Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the management connection for administrative access and verify the network element is configured to time-out the connection after 10 minutes or less of inactivity.
Configure the network element to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
Review the network device configuration and validate there are no group accounts configured for access.
Configure individual user accounts for each authorized person then remove any group accounts.
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS -SSL -TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
Review the configuration to verify all attempts to access the device via management connection are logged.
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
Review the network element configuration to determine if the vendor default password is active.
Remove any vendor default passwords from the network element configuration.
Review the network device configuration to verify all management connections for administrative access require authentication.
Configure authentication for all management connections.
Review the network element configuration and verify if either of the SNMP community strings “public” or “private” is being used.
Configure unique SNMP community strings replacing the default community strings.
Detailed Policy requirements: Encryption requirements for data in transit: - The WLAN infrastructure (e.g., access point, bridge, or WLAN controller) and WLAN client device must be configured to use the AES-CCMP encryption protocol. Check procedures: - Interview IAO and review WLAN system documentation. - Determine if the WLAN network and client components encryption setting has been configured to use the AES-CCMP encryption protocol and no others. - Mark as a finding if the WLAN is configured to support any encryption protocol other than AES-CCMP, even if AES-CCMP is one of several supported options.
Implement AES-CCMP to protect data in transit. Deactivate encryption protocols other than AES-CCMP.
Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity.
Configure the timeout for idle console connection to 10 minutes or less.
Review the network device's configuration and verify authentication is required for console access.
Configure authentication for console access on the network device.
Review the configuration and verify management access to the device is allowed only from hosts within the management network.
Configure an ACL or filter to restrict management access to the device from only the management network.
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period.
Configure the network element so it will require a secure shell timeout of 60 seconds or less.
Review the configuration and verify the number of unsuccessful SSH login attempts is set at 3.
Configure the network element to require a maximum number of unsuccessful SSH login attempts at 3.
Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected.
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
Review the device configuration and verify it is authenticating the NTP messages received from the NTP server or peer. Authentication must be performed using either PKI (supported in NTP v4) or SHA-1 hashing algorithm. If SHA-1 is not supported by both the NTP client and server, then MD5 can be used.
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or SHA-1 hashing algorithm. If SHA-1 is not supported by this client or the NTP peer or server, then MD5 can be used.
Review the configuration and verify SSH Version 1 is not being used for administrative access.
Configure the network element to use SSH version 2.
Review device configuration. 1. Obtain the SSID using a wireless scanner or the AP or WLAN controller management software. 2. Verify the name is not meaningful (e.g., site name, product name, room number, etc.) or set to the manufacturer's default value. Mark as a finding if the SSID does not meet the requirement listed above.
Change the SSID to a pseudo random word that does not identify the unit, base, or organization.
Detailed policy requirements: Wireless access points and bridges must not be directly connected to the enclave network. A network device must separate wireless access from other elements of the enclave network. Sites must also comply with the Network Infrastructure STIG configuration requirements for DMZ, VLAN, and VPN configurations, as applicable. Examples of acceptable architectures include placing access points or controllers in a screened subnet (e.g. DMZ separating intranet and wireless network) or dedicated virtual LAN (VLAN). Additional discussion of WLAN architectures is found in the Wireless Overview document contained in the Wireless STIG package. NOTE: See Figure 3-1 in the Wireless STIG for an example of an acceptable network architecture. Check Procedures: Review network architecture with the network administrator. 1. Verify compliance by inspecting the site network topology diagrams. 2. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator using network management tools or diagnostic commands to verify the diagrams are current. Mark as a finding if site wireless infrastructure such as access points and bridges are not isolated from the enclave network.
Remove wireless network devices with direct connections to an enclave network. If feasible, reconfigure network connections to isolate the WLAN infrastructure from the enclave network, separating them with a firewall or equivalent protection.
The managed network element’s OOBM interface must be configured with an IP address from the address space belonging to the OOBM network. After determining which interface is connected to the OOBM access switch, review the managed device configuration and verify the interface has been assigned an address from the local management address block.
Configure the managed network element’s OOBM interface with an IP address from the address space belonging to the OOBM network.
Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic—that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element.
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network elements.
Review the configuration and verify two NTP servers have been defined.
Specify two NTP server IP addresses on the device to be used to request time from.
Verify the call home service or feature is disabled on the device.
Configure the network device to disable the call home service or feature.