STIGQter: STIG Summary: Layer 2 Switch Security Technical Implementation Guide

Version: 8

Release: 27

Benchmark Date: 25 Jan 2019

SV-3012r4_rule: Network devices must be password protected.
SV-3013r5_rule: Network devices must display the DoD-approved logon banner warning.
SV-3014r4_rule: The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
SV-3020r3_rule: Network devices must have DNS servers defined if it is configured as a client resolver.
SV-3021r3_rule: Network devices must only allow SNMP access from addresses belonging to the management network.
SV-3043r4_rule: The network device must use different SNMP community names or groups for various levels of read and write access.
SV-3056r7_rule: Group accounts must not be configured for use on the network device.
SV-3057r6_rule: Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
SV-3058r5_rule: Unauthorized accounts must not be configured for access to the network device.
SV-3062r4_rule: Network devices must be configured to ensure passwords are not viewable when displaying configuration information.
SV-3069r5_rule: Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
SV-3070r4_rule: Network devices must log all attempts to establish a management connection for administrative access.
SV-3072r3_rule: The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
SV-3079r3_rule: Network devices must have the Finger service disabled.
SV-3085r4_rule: Network devices must have HTTP service for administrative access disabled.
SV-3143r4_rule: Network devices must not have any default manufacturer passwords.
SV-3160r4_rule: Network devices must be running a current and supported operating system with all IAVMs addressed.
SV-3175r5_rule: The network device must require authentication prior to establishing a management connection for administrative access.
SV-3196r4_rule: The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
SV-3210r4_rule: The network device must not use the default or well-known SNMP community strings public and private.
SV-3966r6_rule: In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
SV-3967r4_rule: The network devices must time out access to the console port at 10 minutes or less of inactivity.
SV-3969r5_rule: Network devices must only allow SNMP read-only access.
SV-3971r2_rule: VLAN 1 must not be used for user VLANs.
SV-3972r2_rule: VLAN 1 must be pruned from all trunk and access ports that do not require it.
SV-3973r2_rule: Disabled switch ports must be placed in an unused VLAN (do not use VLAN 1).
SV-3984r2_rule: Access switchports must not be assigned to the native VLAN.
SV-4582r5_rule: The network device must require authentication for console access.
SV-4584r3_rule: The network device must log all messages except debugging and send all log data to a syslog server.
SV-5611r5_rule: The network devices must only allow management connections for administrative access from hosts residing in the management network.
SV-5612r4_rule: The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
SV-5613r4_rule: The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
SV-5622r2_rule: The native VLAN must be assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links.
SV-5623r2_rule: Port trunking must be disabled on all access ports (do not configure trunk on, desirable, non-negotiate, or auto; only off).
SV-5626r5_rule: The switch must be configured to use 802.1x authentication on host facing access switch ports.
SV-5628r2_rule: A dedicated management VLAN or VLANs must be configured to keep management traffic separate from user data and control plane traffic.
SV-7365r4_rule: The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
SV-15313r3_rule: Network devices must have BSDr commands disabled.
SV-15327r6_rule: Network devices must authenticate all NTP messages received from NTP servers and peers.
SV-15459r4_rule: The network device must not allow SSH Version 1 to be used for administrative access.
SV-16259r4_rule: Network devices must use two or more authentication servers for the purpose of granting administrative access.
SV-16261r5_rule: The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
SV-19074r1_rule: The OOBM access switch is not physically connected to the managed network element OOBM interface.
SV-19075r4_rule: The network devices OOBM interface must be configured with an OOBM network address.
SV-19078r1_rule: The management interface is an access switchport and has not been assigned to a separate management VLAN.
SV-19079r1_rule: An address has not been configured for the management VLAN from space belonging to the OOBM network assigned to that site.
SV-19080r1_rule: The access switchport connecting to the OOBM access switch is not the only port with membership to the management VLAN.
SV-19081r1_rule: The management VLAN is not pruned from any VLAN trunk links belonging to the managed network’s infrastructure.
SV-19090r2_rule: The management VLAN must be configured with an IP address from the management network address block.
SV-20088r2_rule: Printers must be assigned to a VLAN that is not shared by unlike devices.
SV-20109r1_rule: The IAO will ensure that all switchports configured using MAC port security will shut down upon receiving a frame with a different layer 2 source address than what has been configured or learned for port security.
SV-20110r3_rule: The switch must only allow a maximum of one registered MAC address per access port.
SV-28651r4_rule: Network devices must use at least two NTP servers to synchronize time.
SV-36774r5_rule: A service or feature that calls home to the vendor must be disabled.