Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.
Configure individual user accounts for each authorized person then remove any group accounts.
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.
Remove any vendor default passwords from the network devices configuration.
Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.
Configure authentication for all management connections.
Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.
Configure unique SNMP community strings replacing the default community strings.
Detailed Policy requirements: Encryption requirements for data in transit: - The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol. Check procedures: - Interview IAO and review WLAN system documentation. - Determine if the WLAN network and client components encryption setting has been configured to use the AES-CCMP encryption protocol and no others. - Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options.
Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP.
Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.
Configure the timeout for idle console connection to 10 minutes or less.
Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.
Configure authentication for console access on the network device.
Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.
Configure an ACL or filter to restrict management access to the device from only the management network.
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.
Configure the network devices so it will require a secure shell timeout of 60 seconds or less.
Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.
Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.
Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
Review the device configuration and verify it is authenticating the NTP messages received from the NTP server or peer. Authentication must be performed using either PKI (supported in NTP v4) or SHA-1 hashing algorithm. If NTP messages are not authenticated using PKI or SHA-1 hashing, this is a finding.
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or SHA-1 hashing algorithm.
Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.
Configure the network device to use SSH version 2.
Review device configuration. 1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. 2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value. Mark as a finding if the SSID does not meet the requirement listed above.
Change the SSID to a pseudo random word that does not identify the unit, base, or organization.
Detailed policy requirements: Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable. Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g. DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN). Additional discussion of WLAN architectures is found in the Wireless Overview document contained in the Wireless STIG package. NOTE: See Figure 3-1 in the Wireless STIG for an example of an acceptable network architecture. Check Procedures: Review network architecture with the network administrator. 1. Verify compliance by inspecting the site network topology diagrams. 2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current. Mark as a finding if site wireless infrastructure such as access points and bridges are not isolated from the enclave network.
Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.
Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.
Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.
Configure the device to use two separate NTP servers.
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding.
Configure the network device to disable the call home service or feature.