|☐||SV-3008r1_rule||The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.|
|☐||SV-3012r4_rule||Network devices must be password protected.|
|☐||SV-3013r5_rule||Network devices must display the DoD-approved logon banner warning.|
|☐||SV-3014r4_rule||The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.|
|☐||SV-3031r1_rule||The syslog administrator will configure the syslog server to collect syslog messages from levels 0 through 6.|
|☐||SV-3046r1_rule||The IAO/NSO will ensure that security alarms are set up within the managed network's framework. At a minimum, these will include the following:
- Integrity Violation: Indicates that network contents or objects have been illegally modified, deleted, or added.
- Operational Violation: Indicates that a desired object or service could not be used.
- Physical Violation: Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization.
- Security Mechanism Violation: Indicates that the network's security system has been compromised or breached.
- Time Domain Violation: Indicates that an event has happened outside its allowed or typical time slot.|
|☐||SV-3047r1_rule||The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines:
- Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely.
- A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely.
- A minor alarm indicates a problem that does not yet affect service, but may do so if the problem is not corrected.
- A warning alarm is used to signal a potential problem that may affect service.
- An indeterminate alarm is one that requires human intervention to decide its severity.|
|☐||SV-3050r1_rule||The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station.
NOTE: Include time logged in and out, devices that were accessed and modified, and other activities performed.|
|☐||SV-3051r1_rule||The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual userids and passwords.|
|☐||SV-3056r7_rule||Group accounts must not be configured for use on the network device.|
|☐||SV-3057r6_rule||Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.|
|☐||SV-3058r5_rule||Unauthorized accounts must not be configured for access to the network device.|
|☐||SV-3069r5_rule||Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.|
|☐||SV-3070r4_rule||Network devices must log all attempts to establish a management connection for administrative access.|
|☐||SV-3143r4_rule||Network devices must not have any default manufacturer passwords.|
|☐||SV-3160r4_rule||Network devices must be running a current and supported operating system with all IAVMs addressed.|
|☐||SV-3175r5_rule||The network device must require authentication prior to establishing a management connection for administrative access.|
|☐||SV-3184r1_rule||The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs.|
|☐||SV-3196r4_rule||The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.|
|☐||SV-3210r4_rule||The network device must not use the default or well-known SNMP community strings public and private.|
|☐||SV-3966r6_rule||In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.|
|☐||SV-3967r4_rule||The network devices must time out access to the console port at 10 minutes or less of inactivity.|
|☐||SV-3982r3_rule||L2TP must not pass into the private network of an enclave.|
|☐||SV-4582r5_rule||The network device must require authentication for console access.|
|☐||SV-4613r2_rule||All in-band sessions to the NMS must be secured using FIPS 140-2 approved encryption and hashing algorithms.|
|☐||SV-5611r5_rule||The network devices must only allow management connections for administrative access from hosts residing in the management network.|
|☐||SV-5612r4_rule||The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.|
|☐||SV-5613r4_rule||The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.|
|☐||SV-5644r2_rule||The TFTP server used to store network element configurations and images must be only connected to the management network.|
|☐||SV-5646r5_rule||The network device must drop half-open TCP connections through filtering thresholds or timeout periods.|
|☐||SV-7365r4_rule||The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.|
|☐||SV-8011r1_rule||The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.|
|☐||SV-15272r3_rule||Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.|
|☐||SV-15327r6_rule||Network devices must authenticate all NTP messages received from NTP servers and peers.|
|☐||SV-15459r4_rule||The network device must not allow SSH Version 1 to be used for administrative access.|
|☐||SV-16260r1_rule||The IAO/NSO will ensure the AAA authentication method implements user authentication.|
|☐||SV-16261r5_rule||The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.|
|☐||SV-19075r4_rule||The network devices OOBM interface must be configured with an OOBM network address.|
|☐||SV-19076r4_rule||The network devices management interface must be configured with both an ingress and egress ACL.|
|☐||SV-19115r2_rule||The communications server is not configured to use PPP encapsulation and PPP authentication EAP for the async or AUX port used for dial in.|
|☐||SV-19116r1_rule||The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication.|
|☐||SV-19117r1_rule||The communications server is not configured to accept callback requests in a secured mode so that it will not call back an unauthorized user.|
|☐||SV-19118r1_rule||The AAA server is not compliant with respective OS STIG.|
|☐||SV-19119r1_rule||The AAA server is not configured with a unique key to be used for communication (i.e. RADIUS, TACACS+) with any client requesting authentication services.|
|☐||SV-19120r1_rule||An HIDS has not been implemented on the AAA server.|
|☐||SV-19123r1_rule||The NTP server is not compliant with the OS STIG.|
|☐||SV-19124r1_rule||An HIDS has not been implemented on the NTP server.|
|☐||SV-19125r1_rule||Two independent sources of time reference are not being utilized.|
|☐||SV-19127r1_rule||The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server.|
|☐||SV-19129r1_rule||The SNMP manager is not compliant with the OS STIG.|
|☐||SV-19130r1_rule||An HIDS has not been implemented on the SNMP manager.|
|☐||SV-19131r1_rule||The SNMP manager is not connected to only the management network.|
|☐||SV-19132r1_rule||SNMP messages are stored for a minimum of 30 days and then archived.|
|☐||SV-20099r1_rule||The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.|
|☐||SV-20102r1_rule||The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access.|
|☐||SV-28651r4_rule||Network devices must use at least two NTP servers to synchronize time.|
|☐||SV-28655r1_rule||The IAO will ensure the syslog server is only connected to the management network.|
|☐||SV-28656r1_rule||The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG.|
|☐||SV-32243r1_rule||The NTP server is connected to a network other than the management network.|
|☐||SV-32516r1_rule||The IAO will ensure all AAA authentication services are configured to use two-factor authentication.|
|☐||SV-32517r1_rule||The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.|
|☐||SV-32518r1_rule||The IAO will ensure the authentication server is connected to the management network.|
|☐||SV-36774r5_rule||A service or feature that calls home to the vendor must be disabled.|
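Several of the rules in this checklist are verifiable directly from a device's running configuration: the 10-minute console/vty idle timeout (SV-3014, SV-3967), SSHv2 only (SV-15459), the 60-second incomplete-session timeout (SV-5612), at most 3 SSH logon attempts (SV-5613), SNMPv3 only and no public/private community strings (SV-3196, SV-3210), authenticated NTP from at least two servers (SV-15327, SV-28651), management access only from management hosts (SV-5611), a disabled auxiliary port (SV-7365), and a logon banner (SV-3013). The script below is an added example, not part of the STIG or any DISA or vendor tool. It audits Cisco IOS-style configuration text for those rules and runs over two constructed configs, one weak and one hardened. Assumptions: IOS syntax and IOS defaults (exec-timeout 10 minutes, ip ssh time-out 120 seconds, ip ssh authentication-retries 3); the checker treats a missing exec-timeout as a finding because the audit wants the value explicit; the access list name MGMT-HOSTS is assumed to be defined elsewhere; the banner check only confirms a banner exists, since the DoD-approved wording must still be checked by eye.

```python
import re
from collections import namedtuple

# rule: STIG rule id(s) from the checklist above; detail: what was found
Finding = namedtuple("Finding", "rule detail")


def parse_ios(config):
    # Split IOS-style text into (top-level lines, {parent line: [indented children]}).
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def first_match(lines, pattern):
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)


def exec_timeout_seconds(lines):
    m = first_match(lines, r"exec-timeout (\d+)(?: (\d+))?$")
    return None if m is None else int(m.group(1)) * 60 + int(m.group(2) or 0)


def audit(config):
    # Return one Finding per checklist rule the config fails (empty list = compliant).
    top, blocks = parse_ios(config)
    f = []
    for name, lines in blocks.items():
        if name.startswith(("line con", "line vty")):
            # SV-3014 / SV-3967: idle sessions must drop within 10 minutes. IOS defaults to
            # 10 minutes, but the audit wants it explicit; "exec-timeout 0 0" disables it.
            secs = exec_timeout_seconds(lines)
            if secs is None or secs == 0 or secs > 600:
                f.append(Finding("SV-3014/SV-3967", f"{name}: exec-timeout missing, disabled or > 10 min"))
        if name.startswith("line vty") and not any(
                l.startswith("access-class ") and l.endswith(" in") for l in lines):
            f.append(Finding("SV-5611", f"{name}: no inbound access-class limiting management sources"))
        if name.startswith("line aux") and "no exec" not in lines:
            f.append(Finding("SV-7365", f"{name}: auxiliary port not disabled"))
    if "ip ssh version 2" not in top:
        f.append(Finding("SV-15459", "SSH not pinned to version 2"))
    m = first_match(top, r"ip ssh time-out (\d+)$")  # IOS default is 120 s, so absent fails
    if m is None or int(m.group(1)) > 60:
        f.append(Finding("SV-5612", "ip ssh time-out missing or > 60 s"))
    m = first_match(top, r"ip ssh authentication-retries (\d+)$")  # IOS default is 3, so absent passes
    if m is not None and int(m.group(1)) > 3:
        f.append(Finding("SV-5613", "ip ssh authentication-retries > 3"))
    communities = [l for l in top if l.startswith("snmp-server community ")]
    if communities:
        f.append(Finding("SV-3196", "SNMPv1/v2c community configured; only SNMPv3 is permitted"))
    f.extend(Finding("SV-3210", f"default community string: {c}")
             for c in communities if c.split()[2].lower() in ("public", "private"))
    servers = [l for l in top if l.startswith("ntp server ")]
    if len(servers) < 2:
        f.append(Finding("SV-28651", f"{len(servers)} NTP server(s) configured, need at least 2"))
    if "ntp authenticate" not in top:
        f.append(Finding("SV-15327", "ntp authenticate not enabled"))
    f.extend(Finding("SV-15327", f"{s}: no authentication key") for s in servers if " key " not in s)
    if not any(l.startswith(("banner motd", "banner login")) for l in top):
        f.append(Finding("SV-3013", "no logon banner (wording must still be checked by eye)"))
    return f


# Constructed sample configs for the example; not captured from a real device.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
ntp server 192.0.2.10
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 30 0
"""

HARDENED_CONFIG = """\
banner motd ^C
<DoD-approved banner text>
^C
ip ssh version 2
ip ssh time-out 60
snmp-server group MGMT v3 priv
ntp authenticate
ntp authentication-key 1 md5 NTPSECRET
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1
line con 0
 exec-timeout 10 0
line aux 0
 no exec
line vty 0 4
 exec-timeout 10 0
 access-class MGMT-HOSTS in
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run against `show running-config` output saved to a file; the weak sample produces thirteen findings across ten rules, the hardened sample none. The checker deliberately reports a rule once per offending line (each default community string, each unauthenticated NTP server) so findings map one-to-one onto the configuration lines to fix.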