Tenable ZTE ROSNG

Audit Details

Name: Tenable ZTE ROSNG

Updated: 12/27/2023

Authority: TNS

Plugin: ZTE_ROSNG

Revision: 1.5

Estimated Item Count: 52

File Details

Filename: Tenable-ZTE_ROSNG-Best-Practice-v1.0.0.audit

Size: 129 kB

MD5: 9f6cded649d0efb9084d25aa78c487e2
SHA256: 6dd5c7d8a1398fe0cd32e085257ec301cef0ac24db9a69cd49bb96b05eeb989d

Audit Changelog

 
Revision 1.5

Dec 27, 2023

Informational Update
  • 1.1 Secure Login and Telnet Disabling - Disable telnet server
  • 1.1 Secure Login and Telnet Disabling - Enable SSH server
  • 1.2 Password Security Policy - a) The default password length shouldn't be below 8 characters
  • 1.2 Password Security Policy - b) The password must include either three of 'number', 'capital', 'lowercase', 'special-character' or set the 'character-set-num' value to 3-4
  • 1.2 Password Security Policy - c) Configure 'strong-password dictionary' and 'same-consecutive' to avoid weak password - same-consecutive
  • 1.2 Password Security Policy - c) Configure 'strong-password dictionary' and 'same-consecutive' to avoid weak password - strong-password dictionary
  • 1.2 Password Security Policy - d) Check either of the following words exist in configuration file
  • 1.2 Password Security Policy - e) Check for strong-password max-length
  • 1.2 Password Security Policy - e) Check for strong-password max-length - strong-password date-check enable
  • 1.2 Password Security Policy - e) Check for strong-password max-length - strong-password username-related-chk inverse
  • 1.2 Password Security Policy - f) The validity period of an account can be configured
  • 1.3 Account Anti-riot Attack
  • 1.4 SNMP Security - a) SNMP Community Security
  • 1.4 SNMP Security - b) SNMP server
  • 1.4 SNMP Security - c) SNMP Security Protection Function
  • 1.5 FTP/SFTP Access Authorization
  • 1.5 FTP/SFTP Access Authorization - login-type-allowed
  • 1.5 FTP/SFTP Access Authorization - sftp top-directory
  • 1.6 Support Web Access Security - a) ciphersuite
  • 1.6 Support Web Access Security - b) ssl-context field
  • 1.6 Support Web Access Security - c) version
  • 1.7 Log Auditing
  • 1.8 SSH Strong Algorithm - a) Disable encryption none
  • 1.8 SSH Strong Algorithm - b) Disable encryption 3des-cbc
  • 1.8 SSH Strong Algorithm - c) Disable encryption aes128-cbc
  • 1.8 SSH Strong Algorithm - d) Disable encryption aes192-cbc
  • 1.8 SSH Strong Algorithm - e) Disable encryption aes256-cbc
  • 1.8 SSH Strong Algorithm - f) Disable encryption blowfish-cbc
  • 1.8 SSH Strong Algorithm - g) Disable hmac md5
  • 1.8 SSH Strong Algorithm - h) Disable hmac none
  • 1.8 SSH Strong Algorithm - i) Disable diffie-hellman group-exchange-sha1
  • 1.8 SSH Strong Algorithm - j) Disable diffie-hellman group1-sha1
  • 1.8 SSH Strong Algorithm - k) Disable hmac sha1
  • 1.9 SSL Strong Algorithm - a) Version
  • 1.9 SSL Strong Algorithm - b) ciphersuite
  • 1.9 SSL Strong Algorithm - c) pki-profile
  • 1.9 SSL Strong Algorithm - d) renegotiate
  • 2.1 Protection Policy for the CPS Control Engine
  • 2.2 NTP Security Protection - a) Enable NTP
  • 2.2 NTP Security Protection - b) NTP access-group
  • 2.2 NTP Security Protection - c) NTP Auth-key encrypted
  • 2.3 Disable the Proxy ARP Function - a) No proxy
  • 2.3 Disable the Proxy ARP Function - b) No inter-vlan-proxy
  • 2.3 Disable the Proxy ARP Function - c) No proxy local
  • 2.3 Disable the Proxy ARP Function - d) No local-proxy-arp
  • 2.4 Disable the IP Unreachable Function
  • 2.5 Product Default Banner
  • 3.1 Authentication and Verification of OSPF Routing Protocols - authentication message-digest
  • 3.1 Authentication and Verification of OSPF Routing Protocols - message-digest-key
  • 3.2 Authentication and Verification of ISIS Routing Protocols - authentication
  • 3.2 Authentication and Verification of ISIS Routing Protocols - authentication-type hmac-md5
  • 3.3 Authentication and Verification of BGP Routing Protocols
Miscellaneous
  • Metadata updated.

