kriterion 0.0.1

data/standards/stig_network_devices.json

@@ -0,0 +1,389 @@
+{
+  "name": "stig_network_devices",
+  "date": "2018-02-27",
+  "description": "Network Devices Security Technical Implementation Guide",
+  "title": "Network Devices Security Technical Implementation Guide",
+  "version": "8",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-14646",
+      "title": "Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.",
+      "description": "Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of critical alerts.  Without this type of notification setup, logged audits and events could potentially fill to capacity, causing subsequent records to not be recorded and dropped without any knowledge by the administrative staff.  Other unintended consequences of filling the log storage to capacity may include a denial of service of the device itself without proper notification.",
+      "severity": "low"
+    },
+    {
+      "id": "V-14671",
+      "title": "Network devices must authenticate all NTP messages received from NTP servers and peers.",
+      "description": "Since NTP is used to ensure accurate log file time stamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. \n\nTwo NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka \"symmetric mode\"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers.\n\nA hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to its upstream NTP server, it will be able to choose time from one of its peers. \n\nThe NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It is not used to authenticate NTP clients because NTP servers do not care about the authenticity of their clients, as they never accept any time from them.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14717",
+      "title": "The network device must not allow SSH Version 1 to be used for administrative access.",
+      "description": "SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15433",
+      "title": "The IAO/NSO will ensure the AAA authentication method implements user authentication.",
+      "description": "Group accounts are not permitted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-15434",
+      "title": "The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.",
+      "description": "The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.",
+      "severity": "high"
+    },
+    {
+      "id": "V-17821",
+      "title": "The network devices OOBM interface must be configured with an OOBM network address.",
+      "description": "The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17822",
+      "title": "The network devices management interface must be configured with both an ingress and egress ACL.",
+      "description": "The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network device will be directly connected to the OOBM network.\n\nAn OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17840",
+      "title": "The communications server is not configured to use PPP encapsulation and PPP authentication EAP for the async or AUX port used for dial in. ",
+      "description": "A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17841",
+      "title": "The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication.",
+      "description": "A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.",
+      "severity": "low"
+    },
+    {
+      "id": "V-17842",
+      "title": "The communications server is not configured accept a callback request or in a secured mode so that it will not callback an unauthorized user.",
+      "description": "A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.",
+      "severity": "low"
+    },
+    {
+      "id": "V-17843",
+      "title": "The AAA server is not compliant with respective OS STIG.",
+      "description": "Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17844",
+      "title": "The AAA server is not configured with a unique key to be used for communication (i.e. RADIUS, TACACS+) with any client requesting authentication services.",
+      "description": "Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.",
+      "severity": "low"
+    },
+    {
+      "id": "V-17845",
+      "title": "An HIDS has not been implemented on the AAA server",
+      "description": "Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. An authentication server is very scalable as it supports many user accounts and authentication sessions with the network components. It is critical that the AAA server’s operating system is secured and other methods are used to ensure that the server is not compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17848",
+      "title": "The NTP server is not compliant with the OS STIG",
+      "description": "NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path. If the NTP server is not an appliance, it is critical that the system is secured by maintaining compliance with the appropriate OS STIG as well as implementing an HIDS. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-17849",
+      "title": "An HIDS has not been implemented on the NTP server.  ",
+      "description": "NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path. If the NTP server is not an appliance, it is critical that the system is secured by maintaining compliance with the appropriate OS STIG as well as implementing an HIDS. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-17850",
+      "title": "Two independent sources of time reference are not being utilized. ",
+      "description": "NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Hence, it is imperative  that at least two independent sources of time reference are used.",
+      "severity": "low"
+    },
+    {
+      "id": "V-17852",
+      "title": "The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server. ",
+      "description": "NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-17854",
+      "title": "The SNMP manager is not compliant with the OS STIG",
+      "description": "The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. IA measures must be implemented to mitigate the risk of the SNMP manager being compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17855",
+      "title": "An HIDS has not been implemented on the SNMP manager",
+      "description": "The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management.  In addition to the SNMP safeguards outlined in section 2, IA measures must be implemented to mitigate the risk of the SNMP manager being compromised.",
+      "severity": "low"
+    },
+    {
+      "id": "V-17856",
+      "title": "The SNMP manager is not connected to only the management network.",
+      "description": "The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management. To provide security through separation and isolation, the SNMP manager should only be connected to the management network. This enables the SNMP manager to provide management services to the managed devices using a secured as well as a preferred path.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17857",
+      "title": "SNMP messages are stored for a minimum of 30 days and then archived. ",
+      "description": "The SNMP manager provides the interface between the network management personnel and the managed network. On the other hand, the SNMP agent provides the interface between the manager and the device being managed. The manager is the collector of alarm information via SNMP traps as well as statistical and historical management information retrieved by polling the agents within the managed network. This information is vital for real time monitoring and alarm management as well as for strategic planning and performance management.",
+      "severity": "low"
+    },
+    {
+      "id": "V-18555",
+      "title": "The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.",
+      "description": "When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is mis-configured, logical separation of the production VLAN may not be assured.\n\nNon-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Non-trusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18558",
+      "title": "The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access.",
