SEL-2740S L2S Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]


Version / Release: V1R1

Published: 2019-05-06

Updated At: 2019-07-06 12:01:30




Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-102363r1_rule SELS-SW-000020 CCI-000778 HIGH The SEL-2740S must uniquely identify all network-connected endpoint devices before establishing any connection. Controlling LAN access via identification of connecting hosts can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
    SV-102365r1_rule SELS-SW-000280 CCI-000366 MEDIUM The SEL-2740S must be configured to mitigate the risk of ARP cache poisoning attacks. The SEL-2740S must deter ARP cache poisoning attacks and configure the specific ARP flows that are only necessary to the control system network.
    SV-102367r1_rule SELS-SW-000290 CCI-000366 MEDIUM The SEL-2740S must be configured to capture all packets without flow rule match criteria. The OTSDN switch must be capable of capturing frames that are not engineered to be in the network and send them to a Security Information and Event Manager (SIEM) or midpoint sensor for analysis.
    SV-102369r1_rule SELS-SW-000300 CCI-000366 MEDIUM The SEL-2740S must be configured with backup flows for all host and switch flows to ensure proper failover scheme is in place for the network. The SEL-2740S must be capable of multiple fast failover, backup and in cases isolation of the traffic from a detected threat in the system.
    SV-102371r1_rule SELS-SW-000310 CCI-000366 MEDIUM The SEL-2740S must be configured to forward only frames from allowed network-connected endpoint devices. By only allowing frames to be forwarded from known end-points mitigates risks associated with broadcast, unknown unicast, and multicast traffic storms.
    SV-102401r1_rule SELS-SW-000010 CCI-000381 MEDIUM The SEL-2740S must be configured to permit the allowed and necessary ports, functions, protocols, and services. A compromised switch introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network
    SV-102403r1_rule SELS-SW-000050 CCI-001095 MEDIUM The SEL-2740S -must be configured to limit excess bandwidth and denial of service (DoS) attacks. Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance,
    SV-102405r1_rule SELS-SW-000070 CCI-001919 MEDIUM The SEL-2740S must be configured to packet capture flows. Without the capability to select a user session to capture/record or view/hear, investigations into suspicious or harmful events would be hampered by the volume of information captured. The volume of information captured may also adversely impact the oper
    SV-102407r1_rule SELS-SW-000080 CCI-001920 MEDIUM The SEL-2740S must be configured to capture flows for real-time visualization tools. Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel to take action before additional damage is done. The abili
    SV-102409r1_rule SELS-SW-000130 CCI-002385 MEDIUM The SEL-2740S must be configured to prevent packet flooding and bandwidth saturation. Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination
    SV-102411r1_rule SELS-SW-000150 CCI-002385 MEDIUM SEL-2740S flow rules must include the host IP addresses that are bound to designated SEL-2740S ports for ensuring trusted host access. IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to ma
    SV-102413r1_rule SELS-SW-000160 CCI-002385 MEDIUM The SEL-2740S must be configured with ARP flow rules that are statically created with valid IP-to-MAC address bindings. DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packet
    SV-104417r2_rule SELS-SW-000090 CCI-001958 MEDIUM The SEL-2740S must authenticate all network-connected endpoint devices before establishing any connection. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication cla