Network Devices Security Technical Implementation Guide



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-3196 High The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-4582 High The network device must require authentication for console access.
V-3056 High Group accounts must not be configured for use on the network device.
V-15434 High The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
V-3051 High The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual user IDs and passwords.
V-3012 High Network devices must be password protected.
V-3143 High Network devices must not have any default manufacturer passwords.
V-3210 High The network device must not use the default or well-known SNMP community strings public and private.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-17854 Medium The SNMP manager is not compliant with the OS STIG.
V-17856 Medium The SNMP manager is not connected to only the management network.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-14671 Medium Network devices must authenticate all NTP messages received from NTP servers and peers.
V-14717 Medium The network device must not allow SSH Version 1 to be used for administrative access.
V-23749 Medium The IAO will ensure the syslog server is only connected to the management network.
V-18555 Medium The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-3184 Medium The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs.
V-5611 Medium The network devices must only allow management connections for administrative access from hosts residing in the management network.
V-4613 Medium All in-band sessions to the NMS must be secured using FIPS 140-2 approved encryption and hashing algorithms.
V-18558 Medium The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access.
V-3013 Medium Network devices must display the DoD-approved logon banner warning.
V-5646 Medium The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
V-25883 Medium The NTP server is connected to a network other than the management network.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-17843 Medium The AAA server is not compliant with respective OS STIG.
V-17840 Medium The communications server is not configured to use PPP encapsulation and PPP authentication EAP for the async or AUX port used for dial in.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-15433 Medium The IAO/NSO will ensure the AAA authentication method implements user authentication.
V-17845 Medium An HIDS has not been implemented on the AAA server.
V-3967 Medium The network devices must time out access to the console port at 10 minutes or less of inactivity.
V-3966 Medium In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
V-23750 Medium The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG.
V-17821 Medium The network device's OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network device's management interface must be configured with both an ingress and egress ACL.
V-5644 Medium The TFTP server used to store network element configurations and images must be only connected to the management network.
V-7542 Medium The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.
V-3160 Medium Network devices must be running a current and supported operating system with all IAVMs addressed.
V-3982 Medium L2TP must not pass into the private network of an enclave.
V-3008 Medium The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.
V-5613 Medium The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
V-5612 Medium The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-25896 Medium The IAO will ensure the authentication server is connected to the management network.
V-3014 Medium The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-17855 Low An HIDS has not been implemented on the SNMP manager.
V-17857 Low SNMP messages are stored for a minimum of 30 days and then archived.
V-17850 Low Two independent sources of time reference are not being utilized.
V-3046 Low The IAO/NSO will ensure that security alarms are set up within the managed network's framework. At a minimum, these will include the following:
- Integrity Violation: Indicates that network contents or objects have been illegally modified, deleted, or added.
- Operational Violation: Indicates that a desired object or service could not be used.
- Physical Violation: Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization.
- Security Mechanism Violation: Indicates that the network's security system has been compromised or breached.
- Time Domain Violation: Indicates that an event has happened outside its allowed or typical time slot.
V-3047 Low The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines:
- Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely.
- A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely.
- A minor alarm indicates a problem that does not yet affect service, but may do so if the problem is not corrected.
- A warning alarm is used to signal a potential problem that may affect service.
- An indeterminate alarm is one that requires human intervention to decide its severity.
V-17841 Low The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication.
V-23747 Low Network devices must use at least two NTP servers to synchronize time.
V-3031 Low The syslog administrator will configure the syslog server to collect syslog messages from levels 0 through 6.
V-14646 Low Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.
V-3050 Low The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station. NOTE: Include time logged in and out, devices that were accessed and modified, and other activities performed.
V-17842 Low The communications server is not configured to accept a callback request, or is not in a secured mode, so that it will not call back an unauthorized user.
V-17844 Low The AAA server is not configured with a unique key to be used for communication (e.g., RADIUS, TACACS+) with any client requesting authentication services.
V-17848 Low The NTP server is not compliant with the OS STIG.
V-17849 Low An HIDS has not been implemented on the NTP server.
V-17852 Low The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server.
V-7011 Low The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-25894 Low The IAO will ensure all AAA authentication services are configured to use two-factor authentication.
V-25895 Low The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.
V-3070 Low Network devices must log all attempts to establish a management connection for administrative access.
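Most of the High and Medium findings above can be checked offline from a device's running configuration. The following audit script is an added example, not part of this STIG or of any vendor tool: it assumes Cisco IOS command syntax, a constructed sample configuration, and the IOS defaults for commands that are absent (120-second SSH negotiation timeout, 3 authentication retries, 10-minute exec-timeout), and it reports V-3196, V-3210, V-14717, V-5612, V-5613, V-4582, V-3967, V-3014, V-23747 and V-14671. The finding IDs and thresholds are the ones listed on this page; the parser and check logic are the example's own.

```python
"""Offline audit of an IOS-style running-config against a subset of the findings above.
Added example, not part of the STIG or of any vendor tool: Cisco IOS syntax is assumed,
the sample config is constructed, and the IOS defaults assumed for absent commands are
marked inline."""
import re

# Constructed sample of a half-hardened router, so that some checks pass and some fail.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server group NMS-GRP v3 priv
snmp-server user nms-poller NMS-GRP v3 auth md5 AuthPass1 priv aes 128 PrivPass1
ip ssh version 1
ip ssh time-out 120
ip ssh authentication-retries 5
ntp server 10.10.0.5
ntp server 10.10.0.6 key 1
line con 0
 exec-timeout 30 0
 login authentication CONSOLE
line vty 0 4
 exec-timeout 10 0
 login authentication VTY
 transport input ssh
"""

def parse_config(text):
    """Return (top-level commands, {block header: [sub-commands]}).
    IOS indents line/interface sub-commands by one space."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith(("line ", "interface ")) else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks

def _int_after(top, prefix, default):
    """First integer following a top-level command, or the assumed IOS default."""
    for line in top:
        if line.startswith(prefix):
            return int(line[len(prefix):].split()[0])
    return default

def _exec_timeout(children):
    """Idle timeout in seconds; 'exec-timeout 0 0' disables it. Assumed default: 10 min."""
    for cmd in children:
        if cmd.startswith("exec-timeout "):
            parts = cmd.split() + ["0"]
            total = int(parts[1]) * 60 + int(parts[2])
            return float("inf") if total == 0 else total
    return 600

def audit(text):
    """Return [(finding_id, detail)] for every check that fails."""
    top, blocks = parse_config(text)
    hits = []
    for line in top:
        # V-3196: any SNMPv1/v2c community fails; V-3210: public/private fails outright.
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            hits.append(("V-3196", f"SNMPv1/v2c community '{m.group(1)}' configured"))
            if m.group(1).lower() in ("public", "private"):
                hits.append(("V-3210", f"well-known community string '{m.group(1)}'"))
        # V-3196: SNMPv3 users must use SHA authentication and AES privacy.
        m = re.match(r"snmp-server user (\S+) \S+ v3(.*)", line)
        if m and (" auth sha" not in m.group(2) or " priv aes" not in m.group(2)):
            hits.append(("V-3196", f"SNMPv3 user '{m.group(1)}' lacks SHA auth + AES priv"))
    # V-14717 / V-5612 / V-5613: SSH protocol version, negotiation timeout, retry limit.
    if "ip ssh version 2" not in top:
        hits.append(("V-14717", "ip ssh version 2 not set, so SSHv1 can be negotiated"))
    if _int_after(top, "ip ssh time-out ", 120) > 60:             # assumed default 120 s
        hits.append(("V-5612", "ip ssh time-out exceeds 60 seconds"))
    if _int_after(top, "ip ssh authentication-retries ", 3) > 3:   # assumed default 3
        hits.append(("V-5613", "ip ssh authentication-retries exceeds 3"))
    # V-4582 / V-3967 / V-3014: console must authenticate; console and vty idle out <= 10 min.
    for header, children in blocks.items():
        if header.startswith("line con"):
            if not any(c == "login" or c.startswith("login ") for c in children):
                hits.append(("V-4582", f"{header} has no login method"))
            if _exec_timeout(children) > 600:
                hits.append(("V-3967", f"{header} exec-timeout exceeds 10 minutes"))
        elif header.startswith("line vty") and _exec_timeout(children) > 600:
            hits.append(("V-3014", f"{header} exec-timeout exceeds 10 minutes"))
    # V-23747 / V-14671: at least two NTP servers, and a key on every one of them.
    servers = [l for l in top if l.startswith("ntp server ")]
    if len(servers) < 2:
        hits.append(("V-23747", f"only {len(servers)} NTP server(s) configured"))
    if "ntp authenticate" not in top:
        hits.append(("V-14671", "ntp authenticate not enabled"))
    hits += [("V-14671", f"'{s}' has no key") for s in servers if not re.search(r"\bkey \d+", s)]
    return hits

if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE_CONFIG):
        print(finding_id, detail)
```

Against the sample the script reports the public community string twice (once as V-3210 and once as an SNMPv1/v2c community under V-3196), the MD5-authenticated SNMPv3 user, SSHv1, the oversized SSH timeout and retry count, the 30-minute console timeout and the unauthenticated first NTP server; the vty timeout, console login and two-server NTP checks pass. A real audit would run this over the output of `show running-config` for every device and feed the tuples into whatever tracker holds the finding status.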
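V-14671 and V-17852 require every NTP message from a server or peer to be authenticated, with a symmetric key unique to each server. The exchange below is an added example, not part of the STIG: it implements the RFC 5905 symmetric-key scheme, in which the MAC appended to the 48-byte header is a 32-bit key ID followed by MD5 over the key concatenated with the header (the scheme an IOS `ntp authentication-key N md5` key and ntpd's MD5 keys interoperate on), and shows why the client must bind each server to its own key. Keys, addresses and timestamps are constructed. MD5 is what RFC 5905 specifies for this MAC and is not a FIPS 140-2 approved algorithm; the structure is the same with a SHA-1 digest apart from the MAC length.

```python
"""NTP symmetric-key message authentication as required by V-14671 and V-17852.
Added example, not from the STIG: implements the RFC 5905 scheme (MAC = 32-bit key ID
followed by MD5 over key || 48-byte header) with constructed keys and addresses."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
MAC_LEN = 4 + 16               # key ID + MD5 digest


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit binary fraction."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def build_header(mode, stratum, transmit_unix):
    """48-byte NTPv4 header (LI=0, VN=4); mode 3 = client, 4 = server. Only the
    transmit timestamp is filled in; reference ID 'LOCL' and zeros elsewhere."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 6, -20, 0, 0,
                       0x4C4F434C, 0, 0, 0, ntp_timestamp(transmit_unix))


def sign(header, key_id, key):
    """Append the MAC. RFC 5905 keyed MD5 is MD5(key || packet), not HMAC."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, trusted_keys):
    """trusted_keys maps key ID -> key for ONE server (the 'ntp server X key N'
    binding). Unauthenticated, unknown-key and tampered packets are all rejected."""
    if len(packet) != 48 + MAC_LEN:
        return False, "no MAC present or unexpected length"
    header, mac = packet[:48], packet[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"untrusted key id {key_id}"
    if not hmac.compare_digest(hashlib.md5(key + header).digest(), mac[4:]):
        return False, "digest mismatch"
    return True, "authenticated"


def demo():
    """Constructed exchange: two servers with distinct keys (V-17852), a client that
    binds each server to its own key, and three replies that must be rejected."""
    key_a, key_b = b"NtpKeyForServerA", b"NtpKeyForServerB"      # constructed
    trusted = {"10.10.0.5": {1: key_a}, "10.10.0.6": {2: key_b}}  # constructed
    reply_a = sign(build_header(4, 2, 1700000000.25), 1, key_a)
    reply_b = sign(build_header(4, 2, 1700000000.25), 2, key_b)
    tampered = reply_a[:40] + b"\x00" * 8 + reply_a[48:]   # transmit timestamp rewritten
    stripped = reply_a[:48]                                  # MAC removed
    return {
        "a_ok": verify(reply_a, trusted["10.10.0.5"]),
        "b_ok": verify(reply_b, trusted["10.10.0.6"]),
        "a_key_on_b": verify(reply_a, trusted["10.10.0.6"]),  # key 1 is not B's key
        "tampered": verify(tampered, trusted["10.10.0.5"]),
        "stripped": verify(stripped, trusted["10.10.0.5"]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12} {'PASS' if ok else 'FAIL'}: {reason}")
```

The `a_key_on_b` case is the one V-17852 is about: if both servers were provisioned with the same key, a reply forged or replayed from one would authenticate as the other, so a per-server key set on the client (one `ntp server X key N` binding each, and `ntp trusted-key` limited to those IDs) is what turns a shared-secret MAC into a per-peer check. The `stripped` case shows that `ntp authenticate` must also reject packets that simply omit the MAC.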