Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide

Overview

VersionDateFinding Count (15)Downloads
V1R12026-06-15CAT I (High): 1CAT II (Medium): 11CAT III (Low): 3
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
ClassifiedPublicSensitive
I - Mission Critical ClassifiedI - Mission Critical PublicI - Mission Critical Sensitive
II - Mission Support ClassifiedII - Mission Support PublicII - Mission Support Sensitive
III - Administrative ClassifiedIII - Administrative PublicIII - Administrative Sensitive

Findings - MAC I - Mission Critical Classified

Finding IDSeverityTitleDescription
V-283679
LOWMEDIUMHIGH
The Nokia layer 2 switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to...
V-283681
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Spanning Tree Protocol (STP) loop guard enabled on all nondesignated STP switch ports.The STP loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology ...
V-283682
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled.Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the virtual local area network (VLAN...
V-283683
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Dynamic Host Configuration Protocol (DHCP) snooping for all user virtual local area networks (VLANs) to validate DHCP messages from untrusted sources.In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the ne...
V-283684
LOWMEDIUMHIGH
The Nokia layer 2 switch must provide source Internet Protocol (IP) address filtering on untrusted layer 2 interfaces.Source IP address filtering on a layer 2 port prevents a malicious host from impersonating a legitimate host by assuming the legitimate host's IP addr...
V-283685
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user virtual local area networks (VLANs).DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and forw...
V-283688
LOWMEDIUMHIGH
The Nokia layer 2 switch must implement Rapid Spanning Tree Protocol (RSTP) where virtual local area networks (VLANs) span multiple switches with redundant links.STP is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant lin...
V-283689
LOWMEDIUMHIGH
The Nokia layer 2 switch must enable Ethernet Connectivity Fault Management (ETH-CFM) to protect against one-way connections.In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mism...
V-283690
LOWMEDIUMHIGH
The Nokia layer 2 switch must assign all virtual private local area network service (VPLS) ports not in use to an inactive VLAN.A disabled port assigned to a user or management VLAN could be enabled accidentally or by an attacker. As a result, the attacker could gain access to ...
V-283691
LOWMEDIUMHIGH
The Nokia layer 2 switch must not have the default virtual local area network (VLAN) assigned to any host-facing switch ports.In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Sp...
V-283692
LOWMEDIUMHIGH
The Nokia layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessa...
V-283680
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any sw...
V-283686
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Storm Control configured on all host-facing switch ports.A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network ...
V-283687
LOWMEDIUMHIGH
The Nokia layer 2 switch must have Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping configured on all virtual local area networks (VLANs).IGMP and MLD snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within ...
V-283678
LOWMEDIUMHIGH
The Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal compu...