| V-15294 | High | Teredo packets must be blocked inbound to the enclave and outbound from the enclave. | Teredo (RFC 4380) is a tunneling mechanism that allows computers to encapsulate IPv6 packets inside IPv4 to traverse IPv4-only networks. It relies on UDP to allow the tunnel to traverse NAT... |
| V-25037 | High | The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attack caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic. | DNS cache poisoning is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching name server. There are inherent deficiencies in the DNS protocol... |
| V-3210 | High | The network device must not use the default or well-known SNMP community strings public and private. | Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An... |
| V-3175 | High | The network device must require authentication prior to establishing a management connection for administrative access. | Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling... |
| V-15434 | High | The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. | The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the... |
| V-4582 | High | The network device must require authentication for console access. | Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to... |
| V-3012 | High | Network devices must be password protected. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
| V-3143 | High | Network devices must not have any default manufacturer passwords. | Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of... |
| V-3062 | High | The network element must be configured to ensure passwords are not viewable when displaying configuration information. | Many attacks information systems and network elements are launched from within the network. Hence, it is imperative that all passwords are encrypted so they cannot be intercepted by viewing the... |
| V-3196 | High | The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. | SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain... |
| V-3056 | High | Group accounts must not be configured for use on the network device. | Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves... |
| V-3085 | Medium | The network element must have HTTP service for administrative access disabled. | The additional services the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an... |
| V-14637 | Medium | Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces. | Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for the link local attacks, but... |
| V-3069 | Medium | Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. | Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network... |
| V-14671 | Medium | The network element must authenticate all NTP messages received from NTP servers and peers. | Since NTP is used to ensure accurate log file time stamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
| V-3043 | Medium | The network device must use different SNMP community names or groups for various levels of read and write access. | Numerous vulnerabilities exist with SNMP; therefore, without unique SNMP community names, the risk of compromise is dramatically increased. This is especially true with vendors default community... |
| V-3156 | Medium | The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc. | A SYN-flood attack is a denial-of-service attack where the attacker sends a huge amount of please-start-a-connection packets and then nothing else. This causes the device being attacked to be... |
| V-15296 | Medium | Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic. | Network Address Translation with Protocol Translation (NAT-PT), defined in [RFC2766], is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates IPv4... |
| V-17814 | Medium | Gateway configuration at the remote VPN end-point is a not a mirror of the local gateway | The IPSec tunnel end points may be configured on the OOBM gateway routers connecting the managed network and the NOC. They may also be configured on a firewall or VPN concentrator located behind... |
| V-17830 | Medium | A firewall located behind the premise router must be configured to block all outbound management traffic. | The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between... |
| V-18815 | Medium | IPv6 Jumbo Payload hop by hop header must be blocked. | The IPv6 Jumbo Payload allows IP packets to be larger than 65,535 bytes. This feature is only useful on very specialized high performance systems (e.g. super computers). Common place link layer... |
| V-5611 | Medium | The network devices must only allow management connections for administrative access from hosts residing in the management network. | Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted... |
| V-3014 | Medium | The network element must timeout management connections for administrative access after 10 minutes or less of inactivity. | Setting the timeout of the session to ten minutes or less increases the level of protection afforded critical network components. |
| V-3057 | Medium | Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. | By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those... |
| V-14644 | Medium | The firewall must reject requests for access or services where the source address received by the firewall specifies a loopback address. | The loopback address is used by an Inter-Processor Control (IPC) mechanism that enables the client and server portion of an application running on the same machine to communicate, and so it is... |
| V-17754 | Medium | Management traffic is not restricted to only the authorized management packets based on destination and source IP address. | The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design... |
| V-14643 | Medium | The SA must configure the firewall for the minimum content and protocol inspection requirements. | Creating a filter to allow a port or service through the firewall without content or protocol inspection creates a direct connection between the host in the private network and a host on the... |
| V-15432 | Medium | Network devices must use two or more authentication servers for the purpose of granting administrative access. | The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in... |
| V-3013 | Medium | Network devices must display the DoD-approved logon banner warning. | All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear... |
| V-5646 | Medium | The network device must drop half-open TCP connections through filtering thresholds or timeout periods. | A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance... |
| V-14649 | Medium | The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged. | By immediately displaying an alarm message, identifying the potential security violation and making it accessible with the audit record contents associated with the auditable event(s) that... |
| V-14648 | Medium | Critical alerts must be generated and notifications sent to authorized personnel regardless if the person is logged in. | By immediately displaying an alarm message, identifying the potential security violation and making it accessible with the audit record contents associated with the event(s) that generated the... |
| V-3058 | Medium | Unauthorized accounts must not be configured for access to the network device. | A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that... |
| V-3969 | Medium | The network device must only allow SNMP read-only access. | Enabling write access to the router via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations. |
| V-28784 | Medium | A service or feature that calls home to the vendor must be disabled.
| Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that... |
| V-18522 | Medium | Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture. | Protecting data sitting in a server VLAN is necessary and can be accomplished using access control lists on VLANs provisioned for servers. Without proper access control of traffic entering or... |
| V-14717 | Medium | The network device must not allow SSH Version 1 to be used for administrative access. | SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now... |
| V-3967 | Medium | The network devices must time out access to the console port at 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-4619 | Medium | The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the installation of the firewall product. | If the host that a firewall engine is operating on is not secured, the firewall itself is exposed to greater risk. |
| V-3966 | Medium | In the event the authentication server is unavailable, the network device must have a single local account of last resort defined. | Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when... |
| V-17821 | Medium | The network element’s OOBM interface must be configured with an OOBM network address. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM... |
| V-17822 | Medium | The network elements management interface must be configured with both an ingress and egress ACL. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the... |
| V-5731 | Medium | The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments. | Vulnerability assessments must be reviewed by the SA and protocols must be approved by the IA staff before entering the enclave.
