Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide

Overview

VersionDateFinding Count (37)Downloads
V1R12026-06-15CAT I (High): 9CAT II (Medium): 28CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
ClassifiedPublicSensitive
I - Mission Critical ClassifiedI - Mission Critical PublicI - Mission Critical Sensitive
II - Mission Support ClassifiedII - Mission Support PublicII - Mission Support Sensitive
III - Administrative ClassifiedIII - Administrative PublicIII - Administrative Sensitive

Findings - MAC I - Mission Critical Classified

Finding IDSeverityTitleDescription
V-283760
LOWMEDIUMHIGH
The Nokia router must limit the number of concurrent management sessions to a maximum of three for each administrator account and/or administrator account type.Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al...
V-283762
LOWMEDIUMHIGH
The Nokia router must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management informati...
V-283763
LOWMEDIUMHIGH
The Nokia router must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ...
V-283764
LOWMEDIUMHIGH
The Nokia router must display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device, and it must remain until the administrator acknowledges the usage conditions and takes explicit action to log on for further access.Display of the DoW-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c...
V-283765
LOWMEDIUMHIGH
The Nokia router must initiate session auditing upon startup.If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state i...
V-283766
LOWMEDIUMHIGH
The Nokia router must protect audit information from unauthorized modification.Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activi...
V-283767
LOWMEDIUMHIGH
The Nokia router must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.Changes to any software components can have significant effects on the overall security of the Nokia router. Verifying software components have been d...
V-283769
LOWMEDIUMHIGH
The Nokia router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local da...
V-283770
LOWMEDIUMHIGH
The Nokia router must enforce a minimum 15-character password length.Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ...
V-283771
LOWMEDIUMHIGH
The Nokia router must enforce password complexity.Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure...
V-283772
LOWMEDIUMHIGH
The Nokia router must require that when a password is changed, the characters are changed in at least eight of the positions within the password.If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa...
V-283776
LOWMEDIUMHIGH
The Nokia router must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.To ensure network devices have a sufficient storage capacity in which to write the audit logs, they must be able to allocate audit record storage capa...
V-283777
LOWMEDIUMHIGH
The Nokia router must generate an immediate real-time alert for all audit failure events requiring real-time alerts.It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler...
V-283778
LOWMEDIUMHIGH
The Nokia router must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis....
V-283779
LOWMEDIUMHIGH
The Nokia router must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by...
V-283780
LOWMEDIUMHIGH
The Nokia router must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a Federal Information Processing Standard (FIPS)-validated Keyed-Hash message authentication code.Without authenticating devices, unidentified or unknown devices may be introduced, facilitating malicious activity. Bidirectional authentication provi...
V-283781
LOWMEDIUMHIGH
The Nokia router must be configured to authenticate Network Time Protocol (NTP) sources using authentication with a Federal Information Processing Standard (FIPS)-compliant algorithm.If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can be used to send incorrect time information to network...
V-283783
LOWMEDIUMHIGH
The Nokia router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m...
V-283784
LOWMEDIUMHIGH
The Nokia router must off-load audit records onto a different system or media than the system being audited.Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s...
V-283786
LOWMEDIUMHIGH
The Nokia router must be configured to conduct backups of system-level information contained in the information system when changes occur.System-level information includes default and customized settings and security attributes, including Access Control Lists (ACLs) that relate to the ne...
V-283787
LOWMEDIUMHIGH
The Nokia router must obtain its public key certificates from an appropriate certificate policy through an approved service provider.The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor...
V-283790
LOWMEDIUMHIGH
The Nokia router must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and...
V-283791
LOWMEDIUMHIGH
The Nokia router must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication.Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For Public Key Infrastructure (PKI) solutions, sta...
V-283792
LOWMEDIUMHIGH
The Nokia router must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions within the system by logically separated communications paths.Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through an external or internal network. Communications pa...
V-283793
LOWMEDIUMHIGH
The Nokia router must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.Public Key Infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the inter...
V-283794
LOWMEDIUMHIGH
The Nokia router must be configured to synchronize system clocks within and between systems or system components.Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication proc...
V-283795
LOWMEDIUMHIGH
The Nokia router must be configured to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source.Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and ...
V-283799
LOWMEDIUMHIGH
The Nokia router must be configured to implement multifactor authentication for local, network, and/or remote access to privileged and nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.Requiring a device separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication re...
V-283761
LOWMEDIUMHIGH
The Nokia router must be configured to assign appropriate user roles or access levels to authenticated users.Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of aut...
V-283768
LOWMEDIUMHIGH
The Nokia router must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d...
V-283773
LOWMEDIUMHIGH
The Nokia router must only store cryptographic representations of passwords.Passwords must be protected at all times, and encryption is the standard method of protecting passwords. If passwords are not encrypted, they can be p...
V-283774
LOWMEDIUMHIGH
The Nokia router must use Federal Information Processing Standard (FIPS) 140-3-approved algorithms for authentication to a cryptographic module.Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied on to provide conf...
V-283775
LOWMEDIUMHIGH
The Nokia router must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se...
V-283782
LOWMEDIUMHIGH
The Nokia router must use Federal Information Processing Standard (FIPS)-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentialit...
V-283785
LOWMEDIUMHIGH
The Nokia router must be configured to use at least two authentication servers for authenticating users prior to granting administrative access.Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important...
V-283788
LOWMEDIUMHIGH
The Nokia router must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor...
V-283789
LOWMEDIUMHIGH
The Nokia router must be running an operating system release that is currently supported by the vendor.Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit...