Free DISA STIG and SRG Library | Vaulted

IPSec VPN Gateway Security Technical Implementation Guide

Compare Summary

Compare V1R16 to V1R13
  • All
  • Updated 3
  • Added 0
  • Removed 0

Vulnerabilities (85)

Network devices must authenticate all NTP messages received from NTP servers and peers.

Finding ID
NET0813
Rule ID
SV-15327r6_rule15327r5_rule
Severity
Cat II
CCE
(None)
Group Title
NTP messages are not authenticated.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Since NTP is used to ensure accurate log file time stamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers. A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to its upstream NTP server, it will be able to choose time from one of its peers. The NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It is not used to authenticate NTP clients because NTP servers do not care about the authenticity of their clients, as they never accept any time from them.

Fix Text

Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or a FIPS-approved message authentication code algorithm.

Check Content

Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using either PKI or a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Downgrade: If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III. If the network element is not configured to authenticate received NTP messages using PKI or a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.

Network devices must display the DoD-approved logon banner warning.

Finding ID
NET0340
Rule ID
SV-3013r5_rule3013r4_rule
Severity
Cat II
CCE
(None)
Group Title
Login banner is non-existent or not DOD-approved.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.

Fix Text

Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."

Check Content

Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.

Responsibility

Information Assurance Officer

Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.

Finding ID
NET0465
Rule ID
SV-3057r6_rule3057r5_rule
Severity
Cat II
CCE
(None)
Group Title
Accounts assigned least privileges necessary to perform duties.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.

Fix Text

Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.

Check Content

Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the leastgreatest privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.

Responsibility

Information Assurance Officer

Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.

Finding ID
NET0422
Rule ID
SV-15301r4_rule
Severity
Cat III
CCE
(None)
Group Title
Key expiration exceeds 180 days.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates, both with 180-day or less expirations.

Fix Text

Configure the device so rotating keys expire at 180 days or less.

Check Content

Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.

Network devices must have BSDr commands disabled.

Finding ID
NET0744
Rule ID
SV-15313r3_rule
Severity
Cat II
CCE
(None)
Group Title
BSDr commands are not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Berkeley Software Distribution (BSD) "r" commands allow users to execute commands on remote systems using a variety of protocols. The BSD "r" commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) are designed to provide convenient remote access without passwords to services such as remote command execution (rsh), remote login (rlogin), and remote file copy (rcp and rdist). The difficulty with these commands is they use address-based authentication. An attacker who convinces a server that he is coming from a "trusted" machine can essentially get complete and unrestricted access to a system. The attacker can convince the server by impersonating a trusted machine and using IP address, by confusing DNS so that DNS thinks that the attacker's IP address maps to a trusted machine's name, or by any of a number of other methods.

Fix Text

Configure the device to disable BSDr command services.

Check Content

Review the device configuration and verify there are no BSDr commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) enabled. If BSDr commands are enabled, this is a finding.

Responsibility

Information Assurance Officer

The network device must use its loopback or OOB management interface address as the source address when originating authentication services traffic.

Finding ID
NET0897
Rule ID
SV-15336r3_rule
Severity
Cat III
CCE
(None)
Group Title
Authentication traffic does not use loopback address or OOB Management interface.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. TACACS+, RADIUS messages sent to management servers should use the loopback address as the source address.

Fix Text

Configure the device to use its loopback or OOB management interface address as the source address when originating authentication services traffic.

Check Content

Review the device configuration and determine if authentication services are using the loopback or OOB management interface as the source address. If the loopback or OOB management interface isn't being used as the source address for authentications services, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The network device must use its loopback or OOB management interface address as the source address when originating syslog traffic.

Finding ID
NET0898
Rule ID
SV-15339r3_rule
Severity
Cat III
CCE
(None)
Group Title
Syslog traffic is not using loopback address or OOB management interface.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. Syslog messages sent to management servers should use the loopback address as the source address.

Fix Text

Configure the device to use its loopback or OOB management interface address as the source address when originating syslog traffic.

Check Content

Review the configuration and verify the loopback interface address is used as the source address when originating syslog traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for syslog traffic, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The network device must use its loopback or OOB management interface address as the source address when originating NTP traffic.

Finding ID
NET0899
Rule ID
SV-15342r3_rule
Severity
Cat III
CCE
(None)
Group Title
NTP traffic is not using loopback address or OOB Management interface.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. NTP messages sent to management servers should use the loopback address as the source address.

Fix Text

Configure the device to use its loopback or OOB management interface address as the source address when originating NTP traffic.

Check Content

Review the configuration and verify the loopback interface address is used as the source address when originating NTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for NTP traffic, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The network device must use its loopback or OOB management interface address as the source address when originating SNMP traffic.

Finding ID
NET0900
Rule ID
SV-15345r3_rule
Severity
Cat III
CCE
(None)
Group Title
SNMP traffic does not use loopback address or OOB Management interface.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. SNMP messages sent to management servers should use the loopback address as the source address.

Fix Text

Configure the device to use its loopback or OOB management interface address as the source address when originating SNMP traffic.

Check Content

Review the configuration and verify the loopback interface address is used as the source address when originating SNMP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for SNMP traffic, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The network device must use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.

Finding ID
NET0901
Rule ID
SV-15348r3_rule
Severity
Cat III
CCE
(None)
Group Title
Netflow traffic is not using loopback address.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. NetFlow messages sent to management servers should use the loopback address as the source address.

Fix Text

Configure the device to use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.

Check Content

Review the configuration and verify the loopback interface address is used as the source address when originating NetFlow traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for IP Flow/NetFlow traffic, this is a finding.

Responsibility

Information Assurance Officer

The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.

Finding ID
NET0902
Rule ID
SV-15351r4_rule
Severity
Cat III
CCE
(None)
Group Title
FTP/TFTP traffic does not use loopback address or OOB Management interface.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of network devices. It is easier to construct appropriate ingress filters for management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. TFTP and FTP messages sent to management servers should use the loopback address as the source address.

Fix Text

Configure the network device to use a loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.

Check Content

Review the device configuration to verify the loopback interface address is used as the source address when originating TFTP or FTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for TFTP or FTP traffic, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The network device must use its loopback interface address as the source address for all iBGP peering sessions.

Finding ID
NET0903
Rule ID
SV-15357r3_rule
Severity
Cat III
CCE
(None)
Group Title
Loopback address is not used as the iBGP source IP.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability. It is easier to construct appropriate filters for control plane traffic. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.

Fix Text

Configure the network device's loopback address as the source address for iBGP peering.

Check Content

Review the configuration and verify iBGP peering uses the devices loopback interface address as the source address. If the loopback interface isn't being used as the source address for iBGP peering, this is a finding.

Responsibility

Information Assurance Officer

The network device must not allow SSH Version 1 to be used for administrative access.

Finding ID
NET1647
Rule ID
SV-15459r4_rule
Severity
Cat II
CCE
(None)
Group Title
The network element must not allow SSH Version 1.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.

Fix Text

Configure the network device to use SSH version 2.

Check Content

Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.

Responsibility

Information Assurance Officer

Network devices must use two or more authentication servers for the purpose of granting administrative access.

Finding ID
NET0433
Rule ID
SV-16259r4_rule
Severity
Cat II
CCE
(None)
Group Title
The device is not authenticated using a AAA server.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in conjunction with an authentication server such as TACACS+ or RADIUS, the administrators can easily add or remove user accounts, add or remove command authorizations, and maintain a log of user activity. The use of an authentication server provides the capability to assign router administrators to tiered groups that contain their privilege level that is used for authorization of specific commands. For example, user mode would be authorized for all authenticated administrators while configuration or edit mode should only be granted to those administrators that are permitted to implement router configuration changes.

