800-53|SC-7(15)

Title

ROUTE PRIVILEGED NETWORK ACCESSES

Description

The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

Reference Item Details

Related: AC-2,AC-3,AU-2,SI-4

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device managementPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMPPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSHPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPSPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-classCiscoCIS Cisco NX-OS L2 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-classCiscoCIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACLCiscoCIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACLCiscoCIS Cisco NX-OS L2 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACLCiscoCIS Cisco NX-OS L1 v1.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-serverCiscoCIS Cisco NX-OS L1 v1.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - loggingCiscoCIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - loggingCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntpCiscoCIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntpCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server hostCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server hostCiscoCIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informsCiscoCIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informsCiscoCIS Cisco NX-OS L2 v1.0.0
2.3 Ensure that User-ID is only enabled for internal trusted interfacesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.3 Ensure that User-ID is only enabled for internal trusted interfacesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
3.1 Enable the Firewall Stealth RuleCheckPointCIS Check Point Firewall L2 v1.1.0
3.1.1 Ensure Caller ID is setJuniperCIS Juniper OS Benchmark v2.1.0 L1
3.1.2 Ensure access profile is set to use CHAPJuniperCIS Juniper OS Benchmark v2.1.0 L1
3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions.WindowsCIS Microsoft SharePoint 2019 OS v1.0.0
3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.WindowsCIS Microsoft SharePoint 2019 OS v1.0.0
3.5.2.6 Ensure nftables loopback traffic is configured - loUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
3.5.2.6 Ensure nftables loopback traffic is configured - loUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - forwardUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - forwardUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - inputUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - inputUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - outputUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - outputUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
5.1 Ensure Common SNMP Community Strings are NOT usedJuniperCIS Juniper OS Benchmark v2.1.0 L1
5.3 Ensure a client list is set for SNMPv1/v2 communitiesJuniperCIS Juniper OS Benchmark v2.1.0 L1
5.8 Ensure interface restrictions are set for SNMPJuniperCIS Juniper OS Benchmark v2.1.0 L1
5.9 Ensure SNMP is set to OOB management onlyJuniperCIS Juniper OS Benchmark v2.1.0 L2
6.10.2.6 Ensure Web-Management Interface Restriction is SetJuniperCIS Juniper OS Benchmark v2.1.0 L1
6.10.2.7 Ensure Web-Management Interface Restriction is set to OOB ManagementJuniperCIS Juniper OS Benchmark v2.1.0 L2
6.11 Ensure a route table for the public subnets is createdamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.12 Ensure a route table for the private subnets is createdamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.13 Ensure Routing Table associated with Web tier ELB subnet have the default route (0.0.0.0/0) defined to allow connectivityamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.14 Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivityamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.15 Ensure Routing Table associated with App tier subnet have the default route (0.0.0.0/0) defined to allow connectivityamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.16 Ensure Routing Table associated with Data tier subnet have NO default route (0.0.0.0/0) defined to allow connectivityamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
Authorized IP managersArubaOSArubaOS Switch 16.x Hardening Guide v1.0.0