2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms | SYSTEM AND COMMUNICATIONS PROTECTION |
2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
2.5 Ensure firewall filters contain explicit deny and log term | SYSTEM AND COMMUNICATIONS PROTECTION |
2.6 Ensure firewall filters contain explicit deny and log term | SYSTEM AND COMMUNICATIONS PROTECTION |
2.7 Ensure internal sources are blocked on external networks | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
3.1.3 Forbid Dial in Access | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
3.2.1 Ensure VRRP authentication-key is set | CONFIGURATION MANAGEMENT |
3.2.2 Ensure authentication-type is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
3.5 Ensure proxy-arp is disabled | SYSTEM AND COMMUNICATIONS PROTECTION |
3.8 Ensure Loopback interface address is set | CONFIGURATION MANAGEMENT |
3.10 Ensure inbound firewall filter is set for Loopback interface | CONFIGURATION MANAGEMENT |
4.1.2 Ensure peer authentication is set to IPSEC SA | IDENTIFICATION AND AUTHENTICATION |
4.1.4 Ensure Bogon Filtering is set (where EBGP is used) | SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.6 Ensure RPKI is set for Origin Validation of EBGP peers | SYSTEM AND COMMUNICATIONS PROTECTION |
4.2.2 Ensure IS-IS neighbor authentication is set to SHA1 | IDENTIFICATION AND AUTHENTICATION |
4.3.2 Ensure OSPF authentication is set to IPSEC SA with SHA | IDENTIFICATION AND AUTHENTICATION |
4.6.1 Ensure BFD Authentication is Set | CONFIGURATION MANAGEMENT |
4.6.2 Ensure BFD Authentication is Not Set to Loose-Check | CONFIGURATION MANAGEMENT |
4.7.2 Ensure authentication is set to AES-CMAC | IDENTIFICATION AND AUTHENTICATION |
4.9.1 Ensure Secure Neighbor Discovery is configured | IDENTIFICATION AND AUTHENTICATION |
4.12.1 Ensure LLDP is Disabled if not Required | CONFIGURATION MANAGEMENT |
4.12.2 Ensure LLDP-MED is Disabled if not Required | CONFIGURATION MANAGEMENT |
5.5 Ensure SNMP Write Access is not set | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
5.6 Ensure AES128 is set for all SNMPv3 users | SYSTEM AND COMMUNICATIONS PROTECTION |
5.7 Ensure SHA1 is set for SNMPv3 authentication | IDENTIFICATION AND AUTHENTICATION |
5.9 Ensure SNMP is set to OOB management only | SYSTEM AND COMMUNICATIONS PROTECTION |
6.1.4 Recommend Accounting of Interactive Commands (where External AAA is used) | AUDIT AND ACCOUNTABILITY |
6.2.1 Ensure Archive on Commit | CONTINGENCY PLANNING |
6.2.2 Ensure at least one SCP Archive Site is configured | CONTINGENCY PLANNING |
6.5.1 Ensure ICMPv4 rate-limit is Set | CONFIGURATION MANAGEMENT |
6.5.2 Ensure ICMPv6 rate-limit is Set | CONFIGURATION MANAGEMENT |
6.6.7 Ensure Remote Login Class for Authorization through External AAA - login class | IDENTIFICATION AND AUTHENTICATION |
6.6.7 Ensure Remote Login Class for Authorization through External AAA - remote class | IDENTIFICATION AND AUTHENTICATION |
6.6.14 Ensure Multi-Factor is used with External AAA | IDENTIFICATION AND AUTHENTICATION |
6.7.2 Ensure Multiple External NTP Servers are set | AUDIT AND ACCOUNTABILITY |
6.7.3 Ensure NTP Boot-Server is set | AUDIT AND ACCOUNTABILITY |
6.7.5 Ensure Authentication Keys are used for all NTP Servers | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
6.7.6 Ensure Different Authentication Keys for each NTP Server | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
6.7.7 Ensure Strong Authentication Methods are used for NTP Authentication | AUDIT AND ACCOUNTABILITY |
6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - ciphers restriction | IDENTIFICATION AND AUTHENTICATION |
6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - weak ciphers | IDENTIFICATION AND AUTHENTICATION |
6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - key-exchange restriction | IDENTIFICATION AND AUTHENTICATION |
6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - weak key-exchange | IDENTIFICATION AND AUTHENTICATION |
6.10.1.12 Ensure Only Suite B Based Key Signing Algorithms are set for SSH - DSA keys | IDENTIFICATION AND AUTHENTICATION |
6.10.1.12 Ensure Only Suite B Based Key Signing Algorithms are set for SSH - ECDSA Key | IDENTIFICATION AND AUTHENTICATION |
6.10.1.13 Ensure SSH Key Authentication is Disabled | IDENTIFICATION AND AUTHENTICATION |
6.10.2.3 Ensure Web-Management is Set to use PKI Certificate for HTTPS | IDENTIFICATION AND AUTHENTICATION |
6.10.2.7 Ensure Web-Management Interface Restriction is set to OOB Management | SYSTEM AND COMMUNICATIONS PROTECTION |
6.10.3.2 Ensure XNM-SSL Connection Limit is Set | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |