Finding ID | Severity | Title | Description |
--- | --- | --- | --- |
V-4582 | High | The network device must require authentication for console access. | Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to... |
V-3056 | High | Group accounts must not be configured for use on the network device. | Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves... |
V-3012 | High | The network element must be password protected. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization’s security policy. Access to the network must be categorized as administrator, user,... |
V-3143 | High | The network element must not have any default manufacturer passwords. | Network elements not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of... |
V-3210 | High | The network element must not use the default or well-known SNMP community strings public and private. | Network elements may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read-only and private for read and write authorization. ... |
V-3175 | High | The network device must require authentication prior to establishing a management connection for administrative access. | Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling... |
V-3196 | High | The network element must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. | SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain... |
V-3069 | Medium | Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. | Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network... |
V-14671 | Medium | The network element must authenticate all NTP messages received from NTP servers and peers. | Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
V-14717 | Medium | The network element must not allow SSH Version 1 to be used for administrative access. | SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now... |
V-19246 | Medium | The Network IDPS administrator will ensure the IDPS is protecting the enclave from malware and unexpected traffic by using TCP Reset signatures. | By listening to the conversation flow of inbound and outbound internet traffic for malware and malware references, the IDPS can prevent unwanted programs entering into the enclave. When it... |
V-18512 | Medium | The Network IDPS administrator will tune the sensor to alarm if unexpected protocols for network management enter the subnet. | The management network must detect all attacks on the management hosts. The management network has a wide range of traffic that is permitted. Some of the following traffic is allowed on... |
V-3057 | Medium | Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. | By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those... |
V-18513 | Medium | The Network IDPS administrator will ensure IP hijacking signatures have been implemented with the common default signatures. | There are a number of publicly available tools that exist to facilitate the hijacking of TCP sessions. An attacker using such tools can determine the TCP sequence and acknowledgement numbers that... |
V-3160 | Medium | The network element must be running a current and supported operating system with all IAVMs addressed. | Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps... |
V-3013 | Medium | The network element must display the DoD approved login banner warning in accordance with the CYBERCOM DTM-08-060 document. | All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide... |
V-18632 | Medium | The IAO/NSO will ensure if DHCPv6 is not being used in the enclave it will be disabled. | Currently, many vendors are not prepared for DHCPv6 stateful autoconfiguration, thus there are very few implementations of it. DHCPv6 is a completely separate protocol from DHCPv4. In IPv6... |
V-3014 | Medium | The network element must timeout management connections for administrative access after 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network... |
V-28784 | Medium | A service or feature that calls home to the vendor must be disabled. | Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that... |
V-5611 | Medium | The network element must only allow management connections for administrative access from hosts residing in the management network. | Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment, could acquire the device account and password information. With this intercepted... |
V-3967 | Medium | The network element must time out access to the console port after 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
V-19233 | Medium | The IDPS device positioned to protect servers in the server farm or DMZs must provide protection from DoS SYN Flood attacks by dropping half open TCP sessions. | SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by... |
V-17821 | Medium | The network element’s OOBM interface must be configured with an OOBM network address. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM... |
V-5646 | Medium | The network device must drop half-open TCP connections through filtering thresholds or timeout periods. | A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance... |
V-18489 | Medium | The Network IDPS administrator will ensure all Network IDPS systems are installed and operational in stealth mode (no IP address on the interface with data flow). | Administrators should ensure that for both passive and inline sensors, IP addresses are not assigned to the network interfaces used to monitor network traffic. Only network interfaces used for... |
V-19250 | Medium | The IDPS administrator will ensure LAND DoS signature has been implemented to protect the enclave. | The LAND attack is a denial-of-service (DoS) attack in which an attacker sends a TCP packet (with the SYN bit set) to a system in which the source and destination IP address (along with the source... |
V-18484 | Medium | IDPS consoles, management and database servers must reside on the management network. | Sensors and agents monitor and analyze activity. The term sensor is typically used for IDPSs that monitor networks, including network-based, wireless, and network behavior analysis technologies.... |
V-19256 | Medium | The IDPS Administrator will ensure Atomic Signatures are implemented to protect the enclave. | Without an industry agreed-upon set of definitions for IDPS controls, the use of the term signature will apply to all IDPS technologies. Signatures are defined as identifying something, defining... |
V-3176 | Medium | The IAO/NSO will ensure the IDS or firewall is configured to alert the administrator of a potential attack or system failure. | The IDS or firewall is the first device under the site's control that has the possibility to alarm the local staff of an ongoing attack. An alert from either of these devices can be the... |
V-5613 | Medium | The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface. | An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens... |
V-5612 | Medium | The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions. | An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and... |
V-18508 | Medium | The Network administrator will implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers. | In the Regional Enterprise Enclave different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for... |
V-18509 | Medium | The Network administrator will implement signatures that detect both specific attacks on public service servers and traffic types (protocols) that should not be seen on the segments containing ftp servers. | In the Regional Enterprise Enclave different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for... |
V-3058 | Medium | Unauthorized accounts must not be configured for access to the network device. | A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that... |
V-18502 | Medium | The Network IDPS administrator will review whitelists and blacklists regularly and validate all entries to ensure that they are still accurate and necessary. | A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously... |
V-3179 | Medium | The IAO/NSO will ensure the sensor’s monitoring application or mechanism retrieves events from the sensor before the queue becomes full. | Events on the sensor are typically stored on a large input queue. The queue in the sensor is typically very large and can hold several days of logging events under normal conditions. Nevertheless,... |
V-18501 | Medium | The IAO/NSO will ensure notifications are sent to the syslog server or central controller when threshold limits exceed the sensor’s capacity. | Scaling IDPS sensors to avoid missed packets as a result of CPU and memory thresholds when link mbps is greater than what the engine can inspect should be an initial consideration prior to... |
V-23747 | Low | The network element must use two or more NTP servers to synchronize time. | Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches,... |
V-7011 | Low | The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. ... |
V-14646 | Low | Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity. | Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of... |
V-3070 | Low | The network element must log all attempts to establish a management connection for administrative access. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders... |