+      "description": "Devices having an IP address that do not pass authentication can be used to attack compliant devices if they share vlans. When devices proceed into the NAC AAA (radius) functions they must originate in the Unauthorized VLAN by default. If the device fails authentication it should be denied IP capability and movement to other dynamic VLANs used in the NAC process flow or moved to a VLAN that has limited capability such as a Guest VLAN with internet access, but without access to production assets.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-23747",
+      "title": "Network devices must use at least two NTP servers to synchronize time.",
+      "description": "Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.",
+      "severity": "low"
+    },
+    {
+      "id": "V-23749",
+      "title": "The IAO will ensure the syslog server is only connected to the management network.",
+      "description": "A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis.\n\nA malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-23750",
+      "title": "The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG.",
+      "description": "A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitates troubleshooting functions when problems are encountered and can assist in performing root cause analysis.\n\nA malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. Placing the syslog server on a separate subnet such as the management network isolated from general access and transient traffic will assist in reducing these risks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25883",
+      "title": "The NTP server is connected to a network other than the management network.",
+      "description": "NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. To provide security through separation and isolation, the NTP server should only be connected to the management network. This enables the NTP server to provide time to the managed devices using a secured as well as a preferred path.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25894",
+      "title": "The IAO will ensure all AAA authentication services are configured to use two-factor authentication .",
+      "description": "AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be incapacitated with only a few commands. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-25895",
+      "title": "The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.",
+      "description": "The foundation of a good security scheme in the network is the protection of the user interfaces of the networking devices from unauthorized access. Protecting access to the user interfaces on your network devices prevents unauthorized users from making configuration changes that can disrupt the stability of your network or compromise your network security.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25896",
+      "title": "The IAO will ensure the authentication server is connected to the management network.",
+      "description": "Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentication services for the management of network components. In order to control access to the servers as well as monitor traffic to them, the authentication servers should only be connected to the management network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-28784",
+      "title": "A service or feature that calls home to the vendor must be disabled.",
+      "description": "Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting.  The risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3008",
+      "title": "The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network.",
+      "description": "Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premise of the managed networks and at the NOC.  Dedicated links can be deployed using provisioned circuits (ATM, Frame Relay, SONET, T-carrier, and others or VPN technologies such as subscribing to MPLS Layer 2 and Layer 3 VPN services) or implementing a secured path with gateway-to-gateway IPsec tunnel.  The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3012",
+      "title": "Network devices must be password protected.",
+      "description": "Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device providing opportunity for intruders to compromise resources within the network infrastructure.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3013",
+      "title": "Network devices must display the DoD-approved logon banner warning.",
+      "description": "All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed.\n\nDoD CIO has issued new, mandatory policy standardizing the wording of \"notice and consent\" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, \"Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement\", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3014",
+      "title": "The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.",
+      "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network device and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device as well as reduce the risk of a management session from being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3031",
+      "title": "The syslog administrator will configure the syslog sever to collect syslog messages from levels 0 through 6.",
+      "description": "Logging is a critical part of router security.  Maintaining an audit trail of system activity can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-3046",
+      "title": "The IAO/NSO will ensure that security alarms are set up within the managed network's framework.  At a minimum, these will include the following:\n\t\n-  Integrity Violation:  Indicates that network contents or objects have been illegally modified, deleted, or added.\n\n-  Operational Violation:  Indicates that a desired object or service could not be used.\n\n-  Physical Violation:  Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization.\n\n-  Security Mechanism Violation:  Indicates that the network's security system has been compromised or breached.\n\n-  Time Domain Violation:  Indicates that an event has happened outside its allowed or typical time slot.\n",
+      "description": "Without the proper categories of security alarms being defined on the NMS, responding to critical outages or attacks on the network may not be coordinated correctly with the right personnel, hardware, software or vendor maintenance.   Delays will inevitably occur which will cause network outages to last longer than necessary or expose the network to larger, more extensive attacks or outages.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-3047",
+      "title": "The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines:\n\t\n-  Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely.\n\n-  A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely.\n\n-  A minor alarm indicates a problem that does not yet affect service, but may do so if the problem is not corrected.\n\n-  A warning alarm is used to signal a potential problem that may affect service.\n\n-  An indeterminate alarm is one that requires human intervention to decide its severity.\n",
+      "description": "Without the proper categories of severity levels being defined on the NMS, outages or attacks may not be responded to by order of criticality. If a critical attack or outage is not responded to first, then there will be a delay in fixing the problem, which may cause network outages to last longer than necessary or expose the network to larger more extensive attacks or outages.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-3050",
+      "title": "The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station.\n\nNOTE:  Include time logged in and out, devices that were accessed and modified, and other activities performed.\n",
+      "description": "Logging is a critical part of network security.  Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.  Audit logs are also necessary to provide a trail of evidence in case the network is compromised.  Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely.  With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.   \n  \n",
+      "severity": "low"
+    },
+    {
+      "id": "V-3051",
+      "title": "The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual userids and passwords.",
+      "description": "If unauthorized users gain access to the NMS they could change device configurations and SNMP variables that can cause disruptions and even denial of service conditions.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3056",
