800-53|SC-7(15)

Title

ROUTE PRIVILEGED NETWORK ACCESSES

Description

The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
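The control text above is a requirement, not a configuration. As an added example that is not part of the NIST text or any of the CIS benchmarks listed below, the following POSIX shell script shows what it looks like on a Linux host that uses nftables: SSH, HTTPS and SNMP are accepted only on a dedicated management interface and only from a management subnet, every other inbound packet is dropped by default, and both permitted and refused management attempts are logged so they can be audited. The interface name mgmt0, the management prefix 10.0.250.0/24 and the table name mgmt_boundary are assumptions chosen for the example. The second function audits an arbitrary ruleset (for example the output of `nft list ruleset`) for the two properties the control implies: a default-deny input chain, and no management port accepted except when bound to the management interface.

```shell
#!/bin/sh
# Added example: confine privileged (management) access to one dedicated
# interface with nftables, and audit a ruleset for that property.
# mgmt0 and 10.0.250.0/24 are assumptions for the example, not values from
# the control or the CIS benchmarks.

MGMT_IF="${MGMT_IF:-mgmt0}"            # assumed dedicated management interface
MGMT_NET="${MGMT_NET:-10.0.250.0/24}"  # assumed management subnet (jump hosts, NMS)

# Print the hardened ruleset. Load it with:  mgmt_ruleset | nft -f -
mgmt_ruleset() {
    cat <<EOF
table inet mgmt_boundary {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Privileged access only via the dedicated interface, only from the management net,
        # and logged so the audit trail shows who reached the management plane
        iifname "$MGMT_IF" ip saddr $MGMT_NET tcp dport { 22, 443 } log prefix "mgmt-access " accept
        iifname "$MGMT_IF" ip saddr $MGMT_NET udp dport 161 log prefix "mgmt-access " accept
        # Any attempt to reach a management service on another interface is logged and dropped
        tcp dport { 22, 443 } log prefix "mgmt-denied " drop
        udp dport 161 log prefix "mgmt-denied " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Audit a ruleset read from stdin (a file, or `nft list ruleset`).
# Returns 0 when the input chain is default-deny and every accept of a
# management port (22, 443, 161) is bound to the management interface;
# returns 1 and prints the finding otherwise.
audit_ruleset() {
    rules=$(cat)
    if ! printf '%s\n' "$rules" | grep -Eq 'hook input .*policy drop'; then
        echo "FAIL: input chain is not default-deny"
        return 1
    fi
    # Any accept of a management port whose rule does not name the mgmt interface is a finding
    if printf '%s\n' "$rules" | grep -E 'dport.*(22|443|161).*accept' | grep -Evq "iifname \"$MGMT_IF\""; then
        echo "FAIL: management service accepted outside $MGMT_IF"
        return 1
    fi
    echo "PASS: privileged access confined to $MGMT_IF"
    return 0
}
```

On a live host, `nft list ruleset | audit_ruleset` gives the check; the permit rules carry a `log prefix` so the kernel log records every management-plane connection, which is the auditing half of the control. Network devices express the same idea differently (a management VRF on Cisco NX-OS, `restrict` on a Junos SNMP community, a management profile with Permitted IP Addresses on PAN-OS), which is what the audit items below check for.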

Reference Item Details

Related: AC-2, AC-3, AU-2, SI-4

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

Name | Plugin | Audit Name
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-class | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.2.2 Restrict Access to VTY Sessions - line vty access-class | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACL | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.2.2 Restrict Access to VTY Sessions - VTY ACL | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - logging | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - ntp | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server host | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions - snmp-server traps/informs | Cisco | CIS Cisco NX-OS L2 v1.0.0
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
3.1 Enable the Firewall Stealth Rule | CheckPoint | CIS Check Point Firewall L2 v1.1.0
3.1.1 Ensure Caller ID is set | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
3.1.2 Ensure access profile is set to use CHAP | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions. | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
3.5.2.6 Ensure nftables loopback traffic is configured - lo | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.6 Ensure nftables loopback traffic is configured - lo | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - forward | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - forward | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - input | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - input | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - output | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
3.5.2.8 Ensure nftables default deny firewall policy - output | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
5.1 Ensure Common SNMP Community Strings are NOT used | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
5.3 Ensure a client list is set for SNMPv1/v2 communities | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
5.8 Ensure interface restrictions are set for SNMP | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
5.9 Ensure SNMP is set to OOB management only | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
6.10.2.6 Ensure Web-Management Interface Restriction is Set | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
6.10.2.7 Ensure Web-Management Interface Restriction is set to OOB Management | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
6.11 Ensure a route table for the public subnets is created | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.12 Ensure a route table for the private subnets is created | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.13 Ensure Routing Table associated with Web tier ELB subnet have the default route (0.0.0.0/0) defined to allow connectivity | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.14 Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.15 Ensure Routing Table associated with App tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.16 Ensure Routing Table associated with Data tier subnet have NO default route (0.0.0.0/0) defined to allow connectivity | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
Authorized IP managers | ArubaOS | ArubaOS Switch 16.x Hardening Guide v1.0.0