has been configured. If it has been configured, then it must be set to at least 32. If the maximum hop limit is not set to at least 32, this is a finding.
Configure maximum hop limit to at least 32.
If the router is functioning as a 6to4 router, verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
If the router is functioning as a 6to4 router, verify that an egress filter (inbound on the internal-facing interface) has been configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
Review the router or multi-layer switch configuration and determine if L2TPv3 has been configured to provide transport across an IP network. If it has been configured, verify that the L2TPv3 session requires authentication. If authentication has not been configured for L2TPv3, this is a finding. Note: Layer 2 Forwarding or L2F (RFC2341), which is the "version 1", and L2TPv2 (RFC 2661) are used for remote access services based on the Virtual Private Dial-up Network (VPDN) model--not for tunneling IP packets across a backbone as with L2TPv3. With the VPDN model, a user obtains a layer-2 connection to a RAS using dialup PSTN or ISDN service and then establishes a PPP session over that connection. The L2 termination and PPP session endpoints reside on the RAS. L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices that are interconnected by a backbone network. A remote access client has an L2 connection to an L2TP Access Concentrator (LAC) that tunnels PPP frames across the IP backbone to the L2TP Network Server (LNS) residing in the private network.
Configure L2TPv3 to use authentication for any peering sessions.
Review the device configuration to determine if authentication is being used for all peers. A password or key should be defined for each BGP neighbor regardless of the autonomous system the peer belongs. Most vendors' command lines use a neighbor statement or keyword to specify a BGP peer. If BGP peers are not authenticated, this is a finding.
Configure the device to authenticate all BGP peers.