Fix Text

Configure the device to use two separate authentication servers.

Check Content

Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.

Responsibility

Information Assurance Officer

The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.

Finding ID
NET0441
Rule ID
SV-16261r5_rule
Severity
Cat I
CCE
(None)
Group Title
Emergency administration account privilege level is not set.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.

Fix Text

Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.

Check Content

Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.

Responsibility

Information Assurance Officer

The network devices OOBM interface must be configured with an OOBM network address.

Finding ID
NET0991
Rule ID
SV-19075r4_rule
Severity
Cat II
CCE
(None)
Group Title
The OOBM interface not configured correctly.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.

Fix Text

Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.

Check Content

Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.

Responsibility

System Administrator

The network devices management interface must be configured with both an ingress and egress ACL.

Finding ID
NET0992
Rule ID
SV-19076r4_rule
Severity
Cat II
CCE
(None)
Group Title
The management interface does not have an ACL.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.

Fix Text

If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.

Check Content

Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.

Responsibility

System Administrator

The management interface must be configured as passive for the IGP instance deployed in the managed network.

Finding ID
NET0993
Rule ID
SV-19077r3_rule
Severity
Cat III
CCE
(None)
Group Title
The management interface is not IGP passive.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The OOBM access switch will connect to the management interface of the managed network devices. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network devices will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic, both data plane and control plane, does not leak into the managed network and that production traffic does not leak into the management network.

Fix Text

Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.

Check Content

Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. If the management interface is not configured to be passive for IGP instances, this is a finding.

Responsibility

System Administrator

The network device must have control plane protection enabled.

Finding ID
NET0966
Rule ID
SV-21027r3_rule
Severity
Cat II
CCE
(None)
Group Title
Control plane protection is not enabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Hence, any disruption to the RP or the control and management planes can result in mission critical network outages. In addition to control plane and management plane traffic that is in the router's receive path, the RP must also handle other traffic that must be punted to the RP--that is, the traffic must be fast or process switched. This is the result of packets that must be fragmented, require an ICMP response (TTL expiration, unreachable, etc.) have IP options, etc. A DoS attack targeting the RP can be perpetrated either inadvertently or maliciously involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability, the router must be able to securely handle specific control plane and management plane traffic that is destined to it, as well as other punted traffic. Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing can be used to increase security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

Fix Text

Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.

Check Content

Determine if control plane protection has been implemented on the device by verifying traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class. If the device doesn't have any control plane protection configured on the device, this is a finding.

Responsibility

System Administrator

IA Controls

ECSC-1

Network devices must use at least two NTP servers to synchronize time.

Finding ID
NET0812
Rule ID
SV-28651r4_rule
Severity
Cat III
CCE
(None)
Group Title
Two NTP servers are not used to synchronize time.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.

Fix Text

Configure the device to use two separate NTP servers.

Check Content

Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.

Responsibility

System Administrator

The network device must log all interface access control lists (ACL) deny statements.

Finding ID
NET1020
Rule ID
SV-3000r4_rule
Severity
Cat III
CCE
(None)
Group Title
Interface ACL deny statements are not logged.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, attempted to be done, and by whom in order to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack, or identify a configuration mistake on the device.

Fix Text

Configure interface ACLs to log all deny statements.

Check Content

Review the network device interface ACLs to verify all deny statements are logged. If deny statements are not logged, this is a finding.

Responsibility

Information Assurance Officer

Network devices must be password protected.

Finding ID
NET0230
Rule ID
SV-3012r4_rule
Severity
Cat I
CCE
(None)
Group Title
Network element is not password protected.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device providing opportunity for intruders to compromise resources within the network infrastructure.

Fix Text

Configure the network devices so it will require a password to gain administrative access to the device.

Check Content

Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.

Responsibility

Information Assurance Officer

The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.

Finding ID
NET1639
Rule ID
SV-3014r4_rule
Severity
Cat II
CCE
(None)
Group Title
Management connection does not timeout.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network device and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device as well as reduce the risk of a management session from being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

Fix Text

Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.

Check Content

Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.

Responsibility

Information Assurance Officer

Network devices must have DNS servers defined if it is configured as a client resolver.

Finding ID
NET0820
Rule ID
SV-3020r3_rule
Severity
Cat III
CCE
(None)
Group Title
DNS servers must be defined for client resolver.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.

Fix Text

Configure the device to include DNS servers or disable domain lookup.

Check Content

Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup). If the device is configured as a client resolver and DNS servers are not defined, this is a finding.

Responsibility

Information Assurance Officer

Network devices must only allow SNMP access from addresses belonging to the management network.

Finding ID
NET0890
Rule ID
SV-3021r3_rule
Severity
Cat II
CCE
(None)
Group Title
SNMP access is not restricted by IP address.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, show the networks topology, and possibly gain access to network devices.

Fix Text

Configure the network devices to only allow SNMP access from only addresses belonging to the management network.

Check Content

Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management network. If the device is not configured to filter SNMP from the management network only, this is a finding.

Responsibility

Information Assurance Officer

Network devices must authenticate all IGP peers.

Finding ID
NET0400
Rule ID
SV-3034r3_rule
Severity
Cat II
CCE
(None)
Group Title
Interior routing protocols are not authenticated.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A rogue router could send a fictitious routing update to convince a site's premise router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information of the site's network, or merely used to disrupt the network's ability to effectively communicate with other networks.

Fix Text

Configure authentication for all IGP peers.

Check Content

Review the device configuration to determine if authentication is configured for all IGP peers. If authentication is not configured for all IGP peers, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The network device must use different SNMP community names or groups for various levels of read and write access.

Finding ID
NET1675
Rule ID
SV-3043r4_rule
Severity
Cat II
CCE
(None)
Group Title
SNMP privileged and non-privileged access.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Numerous vulnerabilities exist with SNMP; therefore, without unique SNMP community names, the risk of compromise is dramatically increased. This is especially true with vendors default community names which are widely known by hackers and other networking experts. If a hacker gains access to these devices and can easily guess the name, this could result in denial of service, interception of sensitive information, or other destructive actions.

Fix Text

Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.

Check Content

Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.

Responsibility

Information Assurance Officer

Group accounts must not be configured for use on the network device.

Finding ID
NET0460
Rule ID
SV-3056r7_rule
Severity
Cat I
CCE
(None)
Group Title
Group accounts are defined.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.

Fix Text

Configure individual user accounts for each authorized person then remove any group accounts.

Check Content

Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.

Responsibility

Information Assurance Officer

Unauthorized accounts must not be configured for access to the network device.

Finding ID
NET0470
Rule ID
SV-3058r5_rule
Severity
Cat II
CCE
(None)
Group Title
Unauthorized accounts are configured to access device.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that is no longer needed to access the device. Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.

Fix Text

Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.

Check Content

Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.

Responsibility

Information Assurance Officer

Network devices must be configured to ensure passwords are not viewable when displaying configuration information.

Finding ID
NET0600
Rule ID
SV-3062r4_rule
Severity
Cat I
CCE
(None)
Group Title
Passwords are viewable when displaying the config.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Many attacks on information systems and network devices are launched from within the network. Hence, it is imperative that all passwords are encrypted so they cannot be intercepted by viewing the console or printout of the configuration.

