Cisco ASA Firewall Security Technical Implementation Guide


Overview

Date: 2023-02-13
Finding Count (21): CAT I (High): 2 | CAT II (Med): 19 | CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-239864 | High | The Cisco ASA must be configured to implement scanning threat detection.
V-239852 | High | The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.
V-239867 | Medium | The Cisco ASA perimeter firewall must be configured to block all outbound management traffic.
V-239866 | Medium | The Cisco ASA must be configured to filter outbound traffic on all internal interfaces.
V-239865 | Medium | The Cisco ASA must be configured to filter inbound traffic on all external interfaces.
V-239863 | Medium | The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost.
V-239862 | Medium | The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis.
V-239861 | Medium | The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
V-239860 | Medium | The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
V-239872 | Medium | The Cisco ASA must be configured to generate an alert that can be forwarded to organization-defined personnel and/or the firewall administrator when denial-of-service (DoS) incidents are detected.
V-239869 | Medium | The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.
V-239868 | Medium | The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel.
V-239858 | Medium | The Cisco ASA must be configured to use TCP when sending log records to the central audit server.
V-239859 | Medium | The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
V-239853 | Medium | The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
V-239870 | Medium | The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
V-239855 | Medium | The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred.
V-239856 | Medium | The Cisco ASA must be configured to generate traffic log entries containing information to establish when (date and time) the events occurred.
V-239857 | Medium | The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.
V-239854 | Medium | The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules.
V-239871 | Medium | The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).