Layer 2 Switch Security Technical Implementation Guide

Findings (MAC II - Mission Support Public)

| Finding ID | Severity | Title |
|---|---|---|
| V-4582 | High | The network device must require authentication for console access. |
| V-5626 | High | The switch must be configured to use 802.1x authentication on host facing access switch ports. |
| V-3056 | High | Group accounts must not be configured for use on the network device. |
| V-15434 | High | The network element’s emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. |
| V-3012 | High | The network element must be password protected. |
| V-3143 | High | The network element must not have any default manufacturer passwords. |
| V-3062 | High | The network element must be configured to ensure passwords are not viewable when displaying configuration information. |
| V-3210 | High | The network element must not use the default or well-known SNMP community strings public and private. |
| V-3175 | High | The network device must require authentication prior to establishing a management connection for administrative access. |
| V-3196 | High | The network element must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. |
| V-3085 | Medium | The network element must have HTTP service for administrative access disabled. |
| V-3069 | Medium | Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. |
| V-14671 | Medium | The network element must authenticate all NTP messages received from NTP servers and peers. |
| V-3043 | Medium | The network element must use different SNMP community names or groups for various levels of read and write access. |
| V-14717 | Medium | The network element must not allow SSH Version 1 to be used for administrative access. |
| V-3971 | Medium | The IAO/NSO will ensure VLAN1 is not used for user VLANs. |
| V-17832 | Medium | The management VLAN is not configured with an IP address from the management network address block. |
| V-5613 | Medium | The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface. |
| V-3057 | Medium | Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. |
| V-3160 | Medium | The network element must be running a current and supported operating system with all IAVMs addressed. |
| V-15432 | Medium | The network element must use two or more authentication servers for the purpose of granting administrative access. |
| V-3013 | Medium | The network element must display the DoD approved login banner warning in accordance with the CYBERCOM DTM-08-060 document. |
| V-5646 | Medium | The network device must drop half-open TCP connections through filtering thresholds or timeout periods. |
| V-3058 | Medium | Unauthorized accounts must not be configured for access to the network device. |
| V-14669 | Medium | The network element must have BSDr commands disabled. |
| V-28784 | Medium | A service or feature that calls home to the vendor must be disabled. |
| V-5611 | Medium | The network element must only allow management connections for administrative access from hosts residing in the management network. |
| V-5628 | Medium | The IAO/NSO will ensure VLAN1 is not used for in-band management traffic. A dedicated management VLAN or VLANs will be defined to keep management traffic separate from user data and control plane traffic. |
| V-3969 | Medium | The network device must only allow SNMP read-only access. |
| V-5624 | Medium | The IAO/NSO will ensure if 802.1x Port Authentication is implemented, re-authentication must occur every 60 minutes. |
| V-5622 | Medium | The IAO/NSO will ensure that the native VLAN is assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links. |
| V-3966 | Medium | In the event the authentication server is down or unavailable, there must only be one local account created for emergency use. |
| V-17824 | Medium | The management interface is an access switchport and has not been assigned to a separate management VLAN. |
| V-17826 | Medium | The access switchport connecting to the OOBM access switch is not the only port with membership to the management VLAN. |
| V-17820 | Medium | The OOBM access switch is not physically connected to the managed network element OOBM interface. |
| V-17821 | Medium | The network element’s OOBM interface must be configured with an OOBM network address. |
| V-18566 | Medium | The switch must only allow a maximum of one registered MAC address per access port. |
| V-5623 | Medium | The IAO/NSO will ensure trunking is disabled on all access ports (do not configure trunk on, desirable, non-negotiate, or auto; only off). |
| V-3984 | Medium | The IAO/NSO will ensure access switchports are not assigned to the native VLAN. |
| V-3021 | Medium | The network element must only allow SNMP access from addresses belonging to the management network. |
| V-3967 | Medium | The network element must time out access to the console port after 10 minutes or less of inactivity. |
| V-5612 | Medium | The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions. |
| V-3014 | Medium | The network element must timeout management connections for administrative access after 10 minutes or less of inactivity. |
| V-3972 | Low | The IAO/NSO will ensure VLAN1 is pruned from all trunk and access ports that do not require it. |
| V-3973 | Low | The IAO/NSO will ensure disabled ports are placed in an unused VLAN (do not use VLAN1). |
| V-4584 | Low | The network element must log all messages except debugging and send all log data to a syslog server. |
| V-23747 | Low | The network element must use two or more NTP servers to synchronize time. |
| V-3079 | Low | The network element must have the Finger service disabled. |
| V-17825 | Low | An address has not been configured for the management VLAN from space belonging to the OOBM network assigned to that site. |
| V-17827 | Low | The management VLAN is not pruned from any VLAN trunk links belonging to the managed network’s infrastructure. |
| V-3072 | Low | The network element’s running configuration must be synchronized with the startup configuration after changes have been made and implemented. |
| V-18544 | Low | Printers must be assigned to a VLAN that is not shared by unlike devices. |
| V-3020 | Low | The network element must have DNS servers defined if it is configured as a client resolver. |
| V-7011 | Low | The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. |
| V-3070 | Low | The network element must log all attempts to establish a management connection for administrative access. |