Fix Text

Configure the network devices to ensure passwords are not viewable when displaying configuration information.

Check Content

Review the network devices configuration to determine if passwords are viewable. If passwords are viewable in plaintext, this is a finding.

Responsibility

Information Assurance Officer

Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.

Finding ID
NET1638
Rule ID
SV-3069r5_rule
Severity
Cat II
CCE
(None)
Group Title
Management connections must be secured by FIPS 140-2.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information. With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.

Fix Text

Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.

Check Content

Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.

Responsibility

Information Assurance Officer

Network devices must log all attempts to establish a management connection for administrative access.

Finding ID
NET1640
Rule ID
SV-3070r4_rule
Severity
Cat III
CCE
(None)
Group Title
Management connections must be logged.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.

Fix Text

Configure the device to log all access attempts to the device to establish a management connection for administrative access.

Check Content

Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.

Responsibility

Information Assurance Officer

The running configuration must be synchronized with the startup configuration after changes have been made and implemented.

Finding ID
NET1030
Rule ID
SV-3072r3_rule
Severity
Cat III
CCE
(None)
Group Title
Running and startup configurations are not synchronized.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If the running and startup router configurations are not synchronized properly and a router malfunctions, it will not restart with all of the recent changes incorporated. If the recent changes were security related, then the routers would be vulnerable to attack.

Fix Text

Add procedures to the standard operating procedure to keep the running configuration synchronized with the startup configuration.

Check Content

Review the running and boot configurations to determine if they are synchronized. IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. The "show startup-config" command will show the NVRAM startup configuration. Compare the two configurations to ensure they are synchronized. JUNOS Procedure: This will never be a finding. The active configuration is stored on flash as juniper.conf. A candidate configuration allows configuration changes while in configuration mode without initiating operational changes. The router implements the candidate configuration when it is committed; thereby, making it the new active configuration--at which time it will be stored on flash as juniper.conf and the old juniper.conf will become juniper.conf.1. If running configuration and boot configurations are not the same, this is a finding.

Responsibility

Information Assurance Officer

Network devices must have TCP and UDP small servers disabled.

Finding ID
NET0720
Rule ID
SV-3078r3_rule
Severity
Cat III
CCE
(None)
Group Title
TCP and UDP small server services are not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Cisco IOS provides the "small services" that include echo, chargen, and discard. These services, especially their User Datagram Protocol (UDP) versions, are infrequently used for legitimate purposes. However, they have been used to launch denial of service attacks that would otherwise be prevented by packet filtering. For example, an attacker might send a DNS packet, falsifying the source address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If such a packet were sent to the Cisco's UDP echo port, the result would be Cisco sending a DNS packet to the server in question. No outgoing access list checks would be applied to this packet, since it would be considered locally generated by the router itself. The small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they may be disabled using the commands no service tcp-small-servers and no service udp-small-servers.

Fix Text

Change the device configuration to include the following IOS commands: no service tcp-small-servers and no service udp-small-servers for each device running an IOS version prior to 12.0. This is the default for IOS versions 12.0 and later (i.e., these commands will not appear in the running configuration.)

Check Content

Review all Cisco device configurations to verify service udp-small-servers and service tcp-small-servers are not found. If TCP and UDP servers are not disabled, this is a finding. Note: The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later.

Responsibility

Information Assurance Officer

Network devices must have the Finger service disabled.

Finding ID
NET0730
Rule ID
SV-3079r3_rule
Severity
Cat III
CCE
(None)
Group Title
The finger service is not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Finger service supports the UNIX Finger protocol, which is used for querying a host about the users that are logged on. This service is not necessary for generic users. If an attacker were to find out who is using the network, they may use social engineering practices to try to elicit classified DoD information.

Fix Text

Configure the device to disable the Finger service.

Check Content

Review the device configuration to determine if Finger has been implemented. If the Finger service is enabled, this is a finding.

Responsibility

Information Assurance Officer

The Configuration auto-loading feature must be disabled when connected to an operational network.

Finding ID
NET0760
Rule ID
SV-3080r4_rule
Severity
Cat II
CCE
(None)
Group Title
Configuration auto-loading must be disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Devices can find their startup configuration either in their own NVRAM or access it over the network via TFTP or Remote Copy (rcp). Loading the image from the network is taking a security risk since the image could be intercepted by an attacker who could corrupt the image resulting in a denial of service. Configuration auto-loading can be enabled when the device is connected to a non-operational network. Once the device is connected to an operational (i.e. production) network, configuration auto-loading must be disabled.

Fix Text

Disable the configuration auto-loading feature, when connected to an operational network.

Check Content

Review the device configuration to determine if the configuration auto-loading feature is disabled. If the configuration auto-loading feature is enabled when the device is connected to an operational network, this is a finding.

IP source routing must be disabled.

Finding ID
NET0770
Rule ID
SV-3081r3_rule
Severity
Cat II
CCE
(None)
Group Title
IP Source Routing is not disabled on all routers.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Source routing is a feature of IP, whereby individual packets can specify routes. This feature is used in several different network attacks by bypassing perimeter and internal defense mechanisms.

Fix Text

Configure the router to disable IP source routing.

Check Content

Review the configuration to determine if source routing is disabled. If IP source routing is enabled, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

IP directed broadcast must be disabled on all layer 3 interfaces.

Finding ID
NET0790
Rule ID
SV-3083r3_rule
Severity
Cat III
CCE
(None)
Group Title
IP directed broadcast is not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, which is connected directly to the target subnet, can conclusively identify a directed broadcast. IP directed broadcasts are used in the extremely common and popular smurf, or Denial of Service (DoS), attacks. In a smurf attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified. This service should be disabled on all interfaces when not needed to prevent smurf and DoS attacks. Directed broadcast can be enabled on internal facing interfaces to support services such as Wake-On-LAN. Case scenario may also include support for legacy applications where the content server and the clients do not support multicast. The content servers send streaming data using UDP broadcast. Used in conjunction with the ip multicast helper-map feature, broadcast data can be sent across a multicast topology. The broadcast streams are converted to multicast and vice versa at the first-hop routers and last-hop routers before entering leaving the multicast transit area respectively. The last-hop router must convert the multicast to broadcast. Hence, this interface must be configured to forward a broadcast packet (i.e. a directed broadcast address is converted to the all nodes broadcast address).

Fix Text

Disable IP directed broadcasts on all layer 3 interfaces.

Check Content

IP directed broadcast is disabled by default in IOS version 12.0 and higher so the command "no ip directed-broadcast" will not be displayed in the running configuration--verify that the running configuration does not contain the command "ip directed-broadcast". For versions prior to 12.0 ensure the command "no ip directed-broadcast" is displayed in the running configuration. If IP directed broadcasts are enabled on layer 3 interfaces, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Network devices must have HTTP service for administrative access disabled.

Finding ID
NET0740
Rule ID
SV-3085r4_rule
Severity
Cat II
CCE
(None)
Group Title
HTTP server is not disabled
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The additional services the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services. The HTTPS server may be enabled for administrative access.

Fix Text

Configure the device to disable using HTTP (port 80) for administrative access.

Check Content

Review the device configuration to determine that HTTP is not enabled for administrative access. The HTTPS server may be enabled for administrative access. If the device allows the use of HTTP for administrative access, this is a finding.

BOOTP services must be disabled.

