SEL-2740S L2S Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2019-05-06
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
The SEL-2740S must uniquely identify all network-connected endpoint devices before establishing any connection.
IA-3 - High - CCI-000778 - V-92263 - SV-102363r1_rule
RMF Control
IA-3
Severity
High
CCI
CCI-000778
Version
SELS-SW-000020
Vuln IDs
  • V-92263
Rule IDs
  • SV-102363r1_rule
Controlling LAN access via identification of connecting hosts can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
Checks: C-91561r1_chk

Review SEL-2740S flow rules to ensure they contain the proper match criteria (MAC, IP, Port, SRC, DST, etc.) for the connected hosts restricting all other access to the network. If the SEL-2740S is configured with flows with wildcard or unnecessary packet forwarding rules, this is a finding.

Fix: F-98503r1_fix

For adding an SEL-2740S Flow Rule to forward traffic, do the following: 1. Log in to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter General Setting values for "Switch", "Enable". Optional: Enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 5. Depending on communication protocol behavior, enter appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 6. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 7. Click "Submit". 8. Repeat for every switch necessary.

b
The SEL-2740S must be configured to mitigate the risk of ARP cache poisoning attacks.
CM-6 - Medium - CCI-000366 - V-92277 - SV-102365r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SELS-SW-000280
Vuln IDs
  • V-92277
Rule IDs
  • SV-102365r1_rule
The SEL-2740S must deter ARP cache poisoning attacks and configure the specific ARP flows that are only necessary to the control system network.
Checks: C-91575r2_chk

Review SEL-2740S ARP flow rules between hosts and ensure they are necessary for the additional flow rules that exist for communications between hosts. Note: Necessary flows are all ARPs between valid and authorized hosts that should be allowed to talk to each other and the physical path those circuits are allowed to talk. If the SEL-2740S is configured with wildcard packet forwarding flows that are not for Security Information and Event Manager (SIEM) or unnecessary rules, this is a finding.

Fix: F-98517r1_fix

Configure point-to-point ARP flow rules between every device that must communicate. To add ARP flow rules on all packet forwarding, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter General setting values for "Switch", "Enable". Optional: Enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 5. Depending on communication protocol behavior, enter appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 6. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 7. Click "Submit".

b
The SEL-2740S must be configured to capture all packets without flow rule match criteria.
CM-6 - Medium - CCI-000366 - V-92279 - SV-102367r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SELS-SW-000290
Vuln IDs
  • V-92279
Rule IDs
  • SV-102367r1_rule
The OTSDN switch must be capable of capturing frames that are not engineered to be in the network and send them to a Security Information and Event Manager (SIEM) or midpoint sensor for analysis.
Checks: C-91577r3_chk

Review the SEL-2740S to ensure that the "no match criteria" rule is set to capture the packet for analysis as a possible injection or intrusion. If the SEL-2740S is not configured to with the "no match criteria" rules for the Security Information and Event Manager (SIEM), this is a finding.

Fix: F-98519r2_fix

To configure to capture all packets without flow rule match criteria, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter a "no match" flow rule for given ports. 5. Click "Submit".

b
The SEL-2740S must be configured with backup flows for all host and switch flows to ensure proper failover scheme is in place for the network.
CM-6 - Medium - CCI-000366 - V-92281 - SV-102369r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SELS-SW-000300
Vuln IDs
  • V-92281
Rule IDs
  • SV-102369r1_rule
The SEL-2740S must be capable of multiple fast failover, backup and in cases isolation of the traffic from a detected threat in the system.
Checks: C-91579r1_chk

Review the SEL-2740S flow rules to ensure each flow has a Fast Failover Group configured. If the switch is not configured to provide backup flows, this is a finding.

Fix: F-98521r2_fix

To configure a Fast Failover Group for a given flow, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Under Group Entry General settings, select "Group ID" and "Group Type" as "Fast Failover". 3. Select appropriate number of Action Buckets dependent upon use case. 4. Determine valid watch port or group, and select supported actions. 5. Click "Submit".

b
The SEL-2740S must be configured to forward only frames from allowed network-connected endpoint devices.
CM-6 - Medium - CCI-000366 - V-92283 - SV-102371r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SELS-SW-000310
Vuln IDs
  • V-92283
Rule IDs
  • SV-102371r1_rule
By only allowing frames to be forwarded from known end-points mitigates risks associated with broadcast, unknown unicast, and multicast traffic storms.
Checks: C-91581r1_chk

To ensure only allowed traffic is being forwarded through the device, check the flow rules for source and destination information on each connected device and port. If there are any flow rules that are not restrictive, this is a finding.

