Network Devices Security Technical Implementation Guide

U_Network_Devices_V8R19_Manual-xccdf.xml

Details

Version / Release: V8R19

Published: 2015-09-22

Updated At: 2018-09-23 05:04:35

Findings

Each finding below is listed as: Rule ID (SV-…), Rule Version (NET…), Severity; followed by its Title, Description, Responsibility and IA Controls. The CCI, Status, Finding Details and Comments columns are empty in this listing.
SV-3008r1_rule  NET1800  MEDIUM
  Title: The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.
  Description: Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premise of the managed networks and at the NOC. Dedicated links can be deployed using provisioned circuits (ATM, Frame Relay, SONET, T-carrier, and others) or VPN technologies (such as subscribing to MPLS Layer 2 and Layer 3 VPN services), or by implementing a secured path with a gateway-to-gateway IPsec tunnel. The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.
  Responsibility: Information Assurance Officer
  IA Controls: EBVC-1, ECSC-1
SV-3012r4_rule  NET0230  HIGH
  Title: Network devices must be password protected.
  Description: Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device, providing opportunity for intruders to compromise resources within the network infrastructure.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1, IAIA-1, IAIA-2
SV-3013r4_rule  NET0340  MEDIUM
  Title: Network devices must display the DoD-approved logon banner warning.
  Description: All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems, by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.
  Responsibility: Information Assurance Officer
  IA Controls: ECWM-1
SV-3014r4_rule  NET1639  MEDIUM
  Title: The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
  Description: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network device and a PC or terminal server when the latter has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network device as well as reduce the risk of a management session being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3031r1_rule  NET1027  LOW
  Title: The syslog administrator will configure the syslog server to collect syslog messages from levels 0 through 6.
  Description: Logging is a critical part of router security. Maintaining an audit trail of system activity can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.
  Responsibility: Information Assurance Officer
  IA Controls: ECAT-1, ECAT-2, ECSC-1
SV-3046r1_rule  NET1710  LOW
  Title: The IAO/NSO will ensure that security alarms are set up within the managed network's framework. At a minimum, these will include the following:
    - Integrity Violation: Indicates that network contents or objects have been illegally modified, deleted, or added.
    - Operational Violation: Indicates that a desired object or service could not be used.
    - Physical Violation: Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization.
    - Security Mec
  Description: Without the proper categories of security alarms being defined on the NMS, responding to critical outages or attacks on the network may not be coordinated correctly with the right personnel, hardware, software or vendor maintenance. Delays will inevitably occur which will cause network outages to last longer than necessary or expose the network to larger, more extensive attacks or outages.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3047r1_rule  NET1720  LOW
  Title: The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines:
    - Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely.
    - A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely.
    - A minor alarm indicates a problem
  Description: Without the proper categories of severity levels being defined on the NMS, outages or attacks may not be responded to by order of criticality. If a critical attack or outage is not responded to first, then there will be a delay in fixing the problem, which may cause network outages to last longer than necessary or expose the network to larger, more extensive attacks or outages.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3050r1_rule  NET1750  LOW
  Title: The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station. NOTE: Include time logged in and out, devices that were accessed and modified, and other activities performed.
  Description: Logging is a critical part of network security. Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Audit logs are also necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.
  Responsibility: Information Assurance Officer
  IA Controls: ECAR-1, ECAR-2, ECAR-3, ECSC-1
SV-3051r1_rule  NET1760  HIGH
  Title: The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual userids and passwords.
  Description: If unauthorized users gain access to the NMS they could change device configurations and SNMP variables that can cause disruptions and even denial of service conditions.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1, IAIA-1, IAIA-2
SV-3056r7_rule  NET0460  HIGH
  Title: Group accounts must not be configured for use on the network device.
  Description: Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.
  Responsibility: Information Assurance Officer
  IA Controls: IAIA-1, IAIA-2
SV-3057r5_rule  NET0465  MEDIUM
  Title: Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
  Description: By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3058r5_rule  NET0470  MEDIUM
  Title: Unauthorized accounts must not be configured for access to the network device.
  Description: A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that is no longer needed to access the device. Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1, IAAC-1
SV-3069r5_rule  NET1638  MEDIUM
  Title: Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
  Description: Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information. With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