+      "title": "Group accounts must not be configured for use on the network device.",
+      "description": "Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account.  If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device.  Having group accounts does not allow for proper auditing of who is accessing or changing the network.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3057",
+      "title": "Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.",
+      "description": "By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3058",
+      "title": "Unauthorized accounts must not be configured for access to the network device.",
+      "description": "A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use.  The unauthorized account may be a temporary or inactive account that is no longer needed to access the device.  Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3069",
+      "title": "Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.",
+      "description": "Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information.  With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3070",
+      "title": "Network devices must log all attempts to establish a management connection for administrative access.",
+      "description": "Audit logs are necessary to provide a trail of evidence in case the network is compromised.  Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely.  With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.",
+      "severity": "low"
+    },
+    {
+      "id": "V-3143",
+      "title": "Network devices must not have any default manufacturer passwords.",
+      "description": "Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well-known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3160",
+      "title": "Network devices must be running a current and supported operating system with all IAVMs addressed.",
+      "description": "Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3175",
+      "title": "The network device must require authentication prior to establishing a management connection for administrative access.",
+      "description": "Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3184",
+      "title": "The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs.",
+      "description": "Without a formal personnel approval process, unauthorized users may gain access to critical DoD systems. It is imperitive that only the required access to the required systems and information be provided to each individual.\n\nThe lack of a password protection for communications devices provides anyone access to the device, which opens a backdoor opportunity for intruders to attack and manipulate or compromise network resources. Vendors often assign default passwords to communication devices.  These default passwords are well known to the hacker community and are extremely dangerous if left unchanged.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3196",
+      "title": "The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.",
+      "description": "SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3210",
+      "title": "The network device must not use the default or well-known SNMP community strings public and private.",
+      "description": "Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network device using the read community string \"public\". In addition, an attacker can change a system configuration using the write community string \"private\".",
+      "severity": "high"
+    },
+    {
+      "id": "V-3966",
+      "title": "In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.",
+      "description": "Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or local account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3967",
+      "title": "The network devices must time out access to the console port at 10 minutes or less of inactivity.",
+      "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3982",
+      "title": "L2TP must not pass into the private network of an enclave.",
+      "description": "Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by the capability to define vender-specific parameters beyond those defined in the L2TP specifications.\n\nThe endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC) in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach his home network or ISP from a remote location. The remote access user either dials (or otherwise connects via layer 2) to a LAC device which tunnels his connection home to an awaiting LNS. The LAC could also be located on the remote user's laptop which connects to an LNS at home using some generic internet connection. The other reference models may be used for more obscure scenarios.\n\nAlthough the L2TP protocol does not contain encryption capability, it can be operated over IPSEC which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. Secondly, the outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Thirdly, since the LNS provides the remote user with a dynamic IP address to use, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior to divulging an acceptable IP address. As a result of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario.\n\nIn addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular: \n\n1) L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only, are less defended, and not as well-known \n2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead\n3) L2TP is highly complex and variable (vender-specific variability) and therefore would be a viable target that is difficult to defend. It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised.\n4) Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task.\n5) Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required, therefore bringing it inside doesn't save resources.\n\nTherefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-4582",
+      "title": "The network device must require authentication for console access.",
+      "description": "Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.",
+      "severity": "high"
+    },
+    {
+      "id": "V-4613",
+      "title": "All in-band sessions to the NMS must be secured using FIPS 140-2 approved encryption and hashing algorithms.",
+      "description": "Without the use of FIPS 140-2 encryption to in-band management connections, unauthorized users may gain access to the NMS enabling them to change device configurations and SNMP variables that can cause disruptions and even denial of service conditions.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-5611",
+      "title": "The network devices must only allow management connections for administrative access from hosts residing in the management network.",
+      "description": "Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-5612",
+      "title": "The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.",
+      "description": "An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-5613",
+      "title": "The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.",
+      "description": "An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-5644",
+      "title": "The TFTP server used to store network element configurations and images must be only connected to the management network.",
+      "description": "TFTP that contains network element configurations and images must only be connected to the management network to enforce restricted and limited access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-5646",
+      "title": "The network device must drop half-open TCP connections through filtering thresholds or timeout periods.",
+      "description": "A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator.\n\nAn attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7011",
+      "title": "The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.",
+      "description": "The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network.  Additional war dial attacks on the device could degrade the device and the production network.\n\nSecured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place.  The modem will provide full encryption capability (Triple DES) or stronger.  The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.).  The token provides a method of strong (two-factor) user authentication.  The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals.  The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.",
