800-53|SC-7(16)

Title

PREVENT DISCOVERY OF COMPONENTS / DEVICES

Description

The information system prevents discovery of specific system components composing a managed interface.

Supplemental

This control enhancement protects network addresses of information system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items


Name | Plugin | Audit Name
3.1.2 Set 'no ip proxy-arp' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.1.2 Set 'no ip proxy-arp' | Cisco | CIS Cisco IOS 17 L2 v1.0.0
3.1.4 Set 'ip verify unicast source reachable-via' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.1.4 Set 'ip verify unicast source reachable-via' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
7.2.5 Enable Ignore Broadcast Requests | Unix | CIS Debian Linux 7 L1 v1.0.0
7.2.5 Enable Ignore Broadcast Requests | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
7.2.6 Enable Bad Error Message Protection | Unix | CIS Debian Linux 7 L1 v1.0.0
7.2.6 Enable Bad Error Message Protection | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enable Firewall Stealth Mode | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enable Firewall Stealth Mode | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Ensure 'noproxyarp' is enabled for untrusted interfaces | Cisco_Firepower | Tenable Cisco Firepower Threat Defense Best Practices Audit
Ensure ICMP is restricted for untrusted interfaces | Cisco_Firepower | Tenable Cisco Firepower Threat Defense Best Practices Audit
Front panel security | ArubaOS | ArubaOS Switch 16.x Hardening Guide v1.0.0
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-171
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - All Profiles
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Low
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Low
Monterey - Enable Firewall Stealth Mode | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
NET-IPV6-004 - IPv6 Router Advertisements must be suppressed. | Cisco | DISA STIG Cisco Perimeter L3 Switch v8r32
NET-IPV6-004 - IPv6 Router Advertisements must be suppressed. | Cisco | DISA STIG Cisco Perimeter Router v8r32
NET-IPV6-004 - Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces. | Juniper | DISA STIG Juniper Perimeter Router V8R32
NET-IPV6-004 - Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces. | Cisco | DISA STIG Cisco Firewall v8r25
NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'no ipv6 redirects' | Cisco | DISA STIG Cisco Perimeter L3 Switch v8r32
NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'no ipv6 redirects' | Cisco | DISA STIG Cisco Perimeter Router v8r32
NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'no ipv6 unreachables' | Cisco | DISA STIG Cisco Perimeter L3 Switch v8r32
NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'no ipv6 unreachables' | Cisco | DISA STIG Cisco Perimeter Router v8r32
NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'Null0 - no ipv6 unreachables' | Cisco | DISA STIG Cisco Perimeter L3 Switch v8r32
NET-IPV6-016 - ICMPv6 unreachable notifications and redirects must be disabled - 'Null0 - no ipv6 unreachables' | Cisco | DISA STIG Cisco Perimeter Router v8r32
NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'ipv6 verify unicast source reachable-via rx OUTBOUND_TO_BACKBONE' | Cisco | DISA STIG Cisco Perimeter Router v8r32
NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'ipv6 verify unicast source reachable-via rx OUTBOUND_TO_BACKBONE' | Cisco | DISA STIG Cisco Infrastructure L3 Switch v8r29