  Responsibility: Information Assurance Officer
  IA Controls: DCNR-1, ECSC-1
SV-3070r4_rule  NET1640  LOW
  Title: Network devices must log all attempts to establish a management connection for administrative access.
  Description: Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.
  Responsibility: Information Assurance Officer
  IA Controls: ECAT-1, ECAT-2
SV-3143r4_rule  NET0240  HIGH
  Title: Network devices must not have any default manufacturer passwords.
  Description: Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well-known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3160r4_rule  NET0700  MEDIUM
  Title: Network devices must be running a current and supported operating system with all IAVMs addressed.
  Description: Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3175r5_rule  NET1636  HIGH
  Title: The network device must require authentication prior to establishing a management connection for administrative access.
  Description: Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes, enabling them to disrupt network operations and resulting in a network outage.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3184r1_rule  NET1780  MEDIUM
  Title: The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs.
  Description: Without a formal personnel approval process, unauthorized users may gain access to critical DoD systems. It is imperative that only the required access to the required systems and information be provided to each individual. The lack of password protection for communications devices provides anyone access to the device, which opens a backdoor opportunity for intruders to attack and manipulate or compromise network resources. Vendors often assign default passwords to communication devices. These default passwords are well known to the hacker community and are extremely dangerous if left unchanged.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3196r4_rule  NET1660  HIGH
  Title: The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
  Description: SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3210r4_rule  NET1665  HIGH
  Title: The network device must not use the default or well-known SNMP community strings public and private.
  Description: Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network device using the read community string "public". In addition, an attacker can change a system configuration using the write community string "private".
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1, IAIA-1, IAIA-2
SV-3966r5_rule  NET0440  MEDIUM
  Title: In the event the authentication server is down or unavailable, there must only be one local account of last resort created for emergency use.
  Description: Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.
  IA Controls: ECSC-1
SV-3967r4_rule  NET1624  MEDIUM
  Title: The network devices must time out access to the console port at 10 minutes or less of inactivity.
  Description: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-3982r3_rule  NET-TUNL-013  MEDIUM
  Title: L2TP must not pass into the private network of an enclave.
  Description: Unlike GRE (a simple encapsulating header), L2TP is a full-fledged communications protocol with a control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by the capability to define vendor-specific parameters beyond those defined in the L2TP specifications. The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC), in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach his home network or ISP from a remote location. The remote access user either dials (or otherwise connects via layer 2) to a LAC device which tunnels his connection home to an awaiting LNS. The LAC could also be located on the remote user's laptop, which connects to an LNS at home using some generic internet connection. The other reference models may be used for more obscure scenarios. Although the L2TP protocol does not contain encryption capability, it can be operated over IPSEC, which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. Secondly, the outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Thirdly, since the LNS provides the remote user with a dynamic IP address to use, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior to divulging an acceptable IP address. As a result of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario. In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular:
    1) L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only, are less defended, and not as well-known.
    2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead.
    3) L2TP is highly complex and variable (vendor-specific variability) and therefore would be a viable target that is difficult to defend. It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised.
    4) Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task.
    5) Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required, therefore bringing it inside doesn't save resources.
  Therefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-4582r5_rule  NET1623  HIGH
  Title: The network device must require authentication for console access.
  Description: Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes, enabling them to disrupt network operations and resulting in a network outage.
  Responsibility: Information Assurance Officer
  IA Controls: IAIA-1, IAIA-2
SV-4613r2_rule  NET1762  MEDIUM
  Title: All in-band sessions to the NMS must be secured using FIPS 140-2 approved encryption and hashing algorithms.
  Description: Without the use of FIPS 140-2 encryption on in-band management connections, unauthorized users may gain access to the NMS, enabling them to change device configurations and SNMP variables that can cause disruptions and even denial of service conditions.
  Responsibility: Information Assurance Officer
  IA Controls: ECNK-1, ECSC-1
SV-5611r4_rule  NET1637  MEDIUM