+      "severity": "low"
+    },
+    {
+      "id": "V-7542",
+      "title": "The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.",
+      "description": "EAP methods/types are continually being proposed, however, the three being considered secure are \nEAP-TLS, EAP-TTLS, and PEAP.\n\nPEAP is the preferred EAP type to be used in DoD because of its ability to support a greater number of operating systems and its capability to transmit statement of health information, per NSA NAC study.\n\nLightweight EAP (LEAP) is a CISCO proprietary protocol providing an easy-to-deploy one password authentication. LEAP is vulnerable to dictionary attacks. A \"man in the middle\" can capture traffic, identify a password, and then use it to access a WLAN. LEAP is inappropriate and does not provide sufficient security for use on DOD networks.\n\nEAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DOD networks.\n",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_network_infrastructure_policy.json

@@ -0,0 +1,455 @@
+{
+  "name": "stig_network_infrastructure_policy",
+  "date": "2017-12-07",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "Network Infrastructure Policy Security Technical Implementation Guide",
+  "version": "9",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-11796",
+      "title": "A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.",
+      "description": "To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter.  Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary.\n\nApplications, protocols, TCP/UDP ports, and endpoints (specific hosts or networks) are identified and used to develop rulesets and access control lists to restrict traffic to and from an enclave.",
+      "severity": "high"
+    },
+    {
+      "id": "V-12072",
+      "title": "Unclassified wireless devices must not be allowed in a Sensitive Compartmented Information Facility (SCIF) unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive (ICD) 503, ICD 705, DIA SCIF policy requirements, the Authorizing Official (AO) and local Special Security officer (SSO).",
+      "description": "Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.",
+      "severity": "high"
+    },
+    {
+      "id": "V-12101",
+      "title": "All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).",
+      "description": "The ISSM will ensure Releasable Local Area Network (REL LAN) environments are documented in the SSAA.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-12102",
+      "title": "Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.",
+      "description": "The ISSM will ensure Releasable Local Area Network (REL LAN) reviews are performed annually.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-12106",
+      "title": "Unclassified wireless devices must not be operated in Secure Spaces (as defined in DoDI 8420.01) unless required conditions are followed.",
+      "description": "The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed.  Sites should post signs and train users to this requirement to mitigate this vulnerability.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14634",
+      "title": "If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router.",
+      "description": "The incorrect placement of the external IDPS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In order to ensure that an attempted or existing attack goes unnoticed, the data from the sensors must be monitored continuously.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14638",
+      "title": "All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ).",
+      "description": "Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN.  This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14640",
+      "title": "All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.",
+      "description": "Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN.  This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14642",
+      "title": "The organization must implement a deep packet inspection solution when protecting perimeter boundaries.",
+      "description": "Deep packet inspection (DPI) examines the packet beyond the Layer 4 header by examining the payload to identify the application or service. DPI searches for illegal statements, predefined criteria, malformed packets, and malicious code, thereby enabling the IA appliances to make a more informed decision on whether to allow or not allow the packet through. DPI engines can delve into application centric information to allow different applications to be protected in different ways from different threats. Examples of DPI appliances include next-generation firewalls, application layer gateways as well as specific gateways for web, email and SSL traffic.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14716",
+      "title": "An Out-of-Band (OOB) management network must be deployed for MAC I systems or 24x7 personnel must have console access for device management.",
+      "description": "From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band network. The biggest advantage to implementation of an OOB network is providing support and maintenance to the network that has become degraded or compromised.  During an outage or degradation period the in band management link may not be available.  The consequences of loss of availability of a MAC I system is unacceptable and could include the immediate and sustained loss of mission effectiveness.  Mission Assurance Category I systems require the most stringent protection measures.  Maintenance support for key IT assets must be available to respond 24x7 immediately upon failure.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14723",
+      "title": "Two-factor authentication must be implemented to restrict access to all network elements.",
+      "description": "Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices compromised, large parts of the network could be incapacitated with only a few commands.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14737",
+      "title": "Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network.",
+      "description": "Allowing encapsulated traffic to bypass the enclave's network perimeter without being filtered and inspected leaves the enclave vulnerable to malicious traffic that could result in compromise and denial of service. The destination of these packets could be servers that provide mission critical services and data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14738",
+      "title": "Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.",
+      "description": "CJCSI 6211.02E instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A document all IP tunnels transporting classified communication traffic in the enclave’s security authorization package prior to implementation. An ATC or IATC amending the current connection approval must be in place prior to implementation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14740",
+      "title": "DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure.",
+      "description": "CJCSI 6211.02E instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A obtain DSAWG approval before tunneling classified data outside component’s local area network boundaries across a non-DISN or OCONUS DISN unclassified IP-wide area transport infrastructure.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14741",
+      "title": "Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.",
+      "description": "Having a circuit provisioned that connects the SIPRNet enclave to a non-DoD, foreign, or contractor network puts the enclave and the entire SIPRNet at risk. If the termination point is not operated by the government, there is no control to ensure that the network element at the remote facility is not compromised or connected to another network.",
+      "severity": "high"
+    },
+    {
+      "id": "V-14742",
+      "title": "Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC  amending the connection approval received prior to implementation.",
+      "description": "Any exception to use SIPRNet must be documented in an update to the enclave’s accreditation package and an Authority to Connect (ATC) or Interim ATC  amending the connection approval received prior to implementation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14743",