Fix: F-98523r1_fix

Ensure only authentic allowed traffic by creating flow rules to restrict protocol, source, and destination of information. For adding an SEL-2740S Flow Rule to forward traffic, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter General settings values for "Switch", "Enable". Optional: Enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 5. Depending on communication protocol behavior, enter appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 6. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 7. Click "Submit".

b
The SEL-2740S must be configured to permit the allowed and necessary ports, functions, protocols, and services.
CM-7 - Medium - CCI-000381 - V-92313 - SV-102401r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
SELS-SW-000010
Vuln IDs
  • V-92313
Rule IDs
  • SV-102401r1_rule
A compromised switch introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each switch is to enable only the capabilities required for operation.
Checks: C-91609r1_chk

Review SEL-2740S flow rules to ensure they contain the proper match criteria (MAC, IP, Port, SRC, DST, etc.) for the connected hosts restricting all other access to the network. If the SEL-2740S is configured with flows with wildcard or unnecessary packet forwarding rules, this is a finding.

Fix: F-98551r1_fix

For adding an SEL-2740S Flow Rule to forward traffic, do the following: 1. Log in to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter General Setting values for "Switch", "Enable". Optional: Enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 5. Depending on communication protocol behavior, enter appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 6. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 7. Click "Submit". 8. Repeat for every switch necessary.

b
The SEL-2740S -must be configured to limit excess bandwidth and denial of service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-92315 - SV-102403r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
SELS-SW-000050
Vuln IDs
  • V-92315
Rule IDs
  • SV-102403r1_rule
Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).
Checks: C-91611r1_chk

Review the SEL-2740S to ensure that the meter rules and priorities are in place to ensure mission-critical traffic will not be impacted by increased traffic or bandwidth issues. If the SEL-2740S is not configured with meters and priorities necessary for mission-critical packets, this is a finding.

Fix: F-98553r1_fix

Add a flow meter rule to ensure mission-critical traffic will not be impacted. For adding an SEL-2740S Flow Meter, do the following: 1. Log in to OTSDN Controller using Permission Level 3. 2. Under "Meter Entry" General Settings, select "Meter ID", "Measurement Type", and "Burst Size". 3. Add meter rule to SEL-2740S Flow Rules that require monitoring.

b
The SEL-2740S must be configured to packet capture flows.
AU-14 - Medium - CCI-001919 - V-92317 - SV-102405r1_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001919
Version
SELS-SW-000070
Vuln IDs
  • V-92317
Rule IDs
  • SV-102405r1_rule
Without the capability to select a user session to capture/record or view/hear, investigations into suspicious or harmful events would be hampered by the volume of information captured. The volume of information captured may also adversely impact the operation for the network. Session audits may include port mirroring, tracking websites visited, and recording information and/or file transfers.
Checks: C-91613r1_chk

Review the SEL-2740S flow rules to ensure they only include the specific copy rules for capturing ingress and egress flows only on the designated port(s). Note: A span port can be created to capture based on Flows, ports, or combination. If the SEL-2740S is configured with flows with wildcard or unnecessary packet forwarding rules, this is a finding.

Fix: F-98555r1_fix

Add specific SEL-2740S flow rules for capturing a copy of packets for user sessions use OpenFlow ALL Groups. To add an SEL-2740S Group, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Under "Group Entry" General Settings, select "Group ID" and "Group Type". 3. Select appropriate number of Action Buckets dependent upon use case. 4. Determine valid watch port or group, and select supported actions. 5. Click "Submit".

b
The SEL-2740S must be configured to capture flows for real-time visualization tools.
AU-14 - Medium - CCI-001920 - V-92319 - SV-102407r1_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001920
Version
SELS-SW-000080
Vuln IDs
  • V-92319
Rule IDs
  • SV-102407r1_rule
Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel to take action before additional damage is done. The ability to observe user sessions as they are happening allows for interceding in ongoing events that after-the-fact review of captured content would not allow.
Checks: C-91615r1_chk

Review the SEL-2740S flow rules to ensure they only include the specific copy rules for capturing ingress and egress flows only on the designated port(s). Note: A span port can be created to capture based on Flows, ports, or combination. If the SEL-2740S is configured with flows with wildcard or unnecessary packet forwarding rules, this is a finding.

