
Perimeter L3 Switch Security Technical Implementation Guide - Cisco



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-3062 High The network element must be configured to ensure passwords are not viewable when displaying configuration information.
V-15434 High The emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
V-14689 High Inbound IP packets with a local host loopback address (127.0.0.0/8) must be blocked, denied, or dropped at the perimeter device.
V-3012 High Network devices must be password protected.
V-5626 High The switch must be configured to use 802.1x authentication on host facing access switch ports.
V-14696 High The network element must be configured to restrict the acceptance of any IP packets from the unspecified address, (0:0:0:0:0:0:0:0 or ::/128).
V-14694 High The network element will be configured to ensure IPv6 Site Local Unicast addresses are blocked on the ingress inbound filter, (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.
V-14695 High The network element must be configured to restrict the device from accepting any inbound IP packets with a local host loopback address, (0:0:0:0:0:0:0:1 or ::1/128).
V-14692 High Inbound IP packets using RFC 1918 address space (10.0.0.0/8, 172.16.0.0 /12, and 192.168.0 /16) must be blocked, denied, or dropped at the perimeter device.
V-14690 High Inbound IP packets using link-local address space (169.254.0.0/16) must be blocked, denied, or dropped at the perimeter device.
V-14691 High Inbound packets using IP addresses specified in the RFC5735 and RFC6598, along with network address space allocated by IANA, but not assigned by the RIRs for ISP and other end-customer use must be blocked, denied, or dropped at the perimeter device.
V-4582 High The network device must require authentication for console access.
V-18640 High Tunneled packets must be filtered at the tunnel exit point.
V-4622 High The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site’s address space.
V-3175 High The network devices must require authentication prior to establishing a management connection for administrative access.
V-3164 High The network device must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) Strict mode or via egress ACL.
V-3210 High The network device must not use the default or well-known SNMP community strings public and private.
V-3196 High The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-25037 High The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attack caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic.
V-4623 High The IAO/NSO will ensure the premise router does not have a routing protocol session with a peer router belonging to an AS (Autonomous System) of the AG service provider. A static route is the only acceptable route to an AG.
V-3056 High Group accounts must not be configured for use on the network device.
V-7009 High The lifetime of the MD5 Key expiration must be set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version.
V-15294 High Teredo packets must be blocked inbound to the enclave and outbound from the enclave.
V-3143 High Network devices must not have any default manufacturer passwords.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-31285 Medium The network element must authenticate all BGP peers within the same or between autonomous systems (AS).
V-15432 Medium Network devices must use two or more authentication servers for the purpose of granting administrative access.
V-3013 Medium Network devices must display the DoD-approved logon banner warning.
V-5646 Medium The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
V-14685 Medium The network element must be configured to ensure the routing header extension type 0, 1, and 3-255 are rejected in an IPv6 enclave.
V-14687 Medium The network element can permit outbound ICMPv6 messages Packet-too-big (type 2), Echo Request (type 128), and Neighbor Discovery (type 135-136). Remaining ICMPv6 messages must be blocked outbound.
V-3014 Medium The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-14669 Medium The administrator must ensure BSD r command services are disabled.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-5628 Medium A dedicated management VLAN or VLANs must be configured to keep management traffic separate from user data and control plane traffic.
V-5622 Medium The native VLAN must be assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links.
V-30618 Medium The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing a Destination Option header with invalid option type values.
V-5623 Medium Port trunking must be disabled on all access ports (do not configure trunk mode as on, desirable, non-negotiate, or auto; only off).
V-14697 Medium The network device must block IPv6 multicast addresses used as a source address.
V-14693 Medium The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.
V-14698 Medium The IAO/NSO will ensure IPv6 addresses with embedded IPv4-compatible IPv6 addresses are blocked on the ingress and egress filters, (0::/96).
V-14699 Medium The IAO/NSO will ensure that IPv6 addresses with embedded IPv4-mapped IPv6 addresses are blocked on the ingress and egress filters, (0::FFFF/96).
V-5645 Medium Cisco Express Forwarding (CEF) must be enabled on all supported Cisco Layer 3 IP devices.
V-18647 Medium Tunnel end-points must implement filters in accordance with mitigations defined in PPS Vulnerability Assessments.
V-18566 Medium The switch must only allow a maximum of one registered MAC address per access port.
V-17814 Medium Gateway configuration at the remote VPN end-point is not a mirror of the local gateway.
V-14670 Medium The network element must be configured so that ICMPv6 unreachable notifications and redirects are disabled on all external facing interfaces.
V-14671 Medium The network element must authenticate all NTP messages received from NTP servers and peers.
V-3043 Medium The network device must use different SNMP community names or groups for various levels of read and write access.
V-3971 Medium VLAN 1 must not be used for user VLANs.
V-17835 Medium Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.
V-17834 Medium An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.