+      "title": "Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15.",
+      "description": "When transporting classified data over an unclassified IP network, it is imperative that traffic from the classified enclave or community of interest is encrypted prior reaching the point of presence or service delivery node of the unclassified network. Confidentiality and integrity of the classified traffic must be preserved by employing cryptographic algorithms in accordance with CNSS Policy No. 15 which requires the appropriate Suite B cryptographic algorithms listed in ANNEX B or a commensurate suite of NSA-approved cryptographic algorithms.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-14745",
+      "title": "VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.",
+      "description": "When transporting classified data over an unclassified IP network, it is imperative that the network elements deployed to provision the encrypted tunnels are located in a facility authorized to process the data at the proper classification level.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17772",
+      "title": "A dedicated management network must be implemented.",
+      "description": "To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block that will enable the management network to scale in proportion to the managed network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17860",
+      "title": "Two Network Time Protocol (NTP) servers must be deployed in the management network.",
+      "description": "NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. \n\nWhere possible, deploy multiple gateways with diverse paths to the NTP servers. An alternative design is to have one server connected to a reference clock and the other server reference an external stratum-1 server. With this scenario, the NTP clients should be configured to prefer the stratum-1 server over the stratum-2 server.\n\nThe NTP servers should be configured to easily scale by creating a hierarchy of lower level (stratum-2 to stratum-15) servers to accommodate the workload. The width and depth of the hierarchy is dependent on the number of NTP clients as well as the amount of redundancy that is required.",
+      "severity": "low"
+    },
+    {
+      "id": "V-18490",
+      "title": "An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.",
+      "description": "The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18492",
+      "title": "An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.",
+      "description": "Attacks can originate within the enclave boundary. Hence, deploying an IDPS on the network segment hosting web, application, and database servers is imperative. The servers are critical resource and the network segment hosting them will receive the most traffic within the enclave.  Deploying IDPS on this network is promotes defense-in-depth principles that will enable operations to detect attacks quickly and take corrective actions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18493",
+      "title": "An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.",
+      "description": "The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18496",
+      "title": "Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.",
+      "description": "User interface services must be physically or logically separated from data storage and management services. Data from IDS sensors must be protected by confidentiality controls; from being lost and altered.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18497",
+      "title": "Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.",
+      "description": "All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in transit from the agent to the management or database servers located on the Network Management subnet.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18504",
+      "title": "Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.",
+      "description": "Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically as needed to support accurate detection. \n\nThe ISSM is required to have the enclave prepared for readiness by raising INFOCON levels prior to an activity to ensure the network is as ready as possible when the operation or exercise begins. Because system and network administrators implement many of the INFOCON measures over a period of time in a pre-determined operational rhythm, commanders should raise INFOCON levels early enough to ensure completion of at least one cycle before the operational activity begins.  \n\nRecommendations for possible INFOCON changes should be written into Operation Plans (OPLAN) and Concept Plans (CONPLAN). Guidelines can be found in Strategic Command Directive (SD) 527-1.",
+      "severity": "low"
+    },
+    {
+      "id": "V-18506",
+      "title": "If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.",
+      "description": "In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated SFTP server within the management network. The SFTP server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the SFTP server periodically to look for the new signature packs and to update themselves once they have been tested.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18507",
+      "title": "If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.",
+      "description": "In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated secure file server within the management network. The file server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the secure file server periodically to look for the new signature packs and to update themselves.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18510",
+      "title": "The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.",
+      "description": "There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., reducing false positives). For many IDPSs, signature updates cause program code to be altered or replaced, so they are really a specialized form of software update. For other IDPSs, signatures are not written in code, so a signature update is a change to the configuration data for the IDPS. \n\nSoftware updates can include any or all IDPS components, including sensors, agents, management servers, and consoles. Software updates for sensors and management servers, particularly appliance-based devices, are often applied by replacing an existing IDPS CD with a new one and rebooting the device. Many IDPSs run the software directly from the CD, so that no software installation is required. Other components, such as agents, require an administrator to install software or apply patches, either manually on each host or automatically through IDPS management software. Some vendors make software and signature updates available for download from their Web sites or other servers; often, the administrator interfaces for IDPSs have features for downloading and installing such updates. \n\nAdministrators should verify the integrity of updates before applying them, because updates could have been inadvertently or intentionally altered or replaced. The recommended verification method depends on the update’s format, as follows:\n\nFiles downloaded from a Web site or FTP site. Administrators should compare file checksums provided by the vendor with checksums that they compute for the downloaded files. \n\nUpdate downloaded automatically through the IDPS user interface. If an update is downloaded as a single file or a set of files, either checksums provided by the vendor should be compared to checksums generated by the administrator, or the IDPS user interface itself should perform some sort of integrity check. In some cases, updates might be downloaded and installed as one action, precluding checksum verification; the IDPS user interface should check each update’s integrity as part of this. \n\nRemovable media (e.g., CD, DVD). Vendors may not provide a specific method for customers to verify the legitimacy of removable media apparently sent by the vendors. If media verification is a concern, administrators should contact their vendors to determine how the media can be verified, such as comparing vendor-provided checksums to checksums computed for files on the media, or verifying digital signatures on the media’s contents to ensure they are valid. Administrators should also consider scanning the media for malware, with the caveat that false positives might be triggered by IDPS signatures for malware on the media.",
