V-3196 | High | The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. | SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain... |
V-4582 | High | The network device must require authentication for console access. | Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to... |
V-3056 | High | Group accounts must not be configured for use on the network device. | Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves... |
V-15434 | High | The emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. | The emergency account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency... |
V-3051 | High | The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual userids and passwords. | If unauthorized users gain access to the NMS they could change device configurations and SNMP variables that can cause disruptions and even denial of service conditions. |
V-3012 | High | Network devices must be password protected. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
V-3143 | High | Network devices must not have any default manufacturer passwords. | Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of... |
V-3210 | High | The network device must not use the default or well-known SNMP community strings public and private. | Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An... |
V-3175 | High | The network device must require authentication prior to establishing a management connection for administrative access. | Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling... |
V-17854 | Medium | The SNMP manager is not compliant with the OS STIG | The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the... |
V-17856 | Medium | The SNMP manager is not connected to only the management network. | The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the... |
V-3069 | Medium | Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. | Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network... |
V-14671 | Medium | Network devices must authenticate all NTP messages received from NTP servers and peers. | Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
V-14717 | Medium | The network device must not allow SSH Version 1 to be used for administrative access. | SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now... |
V-23749 | Medium | The IAO will ensure the syslog server is only connected to the management network. | A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation,... |
V-18555 | Medium | The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources. | When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is mis-configured, logical separation of the production VLAN may not be assured. Non-trusted... |
V-3057 | Medium | Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. | By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those... |
V-3184 | Medium | The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs. | Without a formal personnel approval process, unauthorized users may gain access to critical DoD systems. It is imperative that only the required access to the required systems and information be... |
V-5611 | Medium | The network devices must only allow management connections for administrative access from hosts residing in the management network. | Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted... |
V-4613 | Medium | All in-band sessions to the NMS must be secured using FIPS 140-2 approved encryption and hashing algorithms. | Without the use of FIPS 140-2 encryption to in-band management connections, unauthorized users may gain access to the NMS enabling them to change device configurations and SNMP variables that can... |
V-18558 | Medium | The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access. | Devices having an IP address that do not pass authentication can be used to attack compliant devices if they share VLANs. When devices proceed into the NAC AAA (RADIUS) functions they must... |
V-3013 | Medium | Network devices must display the DoD-approved logon banner warning. | All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear... |
V-5646 | Medium | The network device must drop half-open TCP connections through filtering thresholds or timeout periods. | A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance... |
V-25883 | Medium | The NTP server is connected to a network other than the management network. | NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time... |
V-3058 | Medium | Unauthorized accounts must not be configured for access to the network device. | A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that... |
V-17843 | Medium | The AAA server is not compliant with respective OS STIG. | Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network... |
V-17840 | Medium | The communications server is not configured to use PPP encapsulation and PPP authentication CHAP for the async or AUX port used for dial in. | A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s... |
V-28784 | Medium | A service or feature that calls home to the vendor must be disabled. | Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that... |
V-15433 | Medium | The IAO/NSO will ensure the AAA authentication method implements user authentication. | Group accounts are not permitted. |
V-17845 | Medium | An HIDS has not been implemented on the AAA server | Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network... |
V-3967 | Medium | The network devices must time out access to the console port at 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
V-3966 | Medium | In the event the authentication server is down or unavailable, there must only be one local account of last resort created for emergency use. | Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when... |
V-23750 | Medium | The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG. | A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation,... |
V-17821 | Medium | The network devices OOBM interface must be configured with an OOBM network address. | The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM... |
V-17822 | Medium | The network devices management interface must be configured with both an ingress and egress ACL. | The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the... |
V-5644 | Medium | The TFTP server used to store network element configurations and images must be only connected to the management network. | TFTP that contains network element configurations and images must only be connected to the management network to enforce restricted and limited access. |
V-7542 | Medium | The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP. | EAP methods/types are continually being proposed, however, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD because of its... |
V-3160 | Medium | Network devices must be running a current and supported operating system with all IAVMs addressed. | Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps... |
V-3982 | Medium | L2TP must not pass into the private network of an enclave. | Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer... |
V-3008 | Medium | The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network. | Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premise of the managed networks and at the NOC. Dedicated links can be deployed using provisioned... |
V-5613 | Medium | The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface. | An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens... |
V-5612 | Medium | The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions. | An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and... |
V-25896 | Medium | The IAO will ensure the authentication server is connected to the management network. | Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network... |
V-3014 | Medium | The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network... |
V-17855 | Low | An HIDS has not been implemented on the SNMP manager | The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the... |
V-17857 | Low | SNMP messages are stored for a minimum of 30 days and then archived. | The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the... |
V-17850 | Low | Two independent sources of time reference are not being utilized. | NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time... |
V-3046 | Low | The IAO/NSO will ensure that security alarms are set up within the managed network's framework. At a minimum, these will include the following:
- Integrity Violation: Indicates that network contents or objects have been illegally modified, deleted, or added.
- Operational Violation: Indicates that a desired object or service could not be used.
- Physical Violation: Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization.
- Security Mechanism Violation: Indicates that the network's security system has been compromised or breached.
- Time Domain Violation: Indicates that an event has happened outside its allowed or typical time slot.
| Without the proper categories of security alarms being defined on the NMS, responding to critical outages or attacks on the network may not be coordinated correctly with the right personnel,... |
V-3047 | Low | The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines:
- Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely.
- A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely.
- A minor alarm indicates a problem that does not yet affect service, but may do so if the problem is not corrected.
- A warning alarm is used to signal a potential problem that may affect service.
- An indeterminate alarm is one that requires human intervention to decide its severity.
| Without the proper categories of severity levels being defined on the NMS, outages or attacks may not be responded to by order of criticality. If a critical attack or outage is not responded to... |
V-17841 | Low | The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication. | A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s... |
V-23747 | Low | Network devices must use at least two NTP servers to synchronize time. | Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches,... |
V-3031 | Low | The syslog administrator will configure the syslog server to collect syslog messages from levels 0 through 6. | Logging is a critical part of router security. Maintaining an audit trail of system activity can help identify configuration errors, understand past intrusions, troubleshoot service disruptions,... |
V-14646 | Low | Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity. | Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of... |
V-3050 | Low | The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station.
NOTE: Include time logged in and out, devices that were accessed and modified, and other activities performed.
| Logging is a critical part of network security. Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service... |
V-17842 | Low | The communications server is not configured to accept a callback request or in a secured mode so that it will not call back an unauthorized user. | A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s... |
V-17844 | Low | The AAA server is not configured with a unique key to be used for communication (i.e. RADIUS, TACACS+) with any client requesting authentication services. | Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network... |
V-17848 | Low | The NTP server is not compliant with the OS STIG | NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time... |
V-17849 | Low | An HIDS has not been implemented on the NTP server. | NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time... |
V-17852 | Low | The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server. | NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time... |
V-7011 | Low | The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. ... |
V-25894 | Low | The IAO will ensure all AAA authentication services are configured to use two-factor authentication. | AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually... |
V-25895 | Low | The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access. | The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices from unauthorized access. Protecting access to the user interfaces on... |
V-3070 | Low | Network devices must log all attempts to establish a management connection for administrative access. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders... |