V-17833 Medium Authorized management traffic must be forwarded by the multi-layer switch from the production or managed VLANs to the management VLAN.
V-17832 Medium The management VLAN must be configured with an IP address from the management network address block.
V-30744 Medium The administrator must ensure that all L2TPv3 sessions are authenticated prior to transporting traffic.
V-3160 Medium The network element must be running a current and supported operating system with all IAVMs addressed.
V-3165 Medium The IAO/NSO will implement tcp intercept features provided by the router or implement a filter to rate limit tcp syn to protect servers from any TCP SYN flood attacks from an outside network.
V-5613 Medium The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
V-5612 Medium The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-3969 Medium The network device must only allow SNMP read-only access.
V-3968 Medium The administrator must bind the ingress ACL filtering packets entering the network to the external interface on an inbound direction.
V-5611 Medium The network element must only allow management connections for administrative access from hosts residing in the management network.
V-3967 Medium The network element must time out access to the console port after 10 minutes or less of inactivity.
V-3966 Medium The emergency account must be limited to a single local account on the device.
V-17824 Medium The management interface is an access switchport and has not been assigned to a separate management VLAN.
V-17826 Medium The access switchport connecting to the OOBM access switch is not the only port with membership to the management VLAN.
V-17821 Medium The network element’s OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network element's management interface must be configured with both an ingress and egress ACL.
V-17829 Medium The gateway router for the managed network is not configured with an ACL or filter on the egress interface to block all outbound management traffic.
V-15288 Medium ISATAP tunnels must terminate at an interior router.
V-18545 Medium The SA will ensure a packet filter is implemented to filter the enclave traffic to and from printer VLANs to allow only print traffic.
V-5731 Medium The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.
V-19188 Medium The router must have control plane protection enabled.
V-14717 Medium The network element must not use SSH Version 1 for administrative access.
V-30577 Medium The administrator must ensure that Protocol Independent Multicast (PIM) is disabled on all interfaces that are not required to support multicast routing.
V-17815 Medium IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain.
V-30646 Medium The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing an extension header with the Endpoint Identification option.
V-17817 Medium Traffic from the managed network is able to access the OOBM gateway router.
V-17816 Medium The routes from the two IGP domains are redistributed to each other.
V-17819 Medium Management network traffic must not leak onto the managed network.
V-17818 Medium Traffic from the managed network will leak into the management network via the gateway router interface connected to the OOBM backbone.
V-30648 Medium The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing the NSAP address option.
V-30579 Medium The administrator must ensure that boundaries are established at the enclave perimeter for all administrative scoped multicast traffic.
V-30578 Medium The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.
V-3082 Medium IP Proxy ARP must be disabled on all external interfaces.
V-14688 Medium The administrator must bind the egress ACL filtering packets leaving the network to the internal interface on an inbound direction.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-18633 Medium The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.
V-15293 Medium The IAO/NSO will ensure the ingress filter drops unexpected protocol 41 packets at the 6to4 site router before sensor inspection.
V-18636 Medium Tunnel endpoints must be explicitly defined as auto configuration tunnels are not permitted.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-15295 Medium The IAO/NSO will ensure in NAT-PT architecture there is no tunneled IPv4 in IPv6 traffic.
V-14703 Medium The network device must block IPv6 Unique Local Unicast Addresses on the enclave's perimeter ingress and egress filter.
V-14705 Medium The administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.
V-30657 Medium The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.
V-15296 Medium The IAO/NSO will ensure interfaces supporting IPv4 in NAT-PT Architecture do not receive IPv6 traffic.
V-14683 Medium The system administrator will ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave by the router.
V-3984 Medium Access switchports must not be assigned to the native VLAN.
V-3982 Medium L2TP must not pass into the private network of an enclave.
V-18608 Medium The IAO/NSO will ensure IPv6 6-to-4 addresses with a prefix of 2002::/16 are dropped at the enclave perimeter by the ingress and egress filters.
V-18635 Medium Tunnel entry point and the tunnel exit point must contain filters for expected tunnel protocol traffic with source and destination addresses and deny the remaining traffic by default.
V-3022 Medium The administrator must ensure SNMP is blocked at all external interfaces. SNMP Access is permitted for enterprise mapping capabilities as directed by CTO 09-011.
V-3021 Medium The network element must only allow SNMP access from addresses belonging to the management network.
V-3026 Medium Internet Control Message Protocol (ICMP) message types must be blocked inbound from external untrusted networks (e.g., ISP and other non-DoD networks).
V-3027 Medium Internet Control Message Protocol (ICMP) message types must be blocked outbound to external untrusted networks (e.g., ISP and other non-DoD networks).
V-18522 Medium Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.
V-18523 Medium The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.
V-14686 Medium The network element can permit inbound ICMPv6 messages Packet-too-big (type 2), Time Exceeded (type 3), Parameter Problem (type 4), Echo Reply (type 129), and Neighbor Discovery (type 135-136). Remaining ICMPv6 messages must be blocked inbound.