Fix: F-98557r2_fix

Add specific SEL-2740S flow rules for capturing a copy of packets for user sessions use OpenFlow ALL Groups. To add an SEL-2740S Group, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Under "Group Entry" General settings, select "Group ID" and "Group Type". Use a unique group ID and use an ALL group to send the packet to more than one destination. 3. Select appropriate number of Action Buckets dependent upon use case. 4. Determine valid watch port or group, and select supported actions. 5. Click "Submit".

b
The SEL-2740S must be configured to prevent packet flooding and bandwidth saturation.
SC-5 - Medium - CCI-002385 - V-92321 - SV-102409r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
SELS-SW-000130
Vuln IDs
  • V-92321
Rule IDs
  • SV-102409r1_rule
Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature will block unknown unicast traffic flooding and only permit egress traffic with MAC addresses that are known to exit on the port.
Checks: C-91617r1_chk

Review the SEL-2740S flows to ensure the meter rules are in place to prevent packet flooding and bandwidth saturation. If the switch is not configured to prevent packet flooding, this is a finding.

Fix: F-98559r1_fix

Add a flow meter rule to prevent packet flooding and bandwidth saturation. To add an SEL-2740S Flow Meter, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Under "Meter Entry" General settings, select "Meter ID", "Measurement Type", and "Burst Size". 3. Add meter rule to SEL-2740S Flow Rules that require monitoring.

b
SEL-2740S flow rules must include the host IP addresses that are bound to designated SEL-2740S ports for ensuring trusted host access.
SC-5 - Medium - CCI-002385 - V-92323 - SV-102411r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
SELS-SW-000150
Vuln IDs
  • V-92323
Rule IDs
  • SV-102411r1_rule
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports. Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
Checks: C-91619r1_chk

Review the SEL-2740S flow rules to ensure all include IP addresses assigned to given hosts and are bound to the SEL-2740S ports. If the SEL-2740S flow rules are not configured with hosts' IP addresses for packets ingressing or egressing the ports, this is a finding.

Fix: F-98561r1_fix

To add IP Host addressed flow rules on all packet forwarding, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter General Setting values for "Switch", "Enable". Optional: Enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 5. Depending on communication protocol behavior, enter appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target', "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source', 'UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 6. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 7. Click "Submit".

b
The SEL-2740S must be configured with ARP flow rules that are statically created with valid IP-to-MAC address bindings.
SC-5 - Medium - CCI-002385 - V-92325 - SV-102413r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
SELS-SW-000160
Vuln IDs
  • V-92325
Rule IDs
  • SV-102413r1_rule
DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Checks: C-91621r1_chk

Review the SEL-2740S configuration to verify that Dynamic Address Resolution Protocol (ARP) flow rules have valid IP-to-MAC address bindings. If the SEL-2740S Dynamic Address Resolution Protocol (ARP) flow rules are not configured with the valid IP-to-MAC address bindings, this is a finding.

Fix: F-98563r1_fix

To add ARP flow rules on all packet forwarding, do the following: 1. Log on to OTSDN Controller using Permission Level 3. 2. Click "Flow Entries" in Navigation Menu. 3. Click "Add Flow" button. 4. Enter General Setting values for "Switch", "Enable". Optional: Enter General Settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 5. Depending on communication protocol behavior, enter appropriate Match Field values for "ARP Opcode" ("Request" or "Reply"), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 6. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 7. Click "Submit".

b
The SEL-2740S must authenticate all network-connected endpoint devices before establishing any connection.
IA-3 - Medium - CCI-001958 - V-94587 - SV-104417r2_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
SELS-SW-000090
Vuln IDs
  • V-94587
Rule IDs
  • SV-104417r2_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.
Checks: C-93777r1_chk

This finding can be downgraded to a CAT III if there is no horizontal cabling from the switch to the general work area. Verify that all cabling is contained within the telecom room, wiring closet, or equipment room. If there is cabling from the switch to LAN outlets (i.e.RJ-45 wall plates) in the general work area, this is a CAT II finding. If all cabling is contained within the telecom room, wiring closet, or equipment room, this is a CAT III finding.

Fix: F-100705r1_fix

Ensure there is no horizontal cabling from the switch to the general work area. Verify that all cabling is contained within the telecom room, wiring closet, or equipment room.