Revision 1.4

Dec 22, 2023

Miscellaneous
  • Metadata updated.

Revision 1.3

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.2

Apr 25, 2022

Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.1

Jun 25, 2021

Functional Update
  • 1.3 Account Anti-riot Attack
Informational Update
  • 1.1 Secure Login and Telnet Disabling - Disable telnet server
  • 1.1 Secure Login and Telnet Disabling - Enable SSH server
  • 1.3 Account Anti-riot Attack
  • 1.5 FTP/SFTP Access Authorization
  • 1.5 FTP/SFTP Access Authorization - login-type-allowed
  • 1.5 FTP/SFTP Access Authorization - sftp top-directory
  • 1.7 Log Auditing
  • 2.1 Protection Policy for the CPS Control Engine
  • 2.4 Disable the IP Unreachable Function
Miscellaneous
  • Metadata updated.
  • References updated.
Added
  • 1.2 Password Security Policy - a) The default password length shouldn't be below 8 characters
  • 1.2 Password Security Policy - b) The password must include either three of 'number', 'capital', 'lowercase', 'special-character' or set the 'character-set-num' value to 3-4
  • 1.2 Password Security Policy - c) Configure 'strong-password dictionary' and 'same-consecutive' to avoid weak password - same-consecutive
  • 1.2 Password Security Policy - c) Configure 'strong-password dictionary' and 'same-consecutive' to avoid weak password - strong-password dictionary
  • 1.2 Password Security Policy - d) Check either of the following words exist in configuration file
  • 1.2 Password Security Policy - e) Check for strong-password max-length
  • 1.2 Password Security Policy - e) Check for strong-password max-length - strong-password date-check enable
  • 1.2 Password Security Policy - e) Check for strong-password max-length - strong-password username-related-chk inverse
  • 1.2 Password Security Policy - f) The validity period of an account can be configured
  • 1.4 SNMP Security - a) SNMP Community Security
  • 1.4 SNMP Security - b) SNMP server
  • 1.4 SNMP Security - c) SNMP Security Protection Function
  • 1.6 Support Web Access Security - a) ciphersuite
  • 1.6 Support Web Access Security - b) ssl-context field
  • 1.6 Support Web Access Security - c) version
  • 1.8 SSH Strong Algorithm - a) Disable encryption none
  • 1.8 SSH Strong Algorithm - b) Disable encryption 3des-cbc
  • 1.8 SSH Strong Algorithm - c) Disable encryption aes128-cbc
  • 1.8 SSH Strong Algorithm - d) Disable encryption aes192-cbc
  • 1.8 SSH Strong Algorithm - e) Disable encryption aes256-cbc
  • 1.8 SSH Strong Algorithm - f) Disable encryption blowfish-cbc
  • 1.8 SSH Strong Algorithm - g) Disable hmac md5
  • 1.8 SSH Strong Algorithm - h) Disable hmac none
  • 1.8 SSH Strong Algorithm - i) Disable diffie-hellman group-exchange-sha1
  • 1.8 SSH Strong Algorithm - j) Disable diffie-hellman group1-sha1
  • 1.8 SSH Strong Algorithm - k) Disable hmac sha1
  • 1.9 SSL Strong Algorithm - a) Version
  • 1.9 SSL Strong Algorithm - b) ciphersuite
  • 1.9 SSL Strong Algorithm - c) pki-profile
  • 1.9 SSL Strong Algorithm - d) renegotiate
  • 2.2 NTP Security Protection - a) Enable NTP
  • 2.2 NTP Security Protection - b) NTP access-group
  • 2.2 NTP Security Protection - c) NTP Auth-key encrypted
  • 2.3 Disable the Proxy ARP Function - a) No proxy
  • 2.3 Disable the Proxy ARP Function - b) No inter-vlan-proxy
  • 2.3 Disable the Proxy ARP Function - c) No proxy local
  • 2.3 Disable the Proxy ARP Function - d) No local-proxy-arp
  • 2.5 Product Default Banner
  • 3.1 Authentication and Verification of OSPF Routing Protocols - authentication message-digest
  • 3.1 Authentication and Verification of OSPF Routing Protocols - message-digest-key
  • 3.2 Authentication and Verification of ISIS Routing Protocols - authentication