Finding ID
NET0750
Rule ID
SV-3086r3_rule
Severity
Cat III
CCE
(None)
Group Title
The Bootp service is not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

BOOTP is a user datagram protocol (UDP) that can be used by Cisco routers to access copies of Cisco IOS Software on another Cisco router running the BOOTP service. In this scenario, one Cisco router acts as a Cisco IOS Software server that can download the software to other Cisco routers acting as BOOTP clients. In reality, this service is rarely used and can allow an attacker to download a copy of a router's Cisco IOS Software.

Fix Text

Configure the device to disable all BOOTP services.

Check Content

Review the device configuration to determine if BOOTP services are enabled. If BOOTP is enabled, this is a finding.

Responsibility

Information Assurance Officer

The VPN gateway must use IKE for negotiating and establishing all IPSec security associations.

Finding ID
NET-VPN-010
Rule ID
SV-40981r1_rule
Severity
Cat I
CCE
(None)
Group Title
IKE is not used for establishing IPSec SA.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An IPSec Security Associations (SA) is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. With manual configuration of the IPSec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPSec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA which could result in a rouge device establishing an IPSec SA with either of the VPN end points. IKE provides primary authentication to verify the identity of the remote system before negotiation begins. IKE also enables anti-replay services and will establish a lifetime for each IPSec session. These features are lost when the IPSec security associations are manually configured which results in a non-terminating session using static pre-shared keys.

Fix Text

Configure the VPN gateway to use IKE for establishing all IPSec security associations. An ISAKMP policy must be configured to define the IKE security association which will include the peer, the authentication method, encryption suite, and Diffie-Hellman group.

Check Content

Review the VPN gateway configuration to determine if there are any IPSec crypto maps enabled in manual mode. The crypto map will specify that it is manual and will define the remote peer, what traffic is to be protected, as well as the cipher key and encryption algorithm to be used for encrypting the IP packets.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must authenticate the remote server, peer, or client prior to establishing an IPSec session.

Finding ID
NET-VPN-020
Rule ID
SV-40983r1_rule
Severity
Cat I
CCE
(None)
Group Title
The remote VPN endpoint is not authenticated.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Both IPSec endpoints must authenticate each other to ensure the identity of each by additional means besides an IP address which can easily be spoofed. The objective of IPSec is to establish a secured tunnel with privacy between the two endpoints traversing an IP backbone network. In the case of teleworkers accessing the enclave using a laptop configured with an IPSec software client, the secured path will also traverse the Internet. The secured path will grant the remote site or client access to resources within the private network; thereby establishing a level of trust. Hence, it is imperative that some form of authentication is used prior to establishing an IPSec session for transporting data to and from the enclave from a remote site.

Fix Text

Configure the VPN gateway to authenticate the remote end-point prior to establishing an IPSec session. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.

Check Content

Review the VPN gateway configuration to determine if either username/password or certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.

Finding ID
NET-VPN-030
Rule ID
SV-40985r1_rule
Severity
Cat II
CCE
(None)
Group Title
PKI is not used for authenticating remote endpoint.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using shared secrets between two IPSec endpoints is easy to implement but are also easy to compromise. Regardless of the strength of the password, they can be cracked using software tools that are readily available. Furthermore, implementation using shared secrets is not scalable since all VPN gateways and software clients would need to be configured with the shared secrets. In addition, there cannot be a preshared key for every user because the VPN gateway server does not know the client’s identity (the IP address is commonly used). Hence, remote users must use a group-based preshared key for authentication. When an individual leaves the group, changing the key must be coordinated with the other users of the group. PKI mitigates the risk involved with group passwords because each user has a certificate. PKI offers a scalable way to authenticate all IPSec endpoints in a secure manner. Every VPN gateway or remote client that needs to participate in IPSec VPN is issued a digital certificate by the Certification Authority (CA). The digital certificate binds the identity information of a VPN gateway (e.g., hostname or IP address) to the device’s public key by means of digital signature. This involves the use of public key cryptography algorithms, such as RSA. Based on this binding, any device that trusts the CA certificate, i.e., trusts the signature of the CA, would accept the identity inside the signed certificate. This model enables all VPN gateways and clients that trust the same CA to authenticate each other.

Fix Text

Configure the VPN gateway to use certificate-based authentication for IPSec peers and clients. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.

Check Content

Review the VPN gateway configuration to determine if certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.

Finding ID
NET-VPN-040
Rule ID
SV-40986r1_rule
Severity
Cat II
CCE
(None)
Group Title
DoD-approved CA is not used for PKI authentication.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When using digital certificates, Internet Key Exchange (IKE) negotiation between peers is restricted by either manually configuring each peer with the public key for each peer to which it is allowed to connect, or enrolling each peer with a Certificate Authority (CA). All peers to which the peer is allowed to connect must enroll with the same CA server and belong to the same organization. Certificates are issued and signed by a CA. Hence, the signature on a certificate identifies the particular CA that issued a certificate. The CA in turn has a certificate that binds its identity to its public key, so the CA’s identity can be verified. The primary role of the CA is to digitally sign and publish the public key bound to a given user or device via a digital certificate. This is done using the CA's own private key, so that trust in the user’s key relies on trust in the validity of the CA's key. Hence, to establish trust in the certificate of the remote client or peer, the VPN gateway must be configured to validate the peer’s certificate with the DoD-approved CA, as well as validate the identity of the DoD-approved CA. If the peer’s certificate is not validated, there is a risk of establishing an IPSec Security Association with a malicious user or a remote client that is not authorized.

Fix Text

Configure the VPN gateway to enroll with a DoD-approved Certificate Authority.

Check Content

Review the VPN gateway configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the gateway has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the gateway has enrolled and received a certificate from a trusted CA. A remote end-point’s certificate will always be validated by the gateway by verifying the signature of the CA on the certificate using the CA’s public key, which is contained in the gateways certificate it received at enrollment.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway server must enforce a policy to the software client to disallow the remote client from being able to save the logon password locally on the remote PC.

Finding ID
NET-VPN-250
Rule ID
SV-40987r1_rule
Severity
Cat II
CCE
(None)
Group Title
The VPN gateway server allows password saving.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Enabling the password save function requires users to only enter their password once when establishing the VPN tunnel. After that the software client will automatically re-enter the password when prompted for credentials by the VPN gateway.

Fix Text

Configure the ISAKMP client configuration groups used to push policy to remote software clients to disable the ability for users to save their logon password locally on the remote PC.

Check Content

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client allows the users to save their logon password locally on the remote PC. Note: This vulnerability is only applicable if certificate-based authentication is not implemented.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway server must enforce a policy to the software client to display a DoD approved warning banner prior to allowing access to the VPN.

Finding ID
NET-VPN-240
Rule ID
SV-40988r1_rule
Severity
Cat II
CCE
(None)
Group Title
The VPN gateway server does not enforce banner warning.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

All software remote clients must present a DoD approved warning banner prior allowing access to VPN. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the network is subject to monitoring to detect unauthorized usage. Failure to display the required warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. DoD CIO has issued new, mandatory policy standardizing the wording of “notice and consent” banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.

Fix Text

Configure the ISAKMP client configuration groups used to push policy to remote software clients to display a DoD approved warning banner prior to allowing access to the VPN.

Check Content

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client will display a DoD approved warning banner prior to allowing access to the VPN. Verify either Option A or Option B (for clients with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the client is incapable of displaying the required banner verbiage due to its size or the server is limited as to the banner to push to the client, a smaller banner must be used. The mandatory verbiage follows:“I've read & consent to terms in IS user agreem't.”

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must not accept certificates that have been revoked when using PKI for authentication.

Finding ID
NET-VPN-050
Rule ID
SV-40989r1_rule
Severity
Cat II
CCE
(None)
Group Title
Certificate revocation check is not enabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPSec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPSec security association will not be established for the remote end-point.

Fix Text

Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.

Check Content

Examine the CA trust point defined on the VPN gateway to determine if it references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway server must enforce a policy to the remote software client to check for the presence of a personal firewall before enabling access to the VPN.

Finding ID
NET-VPN-230
Rule ID
SV-40990r1_rule
Severity
Cat II
CCE
(None)
Group Title
The VPN gateway server does not enforce personal firewall.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The security posture of the remote PC connecting to the enclave via VPN is vital to the overall security of the enclave. While on-site hosts are behind the enclave’s perimeter defense, a remote PC is not and therefore is exposed to many vulnerabilities existing in the Internet when connected to a service provider via dial-up or broadband connection. Though it is policy to have a firewall installed on the remote PC according to the Secure Remote Computing Endpoint STIG (SRC-EPT-405), it is imperative the VPN gateway enforce the policy to the software client to verify the firewall is active prior to enabling access to the VPN.

Fix Text

Configure the ISAKMP client configuration groups used to push policy to remote software clients to check for the presence of a personal firewall before enabling access to the VPN.

Check Content

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client will check for the presence of a personal firewall before enabling access to the VPN.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use Secure Hash Algorithm for IKE cryptographic hashing operations required for authentication and integrity verification.

Finding ID
NET-VPN-060
Rule ID
SV-40992r1_rule
Severity
Cat I
CCE
(None)
Group Title
SHA is not being used for IKE hashing.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore, MD5 is considered cryptographically broken and should be not be used—and certainly not for security-based services relying on collision resistance. Using a weak hash algorithm such as MD5 could enable a rogue device to discover the authentication key enabling it to establish an Internet Key Exchange (IKE) Security Association with either of the VPN end points. Hence, Secure Hash Algorithm (SHA) must be used for IKE cryptographic hashing operations required for authentication and integrity verification.

Fix Text

Configure all ISAKMP policies to use SHA for IKE cryptographic hashing operations.

Check Content

Examine all ISAKMP policies configured on the VPN gateway to determine what hash algorithm is being used for establishing an IKE Security Association.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway server must enforce a no split-tunneling policy to all remote clients.

Finding ID
NET-VPN-220
Rule ID
SV-40993r1_rule
Severity
Cat II
CCE
(None)
Group Title
The VPN gateway server allows split-tunneling.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has access to the Internet while at the same time has established a secured path to the enclave via an IPSec tunnel. A remote client connected to the Internet that has been compromised by an attacker in the Internet, provides an attack base to the enclave’s private network via the IPSec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.

Fix Text

Disable split tunneling on all ISAKMP client configuration groups.

Check Content

Review the ISAKMP client configuration groups used to push policy to remote clients and determine if split tunneling is allowed. Split tunneling is commonly enabled by specifying an access control list within the client’s group policy. The access control list specifies what traffic flows are protected; hence, any traffic to destinations not declared in the access control list is forwarded outside of the IPSec tunnel by the remote client. If there is no access control list specified within a client configuration group, then packets for all destinations are transported within the IPSec tunnel.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use AES for IKE cryptographic encryption operations required to ensure privacy of the IKE session.

Finding ID
NET-VPN-070
Rule ID
SV-40994r1_rule
Severity
Cat I
CCE
(None)
Group Title
AES is not used for IKE encryption.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

While there is much debate about the security and performance of Advance Encryption Standard (AES), there is a consensus that it is significantly more secure than any of the algorithms supported by IPSec implementations today. AES is available in three key sizes: 128, 192 and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES. To ensure the privacy of the IKE session responsible for establishing the security association and key exchange for an IPSec tunnel, it is imperative that AES is used for encryption operations.

Fix Text

Configure all ISAKMP policies to use AES for IKE cryptographic encryption operations.

Check Content

Examine all ISAKMP policies configured on the VPN gateway to determine what encryption algorithm is being used for establishing an IKE Security Association.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway peer at a remote site must receive all ingress traffic and forward all egress traffic via the IPSec tunnel or other provisoned WAN links connected to the central or remote site.

Finding ID
NET-VPN-210
Rule ID
SV-40995r1_rule
Severity
Cat II
CCE
(None)
Group Title
Remote VPN gateway leaks unprotected traffic into IP backbone.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A VPN gateway peer at the remote site provides connectivity to the central or other remote sites belonging to the enclave via an IPSec tunnel across an IP backbone network such as the NIPRNet. This creates an extension or Intranet for the enclave using IPSec tunnels in lieu of traditional or legacy WAN services (T carrier, ATM, frame relay, etc). Unless the remote site has the required enclave perimeter defense (firewall, IPS, deny by default, etc), it is imperative that all inbound and outbound traffic traverse only the IPSec tunnels or other provisioned WAN links connecting the remote site to other sites belonging to the enclave. In other words, no packets can leak out an external-facing interface as “native” IP traffic into an IP backbone (i.e. NIPRNet, Internet). In addition, the external interface must not receive any traffic that is not secured by an IPSec tunnel or other provisioned WAN links connected to the central or remote site. This not only ensures that inbound and outbound traffic does not bypass the enclave’s perimeter defense, but also eliminates any backdoor connection.

Fix Text

Configure the VPN gateway at the remote site to ensure it receives all ingress traffic and forward all egress traffic via the IPSec tunnel. All inbound and outbound traffic must be considered interesting traffic for the IPSec crypto maps bound to the external interfaces. If IPSec-protected virtual tunnel interfaces are configured, all traffic must flow through them or other provisioned WAN links connecting the remote site to other sites belonging to the enclave.

Check Content

Review the remote VPN gateway interface configurations. All external-facing interfaces connected to an IP backbone network (i.e. NIPRNet) must have an IPSec crypto map bound to it or be the source of an IPSec-protected virtual tunnel interface. All inbound traffic must either map to a crypto map bound to a physical interface or be received via the virtual tunnel interface. Likewise, all outbound traffic must either map to a crypto map bound to a physical interface or be forwarded via the virtual tunnel interface. The remote VPN client can have WAN links connecting to other remote sites and the central sites. Traffic traversing these links does not need to be encrypted as they are part of the enclave’s private network.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must ensure traffic from a remote client with an outbound destination does not bypass the enclaves perimeter defense mechanisms deployed for egress traffic.

Finding ID
NET-VPN-200
Rule ID
SV-40996r1_rule
Severity
Cat II
CCE
(None)
Group Title
Outbound traffic from remote client bypasses the perimeter defense.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Packets from a remote client destined outbound must be inspected and proxied the same as any other traffic that will egress the enclave. Otherwise, there is the risk that the return traffic that will ingress the IPSec tunnel could compromise the remote client and possibly the remote LAN. This scenario can exist with a VPN-on-a-stick implementation that allows traffic to u-turn—that is, traffic from the remote site that traverses the IPSec tunnel is immediately forwarded out the same interface towards the NIPRNet and Internet with no upstream firewall. If a remote LAN is breached, the entire enclave could be exposed via the secured tunnel or any other provisioned link between the compromised remote LAN and other remote sites and the central site. Hence, it is imperative that traffic from the remote site that is destined outbound does not bypass the applicable inspection and proxy services deployed for the enclave’s perimeter defense.

Fix Text

Deploy the VPN gateway within a DMZ or configure the device to not permit u-turn traffic. If it must allow u-turn traffic, then deploy a firewall upstream to inspect the outbound traffic.

Check Content

Deploying the VPN gateway within a DMZ or service network will eliminate any risks associated with u-turn traffic. The traffic exiting the IPSec tunnel leaving the DMZ destined to either the private network or the NIPRNet/Internet will have to pass through the DMZ firewall and therefore, be subject to the applicable policy. If the VPN gateway is a firewall, which could be either on or outside the DMZ, review the configuration and verify it is not allowing traffic received from the IPSec tunnel to u-turn back out towards the NIPRNet/Internet. To allow traffic to u-turn, the firewall would have to be configured to NAT for the pool of remote client addresses on the outside interface (PAT the same global address), as well as a configuration statement to allow traffic to egress out the same interface in which the IPSec tunnel terminates—most implementations do not allow this by default. If the firewall is configured to allow a u-turn, then there must be another firewall upstream to inspect this outbound traffic or the traffic must be forwarded (policy based routed) towards the firewall or applicable proxy to perform the stateful inspection.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.

Finding ID
NET-VPN-190
Rule ID
SV-40997r2_rule
Severity
Cat I
CCE
(None)
Group Title
The IPSec SA is not VPN Suite B compliant.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

RFC 6379 Suite B Cryptographic Suites for IPSec defines four cryptographic user interface suites for deploying IPSec. Each suite provides choices for Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). The four suites are differentiated by the choice of IKE authentication and key exchange, cryptographic algorithm strengths, and whether ESP is to provide both confidentiality and integrity or integrity only. The suite names are based on the Advanced Encryption Standard (AES) mode and AES key length specified for ESP. Two suites are defined for transporting classified information up to SECRET level—one for both confidentiality and integrity and one for integrity only. There are also two suites defined for transporting classified information up to TOP SECRET level.

Fix Text

Configure transform sets used for transporting classified packets to be compliant with Suite B requirements.

Check Content

Review all transform sets defined in IPSec profiles and crypto maps used for securing classified traffic to determine if they are compliant with Suite B requirements. According to NIST, AES with 128-bit keys, SHA-256, and ECDH and ECDSA using the 256-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to SECRET level. AES with 356-bit keys, SHA-384, and Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to TOP SECRET level. Note: During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must enable anti-replay for all IPSec security associations.

Finding ID
NET-VPN-180
Rule ID
SV-40998r1_rule
Severity
Cat II
CCE
(None)
Group Title
Anti-replay is not enabled for all IPSec security.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Replay attack is a type of injection attack when an IPSec packet is captured by an attacker and re-inserts it into the legitimate flow to disrupt service or create undesired behavior. IPSec anti-replay service can mitigate a replay attack by running sequence numbers for each end of the tunnel and incrementing it for each packet sent. If a packet that is received does not have the expected sequence number, it is dropped.

Fix Text

Enable anti-replay on all IPSec security associations either within IPSec profiles or as a global command.

Check Content

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and determine if anti-replay is enabled. If anti-replay is not configured, determine if the feature is enabled by default.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use IKE main mode for the purpose of negotiating an IPSec security association policy when pre-shared keys are used for authentication

Finding ID
NET-VPN-080
Rule ID
SV-40999r1_rule
Severity
Cat III
CCE
(None)
Group Title
IKE aggressive mode is used for establishing IPSec.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Aggressive mode is completed using only three messages instead of the six used in main mode. Essentially, all the information needed to generate the Diffie-Hellman secret is exchanged in the first two messages exchanged between the two peers. The identity of the peer is also exchanged in the first two packets which have been sent in the clear. There are risks to configurations that use pre-shared keys which are exaggerated when aggressive mode is used. The entire session may be intercepted and manipulated. An adversary can either use a pre-shared key to impersonate a trusted end-point or client and connect to the protected network, or it can mount a Man-in-the-Middle attack on any new session.

Fix Text

Configure the VPN gateway to ensure aggressive mode is disabled for all IKE Phase 1 security associations.

Check Content

Examine all ISAKMP profiles configured on the VPN gateway to verify aggressive mode has not been defined for IKE Phase 1 Security Association. Aggressive mode could also be configured globally which would make it applicable to all IKE sessions.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 1.

Finding ID
NET-VPN-090
Rule ID
SV-41001r2_rule
Severity
Cat III
CCE
(None)
Group Title
DH Group 14 or larger not used for IKE Phase 1.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. IKE uses DH to create keys used to encrypt both the Internet Key Exchange (IKE) and IPsec communication channels. The process works by two peers both generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by using each other’s public key and their own private key using the DH algorithm. The DH group is configured as part of the IKE Phase 1 key exchange settings. DH public key cryptography is used by all major VPN gateways. DH group 1 consists of a 768 bit modulus, group 2 consists of 1024 bit modulus, group 5 uses a 1536 bit modulus, and group 14 uses a 2048 bit modulus. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.

Fix Text

Configure the VPN gateway to ensure Diffie-Hellman Group 14 or larger is used.

Check Content

Examine all ISAKMP policies configured on the VPN gateway to determine what Diffie-Hellman group is being used. Verify Group 14 or larger has been configured. If the group has not been configured, determine what the default for the VPN gateway is or enter the appropriate show command to display the policies. Group 1 is the default for many VPN gateways. If the Diffie-Hellman group is not set to 14 or larger, this is a finding.

The VPN gateway must specify Perfect Forward Secrecy during IKE negotiation.

Finding ID
NET-VPN-100
Rule ID
SV-41002r1_rule
Severity
Cat II
CCE
(None)
Group Title
PFS has not been specified for IKE negotiation.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Internet Key Exchange (IKE) Phase-2 (Quick Mode) Security Association (SA) is used to create an IPSec session key. Hence, its rekey or key regeneration procedure is very important. The Phase-2 rekey can be performed with or without Perfect Forward Secrecy (PFS). With PFS, every time a new IPSec Security Association is negotiated during the Quick Mode, a new Diffie-Hellman (DH) exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce from Phase 1) for generating a new IPSec session key. If PFS is not used, the IPSec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised. The DH exchange is performed in the same manner as was done in Phase 1 (Main or Aggressive Mode). However, the Phase-2 exchange is protected by encrypting the Phase-2 packets with the key derived from the Phase-1 negotiation. Because DH negotiations during Phase-2 are encrypted, the new IPSec session key has an added element of secrecy.

Fix Text

Configure the VPN gateway to ensure PFS is enabled.

Check Content

Review the VPN gateway configuration to determine if Perfect Forward Secrecy (PFS) is enabled. For most platforms, PFS is enabled by default. Examine all ISAKMP profiles and crypto maps to verify PFS is enabled.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must implement IPSec security associations that terminate after one hour or less of idle time.

Finding ID
NET-VPN-170
Rule ID
SV-41003r1_rule
Severity
Cat III
CCE
(None)
Group Title
Idle IPSec security associations do not terminate.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When a VPN gateway creates an IPSec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPSec endpoint inactivity which could result in the gateway’s inability to create new SAs for other endpoints; thereby, preventing new sessions from connecting. The IPSec SA idle timer allows SAs associated with inactive endpoints to be deleted before the SA lifetime has expired.

Fix Text

Configure an idle time value of 1 hour or less for all IPSec security associations either within IPSec profiles or as a global command.