  Title: The network devices must only allow management connections for administrative access from hosts residing in the management network.
  Description: Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-5612r3_rule  NET1645  MEDIUM
  Title: The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
  Description: An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network device.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-5613r4_rule  NET1646  MEDIUM
  Title: The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
  Description: An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-5644r2_rule  NET1071  MEDIUM
  Title: The TFTP server used to store network element configurations and images must be only connected to the management network.
  Description: A TFTP server that contains network element configurations and images must only be connected to the management network to enforce restricted and limited access.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-5646r5_rule  NET0965  MEDIUM
  Title: The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
  Description: A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-7365r4_rule  NET1629  LOW
  Title: The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
  Description: The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-8011r1_rule  NET-NAC-010  MEDIUM
  Title: The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.
  Description: EAP methods/types are continually being proposed; however, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD because of its ability to support a greater number of operating systems and its capability to transmit statement of health information, per NSA NAC study. Lightweight EAP (LEAP) is a CISCO proprietary protocol providing an easy-to-deploy one password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a WLAN. LEAP is inappropriate and does not provide sufficient security for use on DOD networks. EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers, violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DOD networks.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-15272r3_rule  NET0386  LOW
  Title: Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.
  Description: Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of critical alerts. Without this type of notification setup, logged audits and events could potentially fill to capacity, causing subsequent records to not be recorded and dropped without any knowledge by the administrative staff. Other unintended consequences of filling the log storage to capacity may include a denial of service of the device itself without proper notification.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-15327r4_rule  NET0813  MEDIUM
  Title: Network devices must authenticate all NTP messages received from NTP servers and peers.
  Description: Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers. A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to its upstream NTP server, it will be able to choose time from one of its peers. The NTP authentication model is the opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It's not used to authenticate NTP clients because NTP servers don't care about the authenticity of their clients, as they never accept any time from them.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-15459r4_rule  NET1647  MEDIUM
  Title: The network device must not allow SSH Version 1 to be used for administrative access.
  Description: SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-16260r1_rule  NET0434  MEDIUM
  Title: The IAO/NSO will ensure the AAA authentication method implements user authentication.
  Description: Group accounts are not permitted.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-16261r4_rule  NET0441  HIGH
  Title: The emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
  Description: The emergency account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.
  Responsibility: Information Assurance Officer
  IA Controls: ECSC-1
SV-19075r4_rule  NET0991  MEDIUM
  Title: The network device's OOBM interface must be configured with an OOBM network address.
  Description: The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.
  Responsibility: System Administrator, Information Assurance Officer
  IA Controls: ECSC-1
SV-19076r4_rule  NET0992  MEDIUM
  Title: The network device's management interface must be configured with both an ingress and egress ACL.
  Description: The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
  Responsibility: System Administrator, Information Assurance Officer
  IA Controls: ECSC-1
SV-19115r1_rule  NET1615  MEDIUM
  Title: The communications server is not configured to use PPP encapsulation and PPP authentication CHAP for the async or AUX port used for dial in.
  Description: A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device's console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, console port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.
  Responsibility: Information Assurance Officer
  IA Controls: EBRP-1
    SV-19116r1_rule NET1616 LOW The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication. A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.Information Assurance OfficerEBRP-1
    SV-19117r1_rule NET1617 LOW The communications server is not configured accept a callback request or in a secured mode so that it will not callback an unauthorized user. A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.Information Assurance OfficerEBRP-1
    SV-19118r1_rule NET0436 MEDIUM The AAA server is not compliant with respective OS STIG. Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.Information Assurance OfficerDCCS-1, DCCS-2
    SV-19119r1_rule NET0437 LOW The AAA server is not configured with a unique key to be used for communication (i.e. RADIUS, TACACS+) with any client requesting authentication services. Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.Information Assurance OfficerECSC-1