  • 3.2 Authentication and Verification of ISIS Routing Protocols - authentication-type hmac-md5
  • 3.3 Authentication and Verification of BGP Routing Protocols
Removed
  • 1.2 Password Security Policy - a) The default length is no less than 8 bytes
  • 1.2 Password Security Policy - b) Consist of digits, letters, and symbols
  • 1.2 Password Security Policy - c) Support check of simple passwords and weak passwords - strong-password dictionary
  • 1.2 Password Security Policy - c) Support check of simple passwords and weak passwords - strong-password same-consecutive
  • 1.2 Password Security Policy - d) Display password in cipher text
  • 1.2 Password Security Policy - d) Stores passwords in ciphertext in the system configuration file & e) When the login user views the system configuration, the password is displayed in cipher text
  • 1.2 Password Security Policy - g) The maximum password length is not restricted and is irrelevant to the username and date - strong-password date-check enable
  • 1.2 Password Security Policy - g) The maximum password length is not restricted and is irrelevant to the username and date - strong-password max-length
  • 1.2 Password Security Policy - g) The maximum password length is not restricted and is irrelevant to the username and date - strong-password username-related-chk inverse
  • 1.2 Password Security Policy - h) The validity period of an account can be configured
  • 1.4 SNMP Security - I) SNMP Community Security
  • 1.4 SNMP Security - II) SNMP server
  • 1.4 SNMP Security - III) SNMP Security Protection Function
  • 1.6 Support Web Access Security - I) ciphersuite
  • 1.6 Support Web Access Security - II) ssl-context field
  • 1.6 Support Web Access Security - III) version
  • 1.8 SSH Strong Algorithm - I) Disable encryption none
  • 1.8 SSH Strong Algorithm - II) Disable encryption 3des-cbc
  • 1.8 SSH Strong Algorithm - III) Disable encryption aes128-cbc
  • 1.8 SSH Strong Algorithm - IV) Disable encryption aes192-cbc
  • 1.8 SSH Strong Algorithm - IX) Disable diffie-hellman group-exchange-sha1
  • 1.8 SSH Strong Algorithm - V) Disable encryption aes256-cbc
  • 1.8 SSH Strong Algorithm - VI) Disable encryption blowfish-cbc
  • 1.8 SSH Strong Algorithm - VII) Disable hmac md5
  • 1.8 SSH Strong Algorithm - VIII) Disable hmac none
  • 1.8 SSH Strong Algorithm - X) Disable diffie-hellman group1-sha1
  • 1.8 SSH Strong Algorithm - XI) Disable hmac sha1
  • 1.9 SSL Strong Algorithm - I) Version
  • 1.9 SSL Strong Algorithm - II) ciphersuite
  • 1.9 SSL Strong Algorithm - III) pki-profile
  • 1.9 SSL Strong Algorithm - IV) renegotiate
  • 2.2 NTP Security Protection - I) Enable NTP
  • 2.2 NTP Security Protection - II) NTP access-group
  • 2.2 NTP Security Protection - III) NTP Auth-key encrypted
  • 2.3 Disable the Proxy ARP Function - I) No proxy
  • 2.3 Disable the Proxy ARP Function - II) No inter-vlan-proxy
  • 2.3 Disable the Proxy ARP Function - III) No proxy local
  • 2.3 Disable the Proxy ARP Function - IV) No local-proxy-arp
  • 2.6 Product Default Banner
  • 3.2 Authentication and Verification of OSPF Routing Protocols - message-digest-key
  • 3.3 Authentication and Verification of ISIS Routing Protocols
  • 3.3 Authentication and Verification of ISIS Routing Protocols - I) Authentication-type hmac-md5
  • 3.3 Authentication and Verification of ISIS Routing Protocols - I) Interface: Authentication-type hmac-md5
  • 3.3 Authentication and Verification of ISIS Routing Protocols - II) Authentication
  • 3.3 Authentication and Verification of ISIS Routing Protocols - II) Interface: Authentication
  • 3.4 Authentication and Verification of BGP Routing Protocols