Check Content

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured idle time. The idle time value must be 1 hour or less. If idle time is not configured, determine the default used by the gateway.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must implement IPSec security associations that terminate within 8 hours or less.

Finding ID
NET-VPN-160
Rule ID
SV-41004r1_rule
Severity
Cat III
CCE
(None)
Group Title
IPSec SA does not expire within 8 hours.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The IPSec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the life time of the IPSec Security Association, the longer the life time of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPSec peers to have to renegotiate IKE Phase II more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IPSec SA lifetime terminates within 8 hours.

Fix Text

Configure a lifetime value of 8 hours or less for all IPSec security associations either within IPSec profiles or as a global command.

Check Content

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured lifetime. The lifetime value must be 8 hours or less. If they are not configured, determine the default that used by the gateway.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 2.

Finding ID
NET-VPN-110
Rule ID
SV-41005r2_rule
Severity
Cat III
CCE
(None)
Group Title
DH Group 14 or larger not used for IKE Phase 2.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Diffie-Hellman (DH) is a public -key cryptography scheme allowing two parties to establish a shared secret over an insecure communications channel. IKE uses Diffie-Hellman to create keys used to encrypt both the Internet Key Exchange (IKE) and IPsec communication channels. The process works by two peers both generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by using each other’s public key and their own private key using the DH algorithm. With Perfect Forward Secrecy (PFS), every time a new IPsec SA is negotiated during the Quick Mode, a new DH exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce from Phase 1) for generating a new IPsec session key. If PFS is not used, the IPsec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised.

Fix Text

Configure the VPN gateway to ensure Diffie-Hellman Group 14 or larger is used when enabling PFS.

Check Content

Review the VPN gateway configuration to determine if Perfect Forward Secrecy (PFS) is enabled. If PFS is enabled, it must use DH Group 14 or larger. For most platforms, PFS is enabled by default using DH Group 1. Examine all ISAKMP profiles and crypto maps to verify PFS is enabled using DH Group 14 or larger. If the Diffie-Hellman group is not set to 14 or larger, this is a finding.

The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.

Finding ID
NET-VPN-150
Rule ID
SV-41006r1_rule
Severity
Cat I
CCE
(None)
Group Title
ESP tunnel mode not used for IPSec session.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Encapsulating Security Payload (ESP) is the feature in the IPSec architecture providing confidentiality, data origin authentication, integrity, and anti-replay services. ESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPSec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted; whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPSec gateways, or between an IPSec gateway and an end-station running IPSec software. Hence, it is the only method to provide secured path to transport traffic between remote sites or end-stations and the central site.

Fix Text

Configure all IPSec transform sets to use ESP tunnel mode.

Check Content

Review all transform sets defined in IPSec profiles and crypto maps and verify ESP tunnel mode has been specified. If the mode is not configured, determine the default for the VPN gateway.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must implement IKE Security Associations that terminate within 24 hours or less.

Finding ID
NET-VPN-120
Rule ID
SV-41007r1_rule
Severity
Cat III
CCE
(None)
Group Title
IKE SA lifetime is greater than 24 hours.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Security Association (SA) and its corresponding key will expire after the number of seconds has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure a new SA is ready for use when the old one expires. The longer the life time of the Internet Key Exchange (IKE) Security Association, the longer the life time of the key used for the IKE session, which is the control plane for establishing IPSec Security Associations. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter IKE lifetime causes IPSec peers to have to renegotiate IKE more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IKE SA lifetime terminates within 24 hours or less.

Fix Text

Configure a lifetime value of 24 hours or less for all ISAKMP polices.

Check Content

Review all ISAKMP policies configured on the VPN gateway and examine the configured lifetime. The lifetime value must be 24 hours or less. If they are not configured, determine the default that used by the gateway.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use AES for IPSec cryptographic encryption operations required to ensure privacy of the IPSec session.

Finding ID
NET-VPN-140
Rule ID
SV-41008r1_rule
Severity
Cat I
CCE
(None)
Group Title
AES not being used for IPSec cryptographic encrypt.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

While there is much debate about the security and performance of Advance Encryption Standard (AES), there is a consensus it is significantly more secure than any of the algorithms supported by IPSec implementations today. AES is available in three key sizes: 128, 192 and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES. Hence, AES must be used to ensure the privacy of the IPSec tunnel.

Fix Text

Configure all IPSec transform sets to use AES for performing cryptographic encryption operations.

Check Content

Review all transform sets defined in IPSec profiles and crypto maps and verify that AES has been enabled for performing cryptographic encryption operations.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.

Finding ID
NET-VPN-130
Rule ID
SV-41009r1_rule
Severity
Cat I
CCE
(None)
Group Title
SHA is not used for IPSec hashing operations.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision. For a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore MD5 is considered cryptographically broken and should not be used—and certainly not for security-based services relying on collision resistance. Hence Secure Hash Algorithm (SHA) must be used for IPSec cryptographic hashing operations required for authentication and integrity verification.

Fix Text

Configure all IPSec transform sets to use SHA for performing cryptographic hashing operations.

Check Content

Review all transform sets defined in IPSec profiles and crypto maps and verify SHA has been enabled for performing cryptographic hashing operations.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1

Network devices must authenticate all BGP peers within the same or between autonomous systems (AS).

Finding ID
NET0408
Rule ID
SV-41553r3_rule
Severity
Cat II
CCE
(None)
Group Title
BGP must authenticate all peers.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

As specified in RFC 793, TCP utilizes sequence checking to ensure proper ordering of received packets. RFC 793 also specifies that RST (reset) control flags should be processed immediately, without waiting for out of sequence packets to arrive. RFC 793 also requires that sequence numbers are checked against the window size before accepting data or control flags as valid. A router receiving an RST segment will close the TCP session with the BGP peer that is being spoofed; thereby, purging all routes learned from that BGP neighbor. A RST segment is valid as long as the sequence number is within the window. The TCP reset attack is made possible due to the requirements that Reset flags should be processed immediately and that a TCP endpoint must accept out of order packets that are within the range of a window size. This reduces the number of sequence number guesses the attack must make by a factor equivalent to the active window size. Each sequence number guess made by the attacker can be simply incremented by the receiving connections window size. The BGP peering session can protect itself against such an attack by authenticating each TCP segment. The TCP header options include an MD5 signature in every packet and are checked prior to the acceptance and processing of any TCP packet--including RST flags. One way to create havoc in a network is to advertise bogus routes to a network. A rogue router could send a fictitious routing update to convince a BGP router to send traffic to an incorrect or rogue destination. This diverted traffic could be analyzed to learn confidential information of the site's network, or merely used to disrupt the network's ability to effectively communicate with other networks. An autonomous system can advertise incorrect information by sending BGP updates messages to routers in a neighboring AS. A malicious AS can advertise a prefix originated from another AS and claim that it is the originator (prefix hijacking). Neighboring autonomous systems receiving this announcement will believe that the malicious AS is the prefix owner and route packets to it.

Fix Text

Configure the device to authenticate all BGP peers.

Check Content

Review the device configuration to determine if authentication is being used for all peers. A password or key should be defined for each BGP neighbor regardless of the autonomous system the peer belongs. Most vendors' command lines use a neighbor statement or keyword to specify a BGP peer. If BGP peers are not authenticated, this is a finding.

IA Controls

ECSC-1

Network devices must not have any default manufacturer passwords.

Finding ID
NET0240
Rule ID
SV-3143r4_rule
Severity
Cat I
CCE
(None)
Group Title
Devices exist with standard default passwords.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well-known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.

Fix Text

Remove any vendor default passwords from the network devices configuration.

Check Content

Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.

Responsibility

Information Assurance Officer

Network devices must be running a current and supported operating system with all IAVMs addressed.

Finding ID
NET0700
Rule ID
SV-3160r4_rule
Severity
Cat II
CCE
(None)
Group Title
Operating system is not at a current release level.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.

Fix Text

Update operating system to a supported version that addresses all related IAVMs.

Check Content

Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.

Responsibility

Information Assurance Officer

The network device must require authentication prior to establishing a management connection for administrative access.

Finding ID
NET1636
Rule ID
SV-3175r5_rule
Severity
Cat I
CCE
(None)
Group Title
Management connections must require passwords.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.

Fix Text

Configure authentication for all management connections.

Check Content

Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.

Responsibility

Information Assurance Officer

The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.

Finding ID
NET1660
Rule ID
SV-3196r4_rule
Severity
Cat I
CCE
(None)
Group Title
An insecure version of SNMP is being used.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.

Fix Text

If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).

Check Content

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.

Responsibility

Information Assurance Officer

The network device must not use the default or well-known SNMP community strings public and private.

Finding ID
NET1665
Rule ID
SV-3210r4_rule
Severity
Cat I
CCE
(None)
Group Title
Using default SNMP community names.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network device using the read community string "public". In addition, an attacker can change a system configuration using the write community string "private".

Fix Text

Configure unique SNMP community strings replacing the default community strings.

Check Content

Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.

Responsibility

Information Assurance Officer

In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.

Finding ID
NET0440
Rule ID
SV-3966r6_rule
Severity
Cat II
CCE
(None)
Group Title
More than one local account is defined.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or local account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.

Fix Text

Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.

Check Content

Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the local account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.

The network devices must time out access to the console port at 10 minutes or less of inactivity.

Finding ID
NET1624
Rule ID
SV-3967r4_rule
Severity
Cat II
CCE
(None)
Group Title
The console port does not timeout after 10 minutes.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

Fix Text

Configure the timeout for idle console connection to 10 minutes or less.

Check Content

Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.

Responsibility

Information Assurance Officer

Network devices must only allow SNMP read-only access.

Finding ID
NET0894
Rule ID
SV-3969r5_rule
Severity
Cat II
CCE
(None)
Group Title
Network element must only allow SNMP read access.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.

Fix Text

Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.

Check Content

Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding.

Responsibility

Information Assurance Officer

The network device must require authentication for console access.

Finding ID
NET1623
Rule ID
SV-4582r5_rule
Severity
Cat I
CCE
(None)
Group Title
Authentication required for console access.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.

Fix Text

Configure authentication for console access on the network device.

Check Content

Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.

Responsibility

Information Assurance Officer

The network device must log all messages except debugging and send all log data to a syslog server.

Finding ID
NET1021
Rule ID
SV-4584r3_rule
Severity
Cat III
CCE
(None)
Group Title
The network element must log all messages except debugging.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.

Fix Text

Configure the network device to log all messages except debugging and send all log data to a syslog server.

Check Content

Review the network device configuration to ensure all messages up to and including severity level 6 (informational) are logged and sent to a syslog server. Severity Level Message Type 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warning 5 Notifications 6 Informational 7 Debugging If logging does not capture of up severity level 6, this is a finding.

Responsibility

Information Assurance Officer

The network devices must only allow management connections for administrative access from hosts residing in the management network.

Finding ID
NET1637
Rule ID
SV-5611r5_rule
Severity
Cat II
CCE
(None)
Group Title
Management connections are not restricted.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.

Fix Text

Configure an ACL or filter to restrict management access to the device from only the management network.

Check Content

Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.

The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.

Finding ID
NET1645
Rule ID
SV-5612r4_rule
Severity
Cat II
CCE
(None)
Group Title
SSH session timeout is not 60 seconds or less.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network device.

Fix Text

Configure the network devices so it will require a secure shell timeout of 60 seconds or less.

Check Content

Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.

Responsibility

Information Assurance Officer

The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.

Finding ID
NET1646
Rule ID
SV-5613r4_rule
Severity
Cat II
CCE
(None)
Group Title
SSH login attempts value is greater than 3.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.

Fix Text

Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.

Check Content

Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.

Responsibility

Information Assurance Officer

Network devices must have the PAD service disabled.

Finding ID
NET0722
Rule ID
SV-5614r3_rule
Severity
Cat III
CCE
(None)
Group Title
The PAD service is enabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Packet Assembler Disassembler (PAD) is an X.25 component seldom used. It collects the data transmissions from the terminals and gathers them into a X.25 data stream and vice versa. PAD acts like a multiplexer for the terminals. If enabled, it can render the device open to attacks. Some voice vendors use PAD on internal routers.

Fix Text

Configure the device to disable the PAD service.

Check Content

Review the device configuration to determine if the PAD service is enabled. If the PAD service is enabled, this is a finding.

Responsibility

Information Assurance Officer

Network devices must have TCP Keep-Alives enabled for TCP sessions.

Finding ID
NET0724
Rule ID
SV-5615r3_rule
Severity
Cat III
CCE
(None)
Group Title
TCP Keep-Alives must be enabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These "orphaned" sessions use up valuable router resources and can also be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keepalive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the keepalive message, the sending router will clear the connection and free resources allocated to the session.

Fix Text

Configure the device to enable TCP Keep-Alives.

Check Content

Review the device configuration to verify the "service tcp-keepalives-in" command is configured. If TCP Keep-Alives are not enabled, this is a finding.

Responsibility

Information Assurance Officer

Network devices must have identification support disabled.

Finding ID
NET0726
Rule ID
SV-5616r3_rule
Severity
Cat III
CCE
(None)
Group Title
Identification support is enabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Identification support allows one to query a TCP port for identification. This feature enables an unsecured protocol to report the identity of a client initiating a TCP connection and a host responding to the connection. Identification support can connect a TCP port on a host, issue a simple text string to request information, and receive a simple text-string reply. This is another mechanism to learn the router vendor, model number, and software version being run.

Fix Text

Configure the device to disable identification support.

Check Content

Review the device configuration to verify that identification support is not enabled via "ip identd" global command. It is disabled by default. If identifications support is enabled, this is a finding.

Responsibility

Information Assurance Officer

Gratuitous ARP must be disabled.

Finding ID
NET0781
Rule ID
SV-5618r3_rule
Severity
Cat II
CCE
(None)
Group Title
Gratuitous ARP must be disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.

Fix Text

Disable gratuitous ARP on the device.

Check Content

Review the configuration to determine if gratuitous ARP is disabled. If gratuitous ARP is enabled, this is a finding.

Responsibility

Information Assurance Officer

The network device must drop half-open TCP connections through filtering thresholds or timeout periods.

Finding ID
NET0965
Rule ID
SV-5646r5_rule
Severity
Cat II
CCE
(None)
Group Title
Devices not configured to filter and drop half-open connections.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.

Fix Text

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.

Check Content

Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.

Responsibility

Information Assurance Officer

The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.

Finding ID
NET1629
Rule ID
SV-7365r4_rule
Severity
Cat III
CCE
(None)
Group Title
The auxiliary port is not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.

Fix Text

Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.

Check Content

Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.

Responsibility

Information Assurance Officer