+      "severity": "low"
+    },
+    {
+      "id": "V-18511",
+      "title": "The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.",
+      "description": "There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., reducing false positives). For many IDPSs, signature updates cause program code to be altered or replaced, so they are really a specialized form of software update. For other IDPSs, signatures are not written in code, so a signature update is a change to the configuration data for the IDPS. \n\nSoftware updates can include any or all IDPS components, including sensors, agents, management servers, and consoles. Software updates for sensors and management servers, particularly appliance-based devices, are often applied by replacing an existing IDPS CD with a new one and rebooting the device. Many IDPSs run the software directly from the CD, so that no software installation is required. Other components, such as agents, require an administrator to install software or apply patches, either manually on each host or automatically through IDPS management software. Some vendors make software and signature updates available for download from their Web sites or other servers; often, the administrator interfaces for IDPSs have features for downloading and installing such updates. \n\nAdministrators should verify the integrity of updates before applying them, because updates could have been inadvertently or intentionally altered or replaced. The recommended verification method depends on the update’s format, as follows:\n\nFiles downloaded from a Web site or FTP site. Administrators should compare file checksums provided by the vendor with checksums that they compute for the downloaded files. \n\nUpdate downloaded automatically through the IDPS user interface. If an update is downloaded as a single file or a set of files, either checksums provided by the vendor should be compared to checksums generated by the administrator, or the IDPS user interface itself should perform some sort of integrity check. In some cases, updates might be downloaded and installed as one action, precluding checksum verification; the IDPS user interface should check each update’s integrity as part of this. \n\nRemovable media (e.g., CD, DVD). Vendors may not provide a specific method for customers to verify the legitimacy of removable media apparently sent by the vendors. If media verification is a concern, administrators should contact their vendors to determine how the media can be verified, such as comparing vendor-provided checksums to checksums computed for files on the media, or verifying digital signatures on the media’s contents to ensure they are valid. Administrators should also consider scanning the media for malware, with the caveat that false positives might be triggered by IDPS signatures for malware on the media.",
+      "severity": "low"
+    },
+    {
+      "id": "V-18596",
+      "title": "The site must conduct continuous wireless Intrusion Detection System (IDS) scanning.",
+      "description": "DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19900",
+      "title": "The cryptography implemented by the Wireless Local Area Network (WLAN) components must be FIPS 140-2 validated.",
+      "description": "Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-23735",
+      "title": "The organization must encrypt all network device configurations while stored offline.",
+      "description": "If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network.  Users connected directly to the switch or router will be without service for a longer than acceptable time. Encrypting the configuration stored offline protects the data at rest and provides additional security to prevent tampering and potentially cause a network outage if the configuration were to be put into service.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25319",
+      "title": "DoD Components providing Internet-only guest access must use separate WLAN or logical segmentation of the host WLAN (e.g., separate service set identifier (SSID) and virtual LAN) or DoD network.",
+      "description": "If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack.  If the access point or its supporting authentication server is placed behind the perimeter firewall (on the internal network), then any breach of these devices could lead to attacks on other DoD information systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30255",
+      "title": "The Wireless Local Area Network (WLAN) must be Wi-Fi Protected Access 2 (WPA2)-Enterprise certified by the Wi-Fi Alliance.",
+      "description": "The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP.  If the equipment has not been WPA-Enterprise certified, then the equipment may not have the required security functionality to protect DoD networks and information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-31632",
+      "title": "All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).",
+      "description": "If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resources. Allowing subscribers onto the network whose IP addresses are not registered with the .Mil NIC may allow unauthorized users access into the network. These unauthorized users could then monitor the network, steal passwords, and access classified information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-31637",
+      "title": "Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.",
+      "description": "The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of NAT and private IP address space inhibits the view of specialized DISN enterprise tools in tracking client level enclave to enclave traffic, monitoring client use of enterprise level application services, and detecting anomalies and potential malicious attacks in SIPRNet client application traffic flows. Enclave nodes that communicate outside the organization’s enclave to other SIPRNet enclaves or enterprise services cannot use NATd private addresses via an enclave proxy without the permission of the SIPRNet DISN Authorizing Official, the DISA AO.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-33831",
+      "title": "A policy must be implemented to keep Bogon/Martian rulesets up to date.",
+      "description": "A Bogon route or Martian address is a type of packet that should never be routed inbound through the perimeter device.  Bogon routes and Martian addresses are commonly found as the source addresses of DDoS attacks.  By not having a policy implemented to keep these addresses up to date, the enclave will run the risk of allowing illegitimate traffic into the enclave or even blocking legitimate traffic.  Also, if there are rulesets with \"any\" as the source address then Bogons/Martians must be applied.\n\nBogons and Martian addresses can be kept up to date routinely checking the IANA website or creating an account with Team Cymru to retrieve these lists in one of many ways.\n\nhttp://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml\nhttp://www.team-cymru.org/Services/Bogons/",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66349",
+      "title": "Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.",
+      "description": "Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be established between the two sites prior to connecting with each other.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66351",
+      "title": "Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year.",
+      "description": "Logging is a critical part of router security.  Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66353",
+      "title": "Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.",
+      "description": "Spoofed TCP segments could be introduced into the connection streams for LDP sessions used to build LSPs. By configuring strict authentication between LSR peers, LDP TCP sessions can be restricted and the integrity of LSPs can be guarded using the TCP MD5 Signature Option. The LSR ignores LDP Hellos from any LSR for which a password has not been configured. This ensures that the LSR establishes LDP TCP connections only with LSRs for which the shared secret has been configured. RSVP messages are used to control resource reservations for MPLS TE tunnels inside the MPLS core. The RSVP message authentication permits neighbors to use a secure hash to digitally sign all RSVP signaling messages, thus allowing the receiver of an RSVP message to verify the sender. By protecting against corruption and spoofing of RSVP messages, the integrity of the LSPs for bandwidth provisioning, path setup, and path teardown is maintained.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66355",
