V-4582 | High | The IAO will ensure that all OOB management connections to the device require authentication. | Devices protected with weak password schemes or no password at all, provide the opportunity for anyone to crack the password or gain access to the device and cause network, device, or information... |
V-3056 | High | The IAO/NSO will ensure each user accessing the device locally have their own account with username and password. | Without passwords on user accounts, one level of complexity is removed from gaining access to the network device. If a default userid has not been changed or is guessed by an attacker, the... |
V-3143 | High | The IAO/NSO will ensure all default manufacturer passwords are changed. | Devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network, device, or information damage, or... |
V-3210 | High | The IAO/NSO will ensure that all SNMP community strings are changed from the default values. | Community strings default to the name PUBLIC. This is known by those wishing to exert an attack against the devices in the network. This must be changed to something that is in compliance with... |
V-3175 | High | The IAO will ensure that all in-band management connections to the device require authentication. | Devices protected with weak password schemes or no password at all, provide the opportunity for anyone to crack the password or gain access to the device and cause network, device, or information... |
V-3069 | Medium | The system administrator will ensure in-band management access to the device is secured using FIPS 140-2 approved encryption or hash algorithms such as AES, 3DES, SSH, or TLS / SSL. | Remote administration using non-FIPS 140-2 compliant encryption is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device's account and... |
V-14671 | Medium | The IAO will ensure all NTP-enabled devices authenticate received NTP messages. | Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
V-14717 | Medium | The system administrator will ensure SSH version 2 is implemented. | SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to, e.g., man-in-the-middle attacks, it is now generally... |
V-30255 | Medium | The WLAN must be WPA2-Enterprise certified. | The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified,... |
V-30257 | Medium | WLAN EAP-TLS implementation must use CAC authentication to connect to DoD networks. | DoD CAC authentication is strong, two-factor authentication that relies on on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with DoD CAC could have... |
V-3057 | Medium | The IAO/NSO will ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties. | By not restricting administrators and operations personnel to their proper privilege levels, access to restricted functions may be allowed before they are trained or experienced enough to use... |
V-19900 | Medium | The WLAN implementation of EAP-TLS must be FIPS 140-2 validated. | Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance... |
V-3014 | Medium | The system administrator will ensure the timeout for administrative access is set for no longer than 10 minutes. | Setting the timeout of the session to ten minutes or less increases the level of protection afforded critical network components. |
V-14886 | Medium | Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter. | If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that... |
V-28784 | Medium | A service or feature that calls home to the vendor must be disabled.
| Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that... |
V-3967 | Medium | The system administrator will ensure the console port is configured to time out after 10 minutes or less of inactivity. | Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network devices. |
V-17821 | Medium | Managed NE OOBM interface is not configured with an OOBM network address. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM... |
V-17822 | Medium | The management interface is not configured with both an ingress and egress ACL. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the... |
V-14888 | Medium | The WLAN inactive session timeout must be set for 30 minutes or less. | A WLAN session that never terminates due to inactivity may allow an opening for an adversary to highjack the session to obtain access to the network. |
V-19894 | Medium | The WLAN implementation of AES-CCMP must be FIPS 140-2 validated. | Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance... |
V-3692 | Medium | WLAN must use EAP-TLS. | EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other... |
V-3515 | Medium | The WLAN must use AES-CCMP to protect data-in-transit. | AES-CCMP provides all required WLAN security services for data in transit. The other encryption protocol available for IEEE 802.11i compliant robust security networks and WPA2 certified solutions... |
V-5613 | Medium | The system administrator will ensure the maximum number of unsuccessful SSH login attempts is set to three, locking access to the network device. | Setting the authentication retry to 3 or less strengthens against a Brute Force attack. |
V-5612 | Medium | The system administrator will ensure SSH timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less. | Reducing the broken telnet session expiration time to 60 seconds or less strengthens the device from being attacked by use of an expired session. |
V-5611 | Medium | The system administrator will ensure that the device only allows in-band management sessions from authorized IP addresses from the internal network. | Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment, can acquire the device account and password information. With this intercepted... |
V-14004 | Low | WLAN equipment obtained through acquisition programs must be JITC interoperability certified. | Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without... |
V-23747 | Low | The IAO/NSO will ensure all managed network elements are configured to use two or more NTP servers to synchronize time. | Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If you cannot successfully compare logs between each of your routers, switches,... |
V-14846 | Low | WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc. | An SSID identifying the unit, site or purpose of the WLAN or is set to the manufacturer default may cause an OPSEC vulnerability. |
V-14844 | Low | The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P). | When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise the system could interfere with or be disrupted by host nation... |
V-7011 | Low | The system administrator will ensure that the device auxiliary port is disabled if a secured modem providing encryption and authentication is not connected. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. ... |
V-3070 | Low | The system administrator will configure the ACL that is bound to the inband interface to log permitted and denied access attempts. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders... |
V-14889 | Low | WLAN signals must not be intercepted outside areas authorized for WLAN access. | Vulnerability Discussion: Most commercially-available WLAN equipment is pre-configured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the... |
V-19895 | Low | The Information Assurance component of the WLAN system must be NIAP Common Criteria certified for basic or medium robustness for data in transit. | Common criteria certification provides a high level of assurance the manufacturer has properly implemented the product’s security functionality. Products that do not have a common criteria... |