Access Control Lists (ACLs) are the first line of defense in a... |
| V-30638 | Medium | The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance. | 1) Drop IPv6 Undetectable protocol/port (May be an intrinsic FW feature.) - IPv6 allows an unlimited number of extension headers to be applied to a packet. A FW may not be able to locate the layer... |
| V-3054 | Medium | The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall. | The risk of an attack increases with more services enabled on the firewall, since the firewall will listen for these services. If non-firewall services (e.g., DNS servers, e-mail client servers,... |
| V-14693 | Medium | The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10). Note that this consist of all addresses that begin with FEC, FED, FEE and FEF. | As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of... |
| V-3982 | Medium | L2TP must not pass into the private network of an enclave. | Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer... |
| V-72879 | Medium | The firewall must not be listening for telnet service. | Telnet is an unencrypted service which can be easily exploited, especially when used over a public network such as the internet. With telnet enabled on the firewall, an attacker may be able to... |
| V-18608 | Medium | IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. | "6-to-4" is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is... |
| V-17835 | Medium | Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address. | Similar to the OOBM model, when the production network is managed in-band, the management network could also be housed at a NOC that is located locally or remotely at a single or multiple... |
| V-18525 | Medium | The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering. | Most current applications are deployed as a multi-tier architecture. The multi-tier model uses separate server machines to provide the different functions of presentation, business logic, and... |
| V-3176 | Medium | The network devices must be configured to alert the administrator of a potential attack or system failure. | The IDS or firewall is the first device that is under the sites control that has the possibility to alarm the local staff of an ongoing attack. An alert from either of these devices can be the... |
| V-3021 | Medium | The network element must only allow SNMP access from addresses belonging to the management network. | Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, show the networks topology, and... |
| V-5613 | Medium | The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface. | An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens... |
| V-5612 | Medium | The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions. | An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and... |
| V-18523 | Medium | The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment. | ACLs on VLAN interfaces do not protect against compromised servers. The Server farm vlans need to protect the servers located on one subnet from servers located on another subnet. Protecting a... |
| V-3160 | Medium | Network devices must be running a current and supported operating system with all IAVMs addressed. | Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps... |
| V-3008 | Medium | The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network. | Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premise of the managed networks and at the NOC. Dedicated links can be deployed using provisioned... |
| V-23747 | Low | The network element must use two or more NTP servers to synchronize time. | Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If you cannot successfully compare logs between each of your routers, switches,... |
| V-3020 | Low | The network element must have DNS servers defined if it is configured as a client resolver. | The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a Telnet connection with... |
| V-14647 | Low | The network device must dump logs when they reach 75% capacity to a syslog server. | Having a procedure tested and verified will prevent the logs from filling when they reach 75% capacity. |
| V-14646 | Low | Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity. | Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of... |
| V-14655 | Low | The ISSO must ensure an alert will remain written on the consoles until acknowledged by an administrator. | Critical alerts require immediate response. Critical alerts must not roll off the screens. The requirements are necessary to ensure an administrator will be aware of the alerts or alarm. The... |
| V-14667 | Low | Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less. | If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Changing the... |
| V-17823 | Low | The network element’s management interface is not configured as passive for the IGP instance deployed in the managed network. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the... |
| V-14653 | Low | The ISSO must ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s). | The relevant audit information must be available to administrators. The firewall shall immediately display an alarm message, identifying the potential security violation and make accessible the... |
| V-3178 | Low | Administrator logons, changes to the administrator group, and account lockouts must be logged. | The network device and the associated logging functions allows for forensic investigations if properly configured and protected. The administrators account is the most sought after account so... |
| V-3000 | Low | The network device must log all interface access control lists (ACL) deny statements. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, attempted to be done, and by whom in order to compile an... |
| V-14656 | Low | The ISSO must ensure an acknowledgement message identifying a reference to the potential security violation is logged and it contains a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm. | Acknowledging the alert could be a single event, or different events. In addition, assurance is required that each administrator that received the alarm message also receives the acknowledgement... |
| V-7011 | Low | The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. ... |
| V-25890 | Low | Network device logs must be timestamped. | Device logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. It can take numerous days to recover from a firewall outage when a proper... |
| V-25891 | Low | Network device logs must include source IP, destination IP, port, protocol used and action taken. | The network device logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. |
| V-3070 | Low | Network devices must log all attempts to establish a management connection for administrative access. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders... |