+      "title": "Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.",
+      "description": "MPLS label exchange via Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP) with any external neighbor creates the risk of label spoofing that could disrupt optimum routing, or even drop packets that are encapsulated with a label that is not in the MPLS forwarding table.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66357",
+      "title": "Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.",
+      "description": "Packet loss can occur when an IGP adjacency is established and the router begins forwarding packets using the new adjacency before the LDP label exchange completes between the peers on that link. Packet loss can also occur if an LDP session closes and the router continues to forward traffic using the link associated with the LDP peer rather than an alternate pathway with a fully synchronized LDP session. The MPLS LDP-IGP Synchronization feature provides a means to synchronize LDP with OSPF or IS-IS to minimize MPLS packet loss. When an IGP adjacency is established on a link but LDP-IGP synchronization is not yet achieved or is lost, the IGP will advertise the max-metric on that link.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66359",
+      "title": "VLAN Trunk Protocol (VTP) messages must be authenticated with a hash function using the most secured cryptographic algorithm available.",
+      "description": "VLAN Trunk Protocol (VTP) provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown MAC, broadcast, multicast) from being sent down trunk links when not needed, that is, there are no access switch ports in neighboring switches belonging to such VLANs. An attack can force a digest change for the VTP domain enabling a rogue device to become the VTP server, which could allow unauthorized access to previously blocked VLANs or allow the addition of unauthorized switches into the domain. Authenticating VTP messages with a cryptographic hash function can reduce the risk of the VTP domain's being compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66361",
+      "title": "Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.",
+      "description": "Spanning Tree Protocol (STP) is implemented on bridges and switches to prevent Layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to provide high availability in case of link failures. Convergence time can be significantly reduced using Rapid STP (802.1w) instead of STP (802.1d), resulting in improved availability. Rapid STP should be deployed by implementing either Rapid Per-VLAN-Spanning-Tree (Rapid-PVST) or Multiple Spanning-Tree Protocol (MSTP), the later scales much better when there are many VLANs.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66363",
+      "title": "A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.",
+      "description": "Different applications have unique requirements and toleration levels for delay, jitter, packet loss, and availability. To manage the multitude of applications and services, a network requires a Quality of Service (QoS) framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a service policy. Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented to guarantee the required bandwidth for control plane traffic and C2 real-time services during periods of congestion within the JIE WAN IP network.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66365",
+      "title": "Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.",
+      "description": "PIM is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM operates independent of any particular IP routing protocol but makes use of the IP unicast routing table--PIM does not keep a separate multicast routing table. The multicast tree is built by first allowing a flood of traffic from the source to every dense mode router in the network. For a brief time, unnecessary traffic is allowed. As each router receives traffic for the group, it will decide whether it has active recipients wanting to receive the multicast data. If so, the router will let the flow continue. If no hosts have registered for the multicast group, the router sends a prune message to its neighbor toward the source. That branch of the tree is then pruned off so that the unnecessary traffic does not continue. Dense mode is viewed as a \"flood and prune\" implementation. With PIM Sparse Mode (PIM-SM), the multicast tree is not extended to a router unless a local host has already joined the group. The multicast tree is built by beginning with group members at the end leaf nodes and extending back toward a central root point--the tree is built from the bottom up. In either case, if an interface is not going to be supporting any of the multicast traffic--that is, join a multicast tree, PIM should be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66367",
+      "title": "A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.",
+      "description": "Protocol Independent Multicast (PIM) is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66369",
+      "title": "The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.",
+      "description": "A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out of the IP core. The multicast boundary can be created by ensuring that COI-facing interfaces on all PIM routers are configured to block inbound and outbound administratively-scoped multicast traffic.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66371",
+      "title": "The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.",
+      "description": "With static RP, the RP address for any multicast group must be consistent across all routers in a multicast domain. A static configuration is simple and convenient. However, if the statically defined RP router becomes unreachable, there is no automatic failover to another RP router. Auto-RP distributes information to routers as to which RP address must be used for various multicast groups. Auto-RP eliminates inconsistencies and enables scalability and automatic failover. All PIM-enabled routers join the RP discovery group (224.0.1.40), which allows them to receive all group-to-RP mapping information. This information is distributed by an entity called RP mapping agent. Mapping agents themselves join the RP announce group (224.0.1.39). All candidate RPs advertise themselves periodically using the RP announce group address. The mapping agent listens to all RP candidate announcements and determines which routers will be used for each multicast group. It then advertises the RP and its associate multicast groups to all PIM routers in the network using an RP discovery message. Auto-RP announcement and discovery messages provide information (i.e., IP addresses of the RP candidates, multicast groups, etc.) vital to the multicast domain and should not be leaked out of the multicast domain. Using this information, a malicious user could disrupt multicast services by attacking the RP or flooding bogus traffic destined to the learned multicast groups.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66373",
+      "title": "Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.",
+      "description": "Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree structure by establishing a peering session with an RP router. Both of these implementations expose several risks that must be mitigated to provide a secured IP core network. All RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block multicast registration requests for reserved or any other undesirable multicast groups.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66375",
+      "title": "Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.",