    SV-19120r1_rule NET0438 MEDIUM An HIDS has not been implemented on the AAA server Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.Information Assurance OfficerECID-1
    SV-19123r1_rule NET0815 LOW The NTP server is not compliant with the OS STIG NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path. If the NTP server is not an appliance, it is critical that the system is secured by maintaining compliance with the appropriate OS STIG as well as implementing an HIDS. Information Assurance OfficerDCCS-1, DCCS-2
    SV-19124r1_rule NET0816 LOW An HIDS has not been implemented on the NTP server. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path. If the NTP server is not an appliance, it is critical that the system is secured by maintaining compliance with the appropriate OS STIG as well as implementing an HIDS. Information Assurance OfficerECID-1
    SV-19125r1_rule NET0817 LOW Two independent sources of time reference are not being utilized. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Hence, it is imperative that at least two independent sources of time reference are used.Information Assurance OfficerECSC-1
    SV-19127r1_rule NET0819 LOW The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Information Assurance OfficerECSC-1
    SV-19129r1_rule NET1731 MEDIUM The SNMP manager is not compliant with the OS STIG The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. IA measures must be implemented to mitigate the risk of the SNMP manager being compromised.Information Assurance OfficerDCCS-1, DCCS-2
    SV-19130r1_rule NET1732 LOW An HIDS has not been implemented on the SNMP manager The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. In addition to the SNMP safeguards outlined in section 2, IA measures must be implemented to mitigate the risk of the SNMP manager being compromised.Information Assurance OfficerECID-1
    SV-19131r1_rule NET1733 MEDIUM The SNMP manager is not connected to only the management network. The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. To provide security through separation and isolation, the SNMP manager should only be connected to the management network. This enables the SNMP manager to provide management services to the managed devices using a secured as well as a preferred path.Information Assurance OfficerECSC-1
    SV-19132r1_rule NET1734 LOW SNMP messages are stored for a minimum of 30 days and then archived. The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management.System AdministratorInformation Assurance OfficerECSC-1
    SV-20099r1_rule NET-NAC-001 MEDIUM The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources. When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is mis-configured, logical separation of the production VLAN may not be assured. Non-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Non-trusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented.Information Assurance OfficerDCSP-1
    SV-20102r1_rule NET-NAC-004 MEDIUM The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access. Devices having an IP address that do not pass authentication can be used to attack compliant devices if they share vlans. When devices proceed into the NAC AAA (radius) functions they must originate in the Unauthorized VLAN by default. If the device fails authentication it should be denied IP capability and movement to other dynamic VLANs used in the NAC process flow or moved to a VLAN that has limited capability such as a Guest VLAN with internet access, but without access to production assets.Information Assurance OfficerDCSP-1
    SV-28651r4_rule NET0812 LOW Network devices must use at least two NTP servers to synchronize time. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.System AdministratorInformation Assurance OfficerECSC-1
    SV-28655r1_rule NET1022 MEDIUM The IAO will ensure the syslog server is only connected to the management network. A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis. A malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks.Information Assurance OfficerECSC-1
    SV-28656r1_rule NET1023 MEDIUM The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG. A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis. A malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks.System AdministratorInformation Assurance OfficerECSC-1
    SV-32243r1_rule NET0814 MEDIUM The NTP server is connected to a network other than the management network. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path.System AdministratorInformation Assurance OfficerECSC-1
    SV-32516r1_rule NET0431 LOW The IAO will ensure all AAA authentication services are configured to use two-factor authentication . AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be incapacitated with only a few commands. Information Assurance OfficerDCCS-2, ECSC-1
    SV-32517r1_rule NET0432 LOW The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access. The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices from unauthorized access. Protecting access to the user interfaces on your network devices prevents unauthorized users from making configuration changes that can disrupt the stability of your network or compromise your network security.Information Assurance OfficerDCCS-2, ECSC-1
    SV-32518r1_rule NET0435 MEDIUM The IAO will ensure the authentication server is connected to the management network. Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. In order to control access to the servers as well as monitor traffic to them, the authentication servers should only be connected to the management network.Information Assurance OfficerECSC-1
    SV-36774r4_rule NET0405 MEDIUM A service or feature that calls home to the vendor must be disabled. Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.Information Assurance OfficerNetwork Security OfficerECSC-1