V-92263 | High | The SEL-2740S must uniquely identify all network-connected endpoint devices before establishing any connection. | Controlling LAN access via identification of connecting hosts can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the... |
V-92279 | Medium | The SEL-2740S must be configured to capture all packets without flow rule match criteria. | The OTSDN switch must be capable of capturing frames that are not engineered to be in the network and send them to a Security Information and Event Manager (SIEM) or midpoint sensor for analysis. |
V-92283 | Medium | The SEL-2740S must be configured to forward only frames from allowed network-connected endpoint devices. | Allowing frames to be forwarded only from known endpoints mitigates risks associated with broadcast, unknown unicast, and multicast traffic storms. |
V-92281 | Medium | The SEL-2740S must be configured with backup flows for all host and switch flows to ensure a proper failover scheme is in place for the network. | The SEL-2740S must be capable of multiple fast failover, backup, and, in some cases, isolation of the traffic from a detected threat in the system. |
V-94587 | Medium | The SEL-2740S must authenticate all network-connected endpoint devices before establishing any connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures),... |
V-92277 | Medium | The SEL-2740S must be configured to mitigate the risk of ARP cache poisoning attacks. | The SEL-2740S must deter ARP cache poisoning attacks and configure only the specific ARP flows that are necessary to the control system network. |
V-92319 | Medium | The SEL-2740S must be configured to capture flows for real-time visualization tools. | Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel... |
V-92325 | Medium | The SEL-2740S must be configured with ARP flow rules that are statically created with valid IP-to-MAC address bindings. | DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding... |
V-92313 | Medium | The SEL-2740S must be configured to permit the allowed and necessary ports, functions, protocols, and services. | A compromised switch introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of... |
V-92315 | Medium | The SEL-2740S must be configured to limit excess bandwidth and denial of service (DoS) attacks. | Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a... |
V-92321 | Medium | The SEL-2740S must be configured to prevent packet flooding and bandwidth saturation. | Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an... |
V-92317 | Medium | The SEL-2740S must be configured to packet capture flows. | Without the capability to select a user session to capture/record or view/hear, investigations into suspicious or harmful events would be hampered by the volume of information captured. The volume... |
V-92323 | Medium | SEL-2740S flow rules must include the host IP addresses that are bound to designated SEL-2740S ports for ensuring trusted host access. | IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature... |