V-5618 Medium Gratuitous ARP must be disabled.
V-3084 Medium The administrator must ensure ICMP unreachable notifications, mask replies, and redirects are disabled on all external interfaces of the premise router.
V-3085 Medium The network element must have HTTP service for administrative access disabled.
V-14637 Medium Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.
V-3080 Medium The Configuration auto-loading feature must be disabled.
V-3081 Medium The router must have IP source routing disabled.
V-14632 Medium The IAO/NSO will ensure the route to the AG network adheres to the PPS CAL boundary 13 and 14 policies and is in compliance with all perimeter filtering defined in the perimeter and router sections of the Network STIG.
V-30594 Medium The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.
V-30660 Medium The administrator must ensure the 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network.
V-18610 Medium The IAO/NSO will ensure IPv6 6bone address space is blocked on the ingress and egress filter, (3FFE::/16).
V-3035 Medium The administrator will restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems.
V-3034 Medium The network element must authenticate all IGP peers.
V-5624 Medium The IAO/NSO will ensure if 802.1x Port Authentication is implemented, re-authentication must occur every 60 minutes.
V-18648 Medium Tunnel entry and exit points must be in a deny-by-default security posture.
V-14666 Medium Each eBGP neighbor must be authenticated with a unique password.
V-14707 Medium The network element must be configured to reject any outbound IP packet that contains an illegitimate address in the source address field, via egress ACL or by enabling Unicast Reverse Path Forwarding, in an IPv6 enclave.
V-17754 Medium IPSec tunnels used to transit management traffic must be restricted to only the authorized management packets based on destination and source IP address.
V-3008 Medium The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network.
V-3079 Low The network element must have the Finger service disabled.
V-3078 Low Network devices must have TCP and UDP small servers disabled.
V-3077 Low Cisco Discovery Protocol (CDP) must be disabled on all external facing interfaces.
V-3070 Low The network element must log all attempts to establish a management connection for administrative access.
V-3072 Low The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
V-30617 Low The administrator must ensure that the maximum hop limit is at least 32.
V-4584 Low The network element must log all messages except debugging and send all log data to a syslog server.
V-14675 Low The router must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
V-14672 Low The router must use its loopback or OOB management interface address as the source address when originating TACACS+ or RADIUS traffic.
V-14674 Low The router must use its loopback or OOB management interface address as the source address when originating NTP traffic.
V-3972 Low VLAN 1 must be pruned from all trunk and access ports that do not require it.
V-3973 Low Disabled switch ports must be placed in an unused VLAN (do not use VLAN1).
V-17837 Low The core router within the managed network has not been configured to provide preferred treatment for management traffic that must traverse several nodes to reach the management network.
V-17836 Low Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.
V-23747 Low The network element must use two or more NTP servers to synchronize time.
V-5617 Low DHCP Services must be disabled.
V-5615 Low Network devices must have TCP Keep-Alives enabled for TCP sessions.
V-4624 Low The IAO/NSO will ensure the AG network service provider IP addresses are not redistributed into or advertised to the NIPRNet or any router belonging to any other Autonomous System (AS), i.e., to another AG device in another AS.
V-14677 Low The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
V-17825 Low An address has not been configured for the management VLAN from space belonging to the OOBM network assigned to that site.
V-17827 Low The management VLAN is not pruned from any VLAN trunk links belonging to the managed network’s infrastructure.
V-17823 Low The management interface must be configured as passive for the IGP instance deployed in the managed network.
V-19189 Low The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic.
V-18544 Low Printers must be assigned to a VLAN that is not shared by unlike devices.
V-30736 Low The administrator must ensure the 6-to-4 router is configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
V-5614 Low Network devices must have the PAD service disabled.
V-14673 Low The router must use its loopback or OOB management interface address as the source address when originating syslog traffic.
V-14681 Low The router must use its loopback interface address as the source address for all iBGP peering sessions.
V-14676 Low The router must use its loopback or OOB management interface address as the source address when originating NetFlow traffic.
V-5616 Low Network devices must have identification support disabled.
V-3020 Low The network element must have DNS servers defined if it is configured as a client resolver.
V-3028 Low Trace routes originating from untrusted networks (e.g., ISP and other non-DoD networks) must be blocked to prevent network discovery by unauthorized users.
V-3086 Low BOOTP services must be disabled.
V-3083 Low IP directed broadcast must be disabled on all layer 3 interfaces.
V-14667 Low Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration exceeding 180 days.
V-30585 Low The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose.
V-7011 Low The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-3005 Low The IAO/NSO will ensure that workstation clients’ real IPv4 addresses are not revealed to the public by implementing NAT on the firewall or the router.
V-3000 Low The network device must log all access control lists (ACL) deny statements.