Ensure SEL-2740S Syslog servers are configured by doing the following: 1. Log in with Permission Level 3 rights into parent OTSDN Controller. 2. Go to the "Configuration Objects" page and select the switch. 3. Check Syslog Server IP addresses are in the settings fields configured for the log services. 4. Check Syslog flows exist and are accurate for the SEL-2740S DUT and additional neighbor devices' flows exist and are correct. If the SEL-2740S is not configured with Syslog server entries to ensure auditability, this is a finding.
To configure the SEL-2740S to send logs to Syslog servers, do the following: 1. Log in with Permission Level 3 rights into the parent OTSDN Controller. 2. Go to the "Configuration Objects" settings page and select the desired switch for the SEL-2740S node. 3. Insert the Syslog log service and enter the desired Server IP addresses into the Syslog settings fields. 4. Create the flow rules necessary for Syslog.
Review the configuration node of the SEL-2740S in the flow controller and verify the alarm contact behavior is configured as a log service under All Categories in the configuration object for the desired switch. If the switch is not configured to alert the ISSO and SA in the event of an audit processing failure, this is a finding.
On commissioning the SEL-2740S, enter the IP address, subnet mask, flow controller IP address, default gateway, and host name. Select the severity level desired for the alarm contact in the log services for the configuration node.
Ensure SEL-2740S Syslog servers are configured by doing the following: 1. Log in with Permission Level 3 rights into parent OTSDN Controller. 2. Go to the "Configuration Objects" page. 3. Check Syslog Server IP addresses are in the settings fields for the switch node in log services. 4. Check Syslog flows exist and are accurate for the SEL-2740S DUT and additional neighbor devices' flows exist and are correct. If the SEL-2740S is not configured with Syslog server entries to ensure auditability, this is a finding.
To collect logs using the OTSDN controller, do the following: 1. Go to the "Log Settings" page. 2. Select the Primary entry in the Logging table. 3. Click the "Add" icon (A) in the "Log Services" pane. 4. Select Syslog Server (B) from the menu to display a new Syslog Server Log Service box. 5. Click the "Syslog Server" box to display a blue border around the box. 6. Enter Settings (1) through (4) in the appropriate boxes. 7. Click "Submit". Use the OTSDN Controller to forward the events via Syslog to a central Security Information and Event Manager (SIEM).

Option 2: To configure the SEL-2740S to send logs to a syslog server: 1. Go to the configuration object settings page. 2. Select syslog under the log services for the desired switch. 3. Enter the desired syslog server IP address and the severity level to send to this destination. 4. Repeat for each additional log server; the SEL-2740S supports up to three destinations.

To create the flow rule(s) for Syslog traffic: 1. Log in to the OTSDN Controller with Permission Level 3. 2. Identify or create the Configuration Port to use for the path to the Syslog Server. 3. Identify or create the Configuration Link to use for the path to the Syslog Server.

Create the Flow Rule for the SEL-2740S Syslog traffic: 1. Click "Flow Entries" in the Navigation Menu. 2. Click the "Add Flow" button. 3. Enter the General setting value for "Switch" (Enable). Optionally enter General settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout". 4. For Syslog traffic, enter appropriate "Match Field" values for "ARP Opcode" (Request or Reply), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID". 5. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or Value". 6. Click "Submit".
To ensure SEL-2740S NTP servers are configured, do the following: 1. Log in with Permission Level 3 rights into the parent OTSDN Controller. 2. Go to the "configuration object" settings page. 3. Check the NTP Server IP addresses in the settings fields. The SEL-2740S supports primary and backup NTP servers, so enter the IP address of the backup if desired so that both primary and backup are displayed. 4. Check that NTP flows for the SEL-2740S DUT and additional neighbor devices exist and are correct. If the SEL-2740S is not configured to maintain internal system clocks with an authoritative time server, this is a finding.
Configure NTP Servers during node adoption with the following steps: 1. Go to the "configuration object" page. 2. Enter the NTP Server IP addresses in the appropriate settings fields. The SEL-2740S supports primary and backup NTP servers, so enter the IP address of the backup if desired so that both primary and backup are displayed. 3. Click "Submit". 4. Create NTP Flows to/from the NTP server to/from the node.
To ensure SEL-2740S NTP servers are configured do the following: 1. Log in with Permission Level 3 rights into parent OTSDN Controller. 2. Go to the "configuration object" page. 3. Check NTP Server IP addresses in the settings fields. 4. Check NTP flows for the SEL-2740S DUT and additional neighbor devices exist and are correct. If the SEL-2740S is not configured to maintain internal system clocks with an authoritative time server, this is a finding.
Configure NTP Servers during node adoption with the following steps: 1. Go to the "configuration object" page and select desired switch. 2. Enter the NTP Server IP addresses in appropriate settings fields for primary and backup NTP server(s). 3. Click "Submit". 4. Create NTP Flows to/from NTP server to/from node.
To ensure SEL-2740S NTP servers are configured do the following: 1. Log in with Permission Level 3 rights into parent OTSDN Controller. 2. Go to the "configuration object" page and select the desired switch. 3. Check NTP Server IP addresses in the settings fields that both a primary and backup NTP server is configured. 4. Check NTP flows for the SEL-2740S DUT and additional neighbor devices exist and are correct. If the SEL-2740S is not configured to maintain internal system clocks with a backup authoritative time server, this is a finding.
Configure NTP Servers during node adoption with the following steps: 1. Go to the "configuration object" page and select desired switch. 2. Enter the NTP Server IP addresses in appropriate settings fields for primary and backup NTP server(s). 3. Click "Submit". 4. Create NTP Flows to/from NTP server to/from node.
To ensure the SEL-2740S credentials and identifiers are accurate, do the following: 1. Log in with Admin rights into the parent OTSDN Controller. 2. Download the latest settings for the SEL-2740S device under test (DUT). 3. Go to the "Administration" page. 4. Go to the "X.509 Entries" page. 5. Check that each certificate is necessary and its status is valid, and reconcile the entries with the parent OTSDN controller(s) for the network. If the SEL-2740S is not configured with the proper X.509 certificates or contains unnecessary certificate entries, this is a finding.
To configure the SEL-2740S X.509 certificate for TLS communications, the device needs to be simply adopted by OTSDN controller. Before adopting, create an SEL-2740S configuration node object. To adopt an SEL-2740S do the following: 1. Go to the "Topology" page. 2. Select the SEL-2740S you want to adopt. The Option window shows the SEL-2740S Node Options pane. 3. Select the SEL-2740S configuration node from the "Configuration" setting. The "Adopt Configuration" button is enabled. 4. Click the "Adopt Configuration" button. The Feedback bar displays "Success" to indicate successful application of the configuration node. The adoption process starts. 5. Wait until the alarm contact pulses (about 30 to 60 seconds). After clicking the Adopt button, the process may take a minute or longer to complete depending on the speed of the SEL-5056 host machine. When complete, the selected object becomes adopted, the appropriate ports appear, and the Adoption State is "Adopted".
To ensure SEL-2740S necessary diagnostics and maintenance communications, do the following: 1. Log in with Permission Level 3 rights into parent OTSDN Controller. 2. Confirm the desired switch is adopted by checking that there is a green solid border around the switch in the UI on the topology page. 3. Click the switch node and then the Device View button. 4. Confirm a new browser page opens for the diagnostic collection of the switch. If the SEL-2740S is not successfully talking to the flow controller, this is a finding.
When SEL-2740S switches are adopted by the SEL-5056 flow controller, saturation protection is automatically enabled using flow meters between the switch and the flow controller. To configure this, simply adopt the switches using the default flows, which rate limit traffic to the flow controller. 1. Log in to SEL-5056 using Permission Level 3. 2. Confirm all switches are adopted; if not, create a configuration object with the desired settings and use the new object to adopt the switch. 3. When adoption is complete, the flows between the switch and the flow controller use a meter. Navigate to the meter page and confirm a new meter was created for that switch and is in the "success" state.
Ensure the SEL-2740S X.509 certificate is properly configured on the SEL-2740S by checking the "Certificates" page on the OTSDN Controller. If the SEL-2740S public keys were not provided by an approved certificate policy or authority, this is a finding.
Import a PEM or PFX X.509 Certificate from an approved service provider into the flow controller as the Root CA certificate so the flow controller can use it to generate and commission the SEL-2740S with an accepted chain of trust. To do this log into the flow controller with security administrator privileges and navigate to the Administration page and then to the X.509 page. Select Import and use the certificate type CA Cert.
Ensure the SEL-2740S is adopted by only the appropriate OTSDN Controller(s) by checking the "Topology" page on the OTSDN Controller for the SEL-2740S under test to ensure it is adopted by the appropriate OTSDN Controller(s). If the SEL-2740S is adopted by a rogue OTSDN Controller or does not appear as an adopted device in the network, this is a finding.
To configure the SEL-2740S for initial trust and X.509 certificate creation for TLS communications, the device needs to be adopted by the OTSDN controller. Before adopting, create an SEL-2740S configuration node object. To adopt an SEL-2740S, do the following: 1. Go to the "Topology" page. 2. Select the SEL-2740S you want to adopt. The "Option" window shows the SEL-2740S "Node Options" pane. 3. Select the SEL-2740S configuration node from the "Configuration" setting. The "Adopt Configuration" button is enabled. 4. Click the "Adopt Configuration" button. The "Feedback" bar displays "Success" to indicate successful application of the configuration node. The adoption process starts. 5. Wait until the alarm contact pulses (about 30 to 60 seconds). After clicking the "Adopt" button, the process may take a minute or longer to complete depending on the speed of the SEL-5056 host machine. When complete, the selected object becomes adopted, the appropriate ports appear, and the Adoption State is "Adopted".
To ensure SEL-2740S Syslog servers are configured do the following: 1. Log in with Permission Level 3 rights into parent OTSDN Controller. 2. Download the latest settings for the SEL-2740S device under test (DUT). 3. Go to the "Configuration Object" page and select the desired switch node. 4. Check the log services settings and confirm the desired Syslog Server IP addresses and severity levels are in the settings fields. 5. Check Syslog flows exist and are accurate for the SEL-2740S DUT and additional neighbor devices' flows exist and are correct. If the SEL-2740S is not configured with Syslog server entries to ensure auditability, this is a finding.
To configure the SEL-2740S to send logs to Syslog servers, do the following: 1. Log in with Permission Level 3 rights into the parent OTSDN Controller. 2. Go to the "Configuration Objects" settings page and select the desired switch for the SEL-2740S node. 3. Insert the Syslog log service and enter the desired Server IP addresses into the Syslog settings fields. 4. Create the flow rules necessary for Syslog.
Verify that NTP packets only traverse the private network by traffic engineering both the physical path and the redundant path between the switch and the NTP server. 1. Log in to the parent OTSDN Controller with Permission Level 3 rights. 2. Go to the Configuration Objects settings page. 3. Review the NTP Server IP addresses in the settings fields. If the IP addresses are not within the private network, this is a finding.
Deploy the NTP server within the private network. Provision both the physical path and the redundant path between the switch and the NTP server to ensure NTP packets only traverse the private network. Use multilayer packet inspection at each hop of the switches to whitelist traffic so that only the intended NTP clients and server can communicate with each other.
Verify that the switch is configured to use a syslog server for the purpose of forwarding alerts to the administrators and the ISSO. 1. Log in with Permission Level 3 into the OTSDN Controller. 2. Go to the Configuration Object page and select the subject switch node. 3. Check the log services settings and confirm that a syslog server IP address is in the settings fields. If the SEL-2740S is not configured to use a syslog server, this is a finding.
To configure the SEL-2740S to send logs to Syslog servers, do the following: 1. Log in with Permission Level 3 rights into the parent OTSDN Controller. 2. Go to the Configuration Objects settings page and select the desired switch. 3. Insert the Syslog log service and enter the desired IP addresses into the syslog settings fields. 4. Create the flow rules necessary for syslog.
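The NTP and Syslog checks above (a primary and a backup NTP server, NTP servers inside the private network, at least one and at most three Syslog destinations) are stated as manual reviews of the configuration object in the OTSDN Controller. The following Python script is an added example, not code from SEL, DISA or the STIG, that encodes those same rules as an offline audit so the review can be repeated consistently across many switches. The OTSDN controller's export format is not described on the page, so the dictionary layout below (keys `ntp_servers` with `primary`/`backup`, and `syslog_servers` as a list of `ip`/`severity` entries) is an assumption, and the two sample configuration objects are constructed for illustration.

```python
"""Offline audit of an SEL-2740S configuration object against the STIG checks.

Added example, not SEL/DISA code. The dict layout is an assumption about how
a downloaded configuration object might be represented; the rules encoded are
the page's own checks: primary and backup NTP server present, NTP servers
inside the private network, and one to three Syslog destinations.
"""
import ipaddress

# The page states the SEL-2740S supports up to three Syslog destinations.
MAX_SYSLOG_DESTINATIONS = 3

# Constructed sample: a configuration object that passes every check.
COMPLIANT_CONFIG = {
    "switch": "SEL-2740S-01",
    "ntp_servers": {"primary": "10.1.1.5", "backup": "10.1.1.6"},
    "syslog_servers": [{"ip": "10.1.2.10", "severity": "INFO"}],
}

# Constructed sample: public NTP server, no backup NTP, no Syslog server.
NONCOMPLIANT_CONFIG = {
    "switch": "SEL-2740S-02",
    "ntp_servers": {"primary": "8.8.8.8", "backup": ""},
    "syslog_servers": [],
}


def _valid_ip(value):
    """Return an ip_address object, or None if the field is empty or malformed."""
    try:
        return ipaddress.ip_address(value) if value else None
    except ValueError:
        return None


def check_ntp(cfg):
    """Both a primary and a backup NTP server must exist and be private addresses."""
    findings = []
    servers = cfg.get("ntp_servers", {})
    for role in ("primary", "backup"):
        ip = _valid_ip(servers.get(role, ""))
        if ip is None:
            findings.append(f"NTP {role} server not configured")
        elif not ip.is_private:
            # is_private covers RFC 1918 (and loopback/link-local); tighten to
            # the site's own ranges if those should not count as "private".
            findings.append(f"NTP {role} server {ip} is outside the private network")
    return findings


def check_syslog(cfg):
    """At least one Syslog destination, no more than three, each with a valid IP."""
    findings = []
    servers = cfg.get("syslog_servers", [])
    if not servers:
        findings.append("no Syslog server configured")
    if len(servers) > MAX_SYSLOG_DESTINATIONS:
        findings.append(
            f"{len(servers)} Syslog destinations exceed the maximum of {MAX_SYSLOG_DESTINATIONS}"
        )
    for entry in servers:
        if _valid_ip(entry.get("ip", "")) is None:
            findings.append(f"Syslog entry has invalid IP address: {entry.get('ip')!r}")
    return findings


def audit(cfg):
    """Return every finding for one configuration object; an empty list means compliant."""
    return check_ntp(cfg) + check_syslog(cfg)


if __name__ == "__main__":
    for cfg in (COMPLIANT_CONFIG, NONCOMPLIANT_CONFIG):
        result = audit(cfg)
        print(cfg["switch"], "compliant" if not result else result)
```

The script only reviews the server entries; the flow rules that actually carry NTP and Syslog traffic (the "flows exist and are correct" part of each check) still have to be confirmed on the controller's Flow Entries page.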