Review SEL-2740S flow rules to ensure they contain the proper match criteria (MAC, IP, port, source, destination, etc.) for the connected hosts, restricting all other access to the network. If the SEL-2740S is configured with wildcard or unnecessary packet-forwarding flow rules, this is a finding.
To add an SEL-2740S flow rule that forwards traffic, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Click "Flow Entries" in the Navigation Menu.
3. Click the "Add Flow" button.
4. Enter General Settings values for "Switch" and "Enable". Optional: enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout".
5. Depending on communication protocol behavior, enter the appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtual ID".
6. Enter the appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value".
7. Click "Submit".
8. Repeat for every switch necessary.
Review SEL-2740S ARP flow rules between hosts and ensure each one is necessary for the other flow rules that exist for communications between those hosts. Note: Necessary flows are the ARP flows between valid, authorized hosts that are allowed to talk to each other, on the physical paths those circuits are allowed to use. If the SEL-2740S is configured with wildcard packet-forwarding flows that are not for the Security Information and Event Manager (SIEM), or with unnecessary rules, this is a finding.
Configure point-to-point ARP flow rules between every pair of devices that must communicate. To add ARP flow rules for packet forwarding, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Click "Flow Entries" in the Navigation Menu.
3. Click the "Add Flow" button.
4. Enter General Settings values for "Switch" and "Enable". Optional: enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout".
5. Depending on communication protocol behavior, enter the appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtual ID".
6. Enter the appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value".
7. Click "Submit".
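The two checks above (no wildcard forwarding rules; ARP rules present only where an IPv4 flow needs them) can be scripted against an exported flow table. The following is an added example, not SEL or OTSDN Controller code: the flow entries are constructed by hand using OpenFlow 1.3 OXM field names, the host MACs and addresses are made up, and SIEM_PORT is an assumed port number. A rule with an empty match that only copies to the SIEM port is treated as the intended "no match" capture rule and is not flagged.

```python
"""Audit an OpenFlow-style flow table for wildcard forwarding rules, IPv4 host
pairs that lack their point-to-point ARP request/reply rules, and orphaned ARP
rules.  Added example; constructed data, not an OTSDN Controller export."""

ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
SIEM_PORT = 24  # assumption: switch port cabled to the SIEM capture interface

# Fields a forwarding rule must pin down before it may output to a host port.
REQUIRED_L2 = ("in_port", "eth_src", "eth_dst", "eth_type")
REQUIRED_IPV4 = ("ipv4_src", "ipv4_dst", "ip_proto")
REQUIRED_ARP = ("arp_op", "arp_spa", "arp_tpa")

A_MAC, B_MAC, C_MAC = "00:30:a7:00:00:01", "00:30:a7:00:00:02", "00:30:a7:00:00:03"


def flow(fid, match, actions, priority=100):
    return {"id": fid, "priority": priority, "match": match, "actions": actions}


def has(match, *keys):
    return all(k in match for k in keys)


# Constructed sample table: host A (port 1, 10.1.1.1) polls host B (port 2,
# 10.1.1.2) over TCP/20000.  Flow 40 is a deliberate wildcard, flow 41 an ARP
# rule for a host pair with no IPv4 flow, and the B->A ARP pair is absent.
SAMPLE_FLOWS = [
    flow(10, {"in_port": 1, "eth_src": A_MAC, "eth_dst": B_MAC, "eth_type": ETH_TYPE_IPV4,
              "ipv4_src": "10.1.1.1", "ipv4_dst": "10.1.1.2", "ip_proto": 6,
              "tcp_dst": 20000}, ["output:2"]),
    flow(11, {"in_port": 2, "eth_src": B_MAC, "eth_dst": A_MAC, "eth_type": ETH_TYPE_IPV4,
              "ipv4_src": "10.1.1.2", "ipv4_dst": "10.1.1.1", "ip_proto": 6,
              "tcp_src": 20000}, ["output:1"]),
    flow(20, {"in_port": 1, "eth_src": A_MAC, "eth_dst": BROADCAST, "eth_type": ETH_TYPE_ARP,
              "arp_op": ARP_REQUEST, "arp_spa": "10.1.1.1", "arp_tpa": "10.1.1.2"},
         ["output:2"]),
    flow(21, {"in_port": 2, "eth_src": B_MAC, "eth_dst": A_MAC, "eth_type": ETH_TYPE_ARP,
              "arp_op": ARP_REPLY, "arp_spa": "10.1.1.2", "arp_tpa": "10.1.1.1"},
         ["output:1"]),
    flow(40, {"in_port": 3, "eth_type": ETH_TYPE_IPV4}, ["output:2"]),
    flow(41, {"in_port": 3, "eth_src": C_MAC, "eth_dst": BROADCAST, "eth_type": ETH_TYPE_ARP,
              "arp_op": ARP_REQUEST, "arp_spa": "10.1.1.3", "arp_tpa": "10.1.1.2"},
         ["output:2"]),
    flow(0, {}, [f"output:{SIEM_PORT}"], priority=0),  # table-miss: copy to SIEM only
]


def forwards_to_hosts(f):
    """True if the rule sends traffic anywhere other than the SIEM capture port."""
    return any(a != f"output:{SIEM_PORT}" for a in f["actions"])


def wildcard_findings(flows):
    """Rules that output to host ports without fully specified match criteria."""
    findings = []
    for f in flows:
        if not forwards_to_hosts(f):
            continue
        m = f["match"]
        required = list(REQUIRED_L2)
        if m.get("eth_type") == ETH_TYPE_IPV4:
            required += REQUIRED_IPV4
        elif m.get("eth_type") == ETH_TYPE_ARP:
            required += REQUIRED_ARP
        missing = [k for k in required if k not in m]
        if missing:
            findings.append((f["id"], "wildcard: missing " + ",".join(missing)))
    return findings


def arp_findings(flows):
    """IPv4 host pairs with no ARP request/reply pair, and ARP rules with no IPv4 flow."""
    ip_pairs = {(f["match"]["ipv4_src"], f["match"]["ipv4_dst"]) for f in flows
                if f["match"].get("eth_type") == ETH_TYPE_IPV4
                and has(f["match"], "ipv4_src", "ipv4_dst")}
    arp = {(f["match"]["arp_op"], f["match"]["arp_spa"], f["match"]["arp_tpa"]): f["id"]
           for f in flows if f["match"].get("eth_type") == ETH_TYPE_ARP
           and has(f["match"], "arp_op", "arp_spa", "arp_tpa")}
    findings = []
    for src, dst in sorted(ip_pairs):
        if (ARP_REQUEST, src, dst) not in arp or (ARP_REPLY, dst, src) not in arp:
            findings.append(((src, dst), "IPv4 flow without ARP request/reply rules"))
    for (op, spa, tpa), fid in sorted(arp.items()):
        hosts = (spa, tpa) if op == ARP_REQUEST else (tpa, spa)  # a reply answers the reverse pair
        if hosts not in ip_pairs:
            findings.append((fid, "ARP rule with no IPv4 flow between these hosts"))
    return findings


if __name__ == "__main__":
    for finding in wildcard_findings(SAMPLE_FLOWS) + arp_findings(SAMPLE_FLOWS):
        print(*finding)
```

Run as-is it reports flow 40 (five unmatched fields), the missing B-to-A ARP pair, and flow 41. The ARP check deliberately requires the reply rule on the reverse path, since an ARP request that can never be answered is still an unnecessary rule.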
Review the SEL-2740S to ensure that the "no match criteria" rule is set to capture the packet for analysis as a possible injection or intrusion. If the SEL-2740S is not configured with the "no match criteria" rules that forward to the Security Information and Event Manager (SIEM), this is a finding.
To capture all packets that match no flow rule criteria, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Click "Flow Entries" in the Navigation Menu.
3. Click the "Add Flow" button.
4. Enter a "no match" flow rule for the given ports.
5. Click "Submit".
Review the SEL-2740S flow rules to ensure each flow has a Fast Failover Group configured. If the switch is not configured to provide backup flows, this is a finding.
To configure a Fast Failover Group for a given flow, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Under Group Entry General Settings, select a "Group ID" and set "Group Type" to "Fast Failover".
3. Select the appropriate number of Action Buckets for the use case.
4. Determine a valid watch port or group for each bucket, and select the supported actions.
5. Click "Submit".
To ensure only allowed traffic is forwarded through the device, check the flow rules for source and destination information on each connected device and port. If any flow rule is not restrictive, this is a finding.
Ensure only authentic, allowed traffic by creating flow rules that restrict the protocol, source, and destination of information. To add an SEL-2740S flow rule that forwards traffic, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Click "Flow Entries" in the Navigation Menu.
3. Click the "Add Flow" button.
4. Enter General Settings values for "Switch" and "Enable". Optional: enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout".
5. Depending on communication protocol behavior, enter the appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtual ID".
6. Enter the appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value".
7. Click "Submit".
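What a Fast Failover group buys, and how to audit for flows that bypass one, is easier to see in code than in the GUI steps. The following is an added example, not SEL or OTSDN Controller code: the group numbers, port numbers, flows and sets of live ports are constructed. It models the OpenFlow semantics (a fast-failover group forwards through the first bucket whose watch port is up; an ALL group fires every bucket, which is how the SPAN-style copy discussed later on this page is produced) and then flags flows with no backup path.

```python
"""Model OpenFlow fast-failover and ALL group behaviour on the data plane and
audit a flow table for forwarding rules with no backup path.  Added example;
constructed groups and flows, not an OTSDN Controller export."""

# group id -> type and ordered buckets.  The switch evaluates watch ports
# locally, so a link failure re-routes without a round trip to the controller.
GROUPS = {
    100: {"type": "fast_failover", "buckets": [
        {"watch_port": 2, "actions": ["output:2"]},      # direct link to host B
        {"watch_port": 7, "actions": ["output:7"]},      # ring path to B via the next switch
    ]},
    101: {"type": "fast_failover", "buckets": [
        {"watch_port": 1, "actions": ["output:1"]},      # single bucket: no backup
    ]},
    102: {"type": "all", "buckets": [
        {"watch_port": None, "actions": ["output:2"]},
        {"watch_port": None, "actions": ["output:24"]},  # copy to the capture port
    ]},
}

# Match fields are omitted; only the action side matters for this check.
FLOWS = [
    {"id": 10, "actions": ["group:100"]},
    {"id": 11, "actions": ["group:101"]},
    {"id": 12, "actions": ["output:1"]},
    {"id": 13, "actions": ["group:102"]},
]


def group_refs(flow):
    """Group ids referenced by a flow's action list."""
    return [int(a.partition(":")[2]) for a in flow["actions"] if a.startswith("group:")]


def select_bucket(group, live_ports):
    """Fast-failover semantics: first bucket whose watch port is live; none -> drop."""
    for bucket in group["buckets"]:
        if bucket["watch_port"] in live_ports:
            return list(bucket["actions"])
    return []


def resolve(flow, groups, live_ports):
    """Expand a flow's actions into the concrete outputs the switch would execute."""
    out = []
    for action in flow["actions"]:
        if not action.startswith("group:"):
            out.append(action)
            continue
        group = groups[int(action.partition(":")[2])]
        if group["type"] == "fast_failover":
            out += select_bucket(group, live_ports)
        else:  # "all": every bucket fires
            for bucket in group["buckets"]:
                out += bucket["actions"]
    return out


def failover_findings(flows, groups):
    """Flows that forward without a fast-failover group, or through one with no backup bucket."""
    findings = []
    for flow in flows:
        ff_groups = [groups[g] for g in group_refs(flow) if groups[g]["type"] == "fast_failover"]
        if not ff_groups:
            findings.append((flow["id"], "forwards without a fast-failover group"))
            continue
        for group in ff_groups:
            if len({b["watch_port"] for b in group["buckets"]}) < 2:
                findings.append((flow["id"], "fast-failover group has no backup bucket"))
    return findings


if __name__ == "__main__":
    for live in ({1, 2, 7}, {1, 7}, {1}):
        print(sorted(live), "->", resolve(FLOWS[0], GROUPS, live))
    for finding in failover_findings(FLOWS, GROUPS):
        print(*finding)
```

With ports 2 and 7 up, flow 10 goes out port 2; with port 2 down it shifts to port 7; with both down the packet is dropped rather than flooded, which is the deny-by-default behaviour the rest of this page relies on. The audit flags flow 11 (one bucket, so nothing to fail over to), flow 12 (a bare output action) and flow 13 (an ALL group only).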
Review the SEL-2740S to ensure that meter rules and priorities are in place so that mission-critical traffic will not be impacted by increased traffic or bandwidth issues. If the SEL-2740S is not configured with the meters and priorities necessary for mission-critical packets, this is a finding.
Add a flow meter rule to ensure mission-critical traffic will not be impacted. To add an SEL-2740S Flow Meter, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Under "Meter Entry" General Settings, select "Meter ID", "Measurement Type", and "Burst Size".
3. Apply the meter to the SEL-2740S flow rules that require metering.
Review the SEL-2740S flow rules to ensure they include only the specific copy rules for capturing ingress and egress flows on the designated port(s). Note: A span port can be created to capture based on flows, ports, or a combination of the two. If the SEL-2740S is configured with wildcard or unnecessary packet-forwarding flow rules, this is a finding.
Add specific SEL-2740S flow rules that capture a copy of packets for user sessions using OpenFlow ALL groups. To add an SEL-2740S group, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Under "Group Entry" General Settings, select a unique "Group ID" and set "Group Type" to "ALL" so the packet is sent to more than one destination.
3. Select the appropriate number of Action Buckets for the use case.
4. Determine a valid watch port or group for each bucket, and select the supported actions.
5. Click "Submit".
Review the SEL-2740S flows to ensure meter rules are in place to prevent packet flooding and bandwidth saturation. If the switch is not configured to prevent packet flooding, this is a finding.
Add a flow meter rule to prevent packet flooding and bandwidth saturation. To add an SEL-2740S Flow Meter, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Under "Meter Entry" General Settings, select "Meter ID", "Measurement Type", and "Burst Size".
3. Apply the meter to the SEL-2740S flow rules that require metering.
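Both meter requirements on this page (protecting mission-critical traffic, and stopping a flood from saturating a link) come down to what a meter's rate and burst size actually do to a packet stream. The following is an added example, not SEL or OTSDN Controller code: it models an OpenFlow meter with a single DROP band as a token bucket, and the meter values and the traffic timeline are constructed assumptions. Time is kept in integer microseconds and tokens in bit-microseconds so the result is exact rather than subject to float drift.

```python
"""Token-bucket model of an OpenFlow meter with one DROP band, run over a
constructed mix of a periodic poll and a one-second flood.  Added example;
meter values and traffic are assumptions."""

US = 1_000_000  # microseconds per second


class DropMeter:
    """Refills at the band rate, holds at most the burst size, and drops any
    packet larger than the tokens on hand."""

    def __init__(self, rate_kbps, burst_kbit):
        self.rate_bps = rate_kbps * 1000
        self.capacity = burst_kbit * 1000 * US   # bit-microseconds
        self.tokens = self.capacity              # bucket starts full
        self.last_us = 0

    def offer(self, t_us, length_bytes):
        """Return True if the packet is forwarded, False if the DROP band fires."""
        self.tokens = min(self.capacity, self.tokens + (t_us - self.last_us) * self.rate_bps)
        self.last_us = t_us
        cost = length_bytes * 8 * US
        if cost > self.tokens:
            return False
        self.tokens -= cost
        return True


def build_stream():
    """Constructed traffic: a 100-byte poll once a second for 10 s, plus a
    one-second flood of 1500-byte frames at 1000 pps (12 Mb/s) starting at
    t = 3.0005 s.  Tuples are (time_us, flow_name, length_bytes)."""
    poll = [(i * US, "poll", 100) for i in range(10)]
    flood = [(3 * US + 500 + i * 1000, "flood", 1500) for i in range(1000)]
    return sorted(poll + flood)


def default_meters():
    """One meter per flow: the flood source gets 256 kb/s with a 64 kbit burst;
    the poll has its own 64 kb/s meter so the flood cannot consume its tokens."""
    return {"poll": DropMeter(64, 8), "flood": DropMeter(256, 64)}


def run(stream, meters):
    """Meter each packet by flow name; return {flow: (forwarded, dropped)}."""
    counts = {name: [0, 0] for name in meters}
    for t_us, name, length in stream:
        forwarded = meters[name].offer(t_us, length)
        counts[name][0 if forwarded else 1] += 1
    return {name: tuple(c) for name, c in counts.items()}


if __name__ == "__main__":
    print(run(build_stream(), default_meters()))
```

The flood gets 26 of its 1000 frames through: the 64 kbit burst admits the first five full-size frames, after which the 256 kb/s rate refills only 256 bits per frame interval against a 12000-bit frame, so roughly one frame in 47 is forwarded. All ten polls pass because they are metered separately; had the poll shared the flood's meter it would have been competing for the same tokens, which is why the check above asks for meters and priorities per mission-critical flow rather than one meter for everything.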
Review the SEL-2740S flow rules to ensure all of them include the IP addresses assigned to the given hosts and are bound to the SEL-2740S ports. If the SEL-2740S flow rules are not configured with the hosts' IP addresses for packets ingressing or egressing the ports, this is a finding.
To add IP host-addressed flow rules for packet forwarding, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Click "Flow Entries" in the Navigation Menu.
3. Click the "Add Flow" button.
4. Enter General Settings values for "Switch" and "Enable". Optional: enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout".
5. Depending on communication protocol behavior, enter the appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtual ID".
6. Enter the appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value".
7. Click "Submit".
Review the SEL-2740S configuration to verify that Dynamic Address Resolution Protocol (ARP) flow rules have valid IP-to-MAC address bindings. If the SEL-2740S dynamic ARP flow rules are not configured with valid IP-to-MAC address bindings, this is a finding.
To add ARP flow rules for packet forwarding, do the following:
1. Log on to the OTSDN Controller using Permission Level 3.
2. Click "Flow Entries" in the Navigation Menu.
3. Click the "Add Flow" button.
4. Enter General Settings values for "Switch" and "Enable". Optional: enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout".
5. Depending on communication protocol behavior, enter the appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtual ID".
6. Enter the appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value".
7. Click "Submit".
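The last two checks (every rule bound to a host IP on a specific port, and ARP rules carrying valid IP-to-MAC bindings) are really one cross-reference against the authorized host inventory: the source MAC and IP (or ARP sender address) in a rule must be the host cabled to that InPort, and the destination MAC and IP must name one and the same authorized host. A rule that binds a sender IP to the wrong MAC is exactly the gap an ARP-spoofing host needs. The following is an added example, not SEL or OTSDN Controller code: the inventory and the flows are constructed, using OpenFlow 1.3 OXM field names.

```python
"""Cross-check flow rules against a port -> (MAC, IPv4) host inventory.
Added example; constructed inventory and flows, not an OTSDN Controller export."""

ETH_TYPE_IPV4, ETH_TYPE_ARP = 0x0800, 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

# port -> (mac, ipv4): the constructed record of what is cabled where.
HOSTS = {
    1: ("00:30:a7:00:00:01", "10.1.1.1"),
    2: ("00:30:a7:00:00:02", "10.1.1.2"),
    3: ("00:30:a7:00:00:03", "10.1.1.3"),
}

# Constructed flows: 10 and 20 are correct; 30 claims another host's sender IP
# (ARP spoofing); 31 pairs a destination MAC with another host's IP; 32
# ingresses on a port that has no authorized host.
FLOWS = [
    {"id": 10, "match": {"in_port": 1, "eth_src": "00:30:a7:00:00:01", "eth_dst": "00:30:a7:00:00:02",
                         "eth_type": ETH_TYPE_IPV4, "ipv4_src": "10.1.1.1", "ipv4_dst": "10.1.1.2"}},
    {"id": 20, "match": {"in_port": 1, "eth_src": "00:30:a7:00:00:01", "eth_dst": BROADCAST,
                         "eth_type": ETH_TYPE_ARP, "arp_spa": "10.1.1.1", "arp_tpa": "10.1.1.2"}},
    {"id": 30, "match": {"in_port": 3, "eth_src": "00:30:a7:00:00:03", "eth_dst": BROADCAST,
                         "eth_type": ETH_TYPE_ARP, "arp_spa": "10.1.1.1", "arp_tpa": "10.1.1.2"}},
    {"id": 31, "match": {"in_port": 2, "eth_src": "00:30:a7:00:00:02", "eth_dst": "00:30:a7:00:00:01",
                         "eth_type": ETH_TYPE_IPV4, "ipv4_src": "10.1.1.2", "ipv4_dst": "10.1.1.3"}},
    {"id": 32, "match": {"in_port": 9, "eth_src": "00:30:a7:00:00:09", "eth_dst": "00:30:a7:00:00:02",
                         "eth_type": ETH_TYPE_IPV4, "ipv4_src": "10.1.1.9", "ipv4_dst": "10.1.1.2"}},
]


def binding_findings(flows, hosts):
    """Return (flow id, reason) for every rule whose addresses do not match the inventory."""
    ip_by_mac = {mac: ip for mac, ip in hosts.values()}
    findings = []
    for f in flows:
        m, fid = f["match"], f["id"]
        if m.get("in_port") not in hosts:
            findings.append((fid, "InPort is not bound to an authorized host"))
            continue
        mac, ip = hosts[m["in_port"]]
        # Ingress side: the MAC and the IP/ARP sender address must be the host on this port.
        if m.get("eth_src") != mac:
            findings.append((fid, "eth_src is not the host cabled to this InPort"))
        src_ip = m.get("ipv4_src", m.get("arp_spa"))
        if src_ip is not None and src_ip != ip:
            findings.append((fid, f"source IP {src_ip} is not bound to MAC {mac}"))
        # Egress side: an ARP request is broadcast, so only the target IP can be checked;
        # otherwise the destination MAC and IP must belong to the same inventory host.
        dst_mac, dst_ip = m.get("eth_dst"), m.get("ipv4_dst", m.get("arp_tpa"))
        if dst_mac == BROADCAST:
            if dst_ip not in ip_by_mac.values():
                findings.append((fid, f"ARP target {dst_ip} is not an authorized host"))
        elif ip_by_mac.get(dst_mac) != dst_ip:
            findings.append((fid, f"destination IP {dst_ip} is not bound to MAC {dst_mac}"))
    return findings


if __name__ == "__main__":
    for finding in binding_findings(FLOWS, HOSTS):
        print(*finding)
```

The inventory is the authoritative input here: the check is only as good as the port-to-host record it is run against, so that record should come from the cabling documentation verified under the physical-security check below, not from whatever the switch has learned.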
This finding can be downgraded to a CAT III if there is no horizontal cabling from the switch to the general work area. Verify that all cabling is contained within the telecom room, wiring closet, or equipment room. If there is cabling from the switch to LAN outlets (i.e., RJ-45 wall plates) in the general work area, this is a CAT II finding. If all cabling is contained within the telecom room, wiring closet, or equipment room, this is a CAT III finding.
Ensure there is no horizontal cabling from the switch to the general work area. Verify that all cabling is contained within the telecom room, wiring closet, or equipment room.