STIGQter: STIG Summary: Layer 2 Switch Security Technical Implementation Guide - Cisco

Version: 8

Release: 27

Benchmark Date: 25 Jan 2019

SV-3012r4_rule: Network devices must be password protected.
SV-3013r5_rule: Network devices must display the DoD-approved logon banner warning.
SV-15453r2_rule: The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
SV-15330r2_rule: The network element must have DNS servers defined if it is configured as a client resolver.
SV-15332r2_rule: The network element must only allow SNMP access from addresses belonging to the management network.
SV-3043r4_rule: The network device must use different SNMP community names or groups for various levels of read and write access.
SV-3056r7_rule: Group accounts must not be configured for use on the network device.
SV-3057r6_rule: Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
SV-3058r5_rule: Unauthorized accounts must not be configured for access to the network device.
SV-41449r2_rule: The network element must be configured to ensure passwords are not viewable when displaying configuration information.
SV-15451r4_rule: Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
SV-15455r3_rule: The network element must log all attempts to establish a management connection for administrative access.
SV-3072r3_rule: The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
SV-3078r3_rule: Network devices must have TCP and UDP small servers disabled.
SV-15305r2_rule: The network element must have the Finger service disabled.
SV-41467r2_rule: The network element must have HTTP service for administrative access disabled.
SV-3143r4_rule: Network devices must not have any default manufacturer passwords.
SV-15302r2_rule: The network element must be running a current and supported operating system with all IAVMs addressed.
SV-15448r4_rule: The network devices must require authentication prior to establishing a management connection for administrative access.
SV-3196r4_rule: The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
SV-3210r4_rule: The network device must not use the default or well-known SNMP community strings public and private.
SV-15469r6_rule: In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
SV-15444r2_rule: The network element must time out access to the console port after 10 minutes or less of inactivity.
SV-30086r3_rule: The network device must only allow SNMP read-only access.
SV-3971r2_rule: VLAN 1 must not be used for user VLANs.
SV-3972r2_rule: VLAN 1 must be pruned from all trunk and access ports that do not require it.
SV-3973r2_rule: Disabled switch ports must be placed in an unused VLAN (do not use VLAN 1).
SV-3984r2_rule: Access switchports must not be assigned to the native VLAN.
SV-19270r4_rule: The network device must require authentication for console access.
SV-15476r2_rule: The network element must log all messages except debugging and send all log data to a syslog server.
SV-15449r3_rule: The network element must only allow management connections for administrative access from hosts residing in the management network.
SV-15457r2_rule: The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
SV-15458r2_rule: The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
SV-5614r3_rule: Network devices must have the PAD service disabled.
SV-5615r3_rule: Network devices must have TCP Keep-Alives enabled for TCP sessions.
SV-5622r2_rule: The native VLAN must be assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links.
SV-5623r2_rule: Port trunking must be disabled on all access ports (do not configure trunk on, desirable, non-negotiate, or auto; only off).
SV-42190r5_rule: The switch must be configured to use 802.1x authentication on host-facing access switch ports.
SV-5628r2_rule: A dedicated management VLAN or VLANs must be configured to keep management traffic separate from user data and control plane traffic.
SV-15446r2_rule: The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
SV-15314r2_rule: The administrator must ensure BSD r command services are disabled.
SV-15327r6_rule: Network devices must authenticate all NTP messages received from NTP servers and peers.
SV-15460r2_rule: The network element must not use SSH Version 1 for administrative access.
SV-16259r4_rule: Network devices must use two or more authentication servers for the purpose of granting administrative access.
SV-16261r5_rule: The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
SV-19074r1_rule: The OOBM access switch is not physically connected to the managed network element OOBM interface.
SV-25881r2_rule: Managed NE OOBM interface is not configured with an OOBM network address.
SV-19337r1_rule: The management interface is an access switchport and has not been assigned to a separate management VLAN.
SV-19338r1_rule: An address has not been configured for the management VLAN from space belonging to the OOBM network assigned to that site.
SV-19339r1_rule: The access switchport connecting to the OOBM access switch is not the only port with membership to the management VLAN.
SV-19340r1_rule: The management VLAN is not pruned from any VLAN trunk links belonging to the managed network’s infrastructure.
SV-19702r1_rule: The management VLAN is not configured with an IP address from the management network address block.
SV-20088r2_rule: Printers must be assigned to a VLAN that is not shared by unlike devices.
SV-20109r1_rule: The IAO will ensure that all switchports configured using MAC port security will shut down upon receiving a frame with a different layer 2 source address than what has been configured or learned for port security.
SV-49133r1_rule: The switch must only allow a maximum of one registered MAC address per access port.
SV-41497r1_rule: The network element must use two or more NTP servers to synchronize time.
SV-38003r3_rule: A service or feature that calls home to the vendor must be disabled.