+      "description": "Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree structure by establishing a peering session with an RP router. Both of these implementations expose several risks that must be mitigated to provide a secure IP core network. All RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block multicast join requests for reserved or any other undesirable multicast groups.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66379",
+      "title": "Multicast register messages must be rate limited per each source-group (S, G) entry.",
+      "description": "When a new source starts transmitting in a PIM Sparse Mode network, the DR will encapsulate the multicast packets into register messages and forward them to the Rendezvous Point (RP) using unicast. This process can be taxing on the CPU for both the DR and the RP if the source is running at a high data rate and there are many new sources starting at the same time. This scenario can potentially occur immediately after a network failover. The rate limit for the number of register messages should be set to a relatively low value based on the known number of multicast sources within the multicast domain.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66381",
+      "title": "Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.",
+      "description": "Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (e.g., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups that hosts are allowed to join via IGMP (IPv4) or MLD (IPv6).",
+      "severity": "low"
+    },
+    {
+      "id": "V-66389",
+      "title": "The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.",
+      "description": "The current multicast paradigm can let any host join any multicast group at any time by sending an Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership report to the Designated Router (DR). In a PIM Sparse Mode network, the DR will send a PIM Join message for the group to the Rendezvous Point (RP). Without any form of admission control, this can pose a security risk to the entire multicast domain, specifically the multicast routers along the shared tree from the DR to the RP that must maintain the mroute state information for each group join request. Hence, it is imperative that the DR is configured to limit the number of mroute state information that must be maintained to mitigate the risk of IGMP (IPv4) or MLD (IPv6) flooding.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66391",
+      "title": "The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.",
+      "description": "Any Source Multicast (ASM) can have many sources for the same groups (many-to-many). For many receivers, the path via the Rendezvous Point (RP) may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific shortest-path tree (SPT) to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) PIM Join towards S (the source). When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message towards the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-66393",
+      "title": "Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.",
+      "description": "The last-hop router sends the multicast packet out the interface towards the LAN containing interested receivers. The default behavior for a Layer 2 switch is to forward all multicast traffic out every access switch port that belongs to the VLAN. IGMP snooping is a mechanism used by \"Layer 3 aware\" switches to maintain a Layer 2 multicast table by examining all IGMP join and leave messages (destined to the all router's multicast address 224.0.0.2) sent between hosts and the multicast routers on the LAN. This will enable the switch to only forward multicast packets out the access switch ports that have connected hosts that have subscribed to the multicast group, thereby reducing the load on the switching backplane as well as eliminating unwanted traffic to uninterested hosts.",
+      "severity": "low"
+    },
+    {
+      "id": "V-66397",
+      "title": "First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.",
+      "description": "The Layer 2 connection between the nodes providing first-hop redundancy comes up quickly. If the preemption takes effect prior to the routing protocol converging, traffic is black holed. Traffic will go to the active router that does not have full routing information. It may take several seconds for the IGP to exchange all the routes, longer than the Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), or Gateway Load Balancing Protocol (GLPB) transition. The recommended practice is to delay the preemption action until after the IGP has a chance to stabilize.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8046",
+      "title": "Network topology diagrams for the enclave must be maintained and up to date at all times.",
+      "description": "To assist in the management, auditing, and security of the network infrastructure facility drawings and topology maps are a necessity.  Topology maps are important because they show the overall layout of the network infrastructure and where devices are physically located.  They also show the relationship and interconnectivity between devices and where possible intrusive attacks could take place.  Having up to date network topology diagrams will also help show what the security, traffic, and physical impact of adding a new user(s) will be on the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8047",
+      "title": "All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.",
+      "description": "Every site must have a security policy to address filtering of the traffic to and from those connections.  This documentation along with diagrams of the network topology is required to be submitted to the Connection Approval Process (CAP) for approval to connect to the NIPRNet or SIPRNet.  SIPRNet connections must also comply with the documentation required by the Classified Connection Approval Office (CCAO) to receive the SIPRNet Interim Approval to Connect (IATC) or final Approval to Connect (ATC). Also any additional requirements must be met as outlined in the Interim Authority to Operate (IATO) or Authority to Operate (ATO) forms signed by the Authorizing Official (AO).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8048",
+      "title": "External connections to the network must be reviewed and the documentation updated semi-annually.",
+      "description": "A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated as untrusted networks. Reviewing who or what the network is connected to empowers the security manager to make sound judgements and security recommendations. Minimizing backdoor circuits and connections reduces the risk for unauthorized access to network resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8049",
+      "title": "The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment.",
+      "description": "DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8051",
+      "title": "Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).",
+      "description": "Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect internal network resources from cyber attacks originating from external Internet sources by protective environments.",
+      "severity": "high"
+    },
+    {
+      "id": "V-8052",
+      "title": "External network connections must not bypass the enclaves perimeter security.",
+      "description": "Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networks to the organization are considered to be untrusted, this could prove detrimental since there is no way to verify traffic inbound or outbound on this backdoor connection. An attacker could carry out attacks or steal data from the organization without any notification. An external connection is considered to be any link from the organization's perimeter to the NIPRNet, SIPRNet, Commercial ISP, or other untrusted network outside the organization's defined security policy. The DREN and SREN are DoD's Research & Engineering Network. A DoD Network that is the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated as a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer ASD (NII)/DoD CIO. A DISN enclave should not have connectivity to the DREN unless approved by the AO and the requirements have been met for all external connections described in NET0130.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8054",
+      "title": "All network infrastructure devices must be located in a secure room with limited access.",
+      "description": "If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security compromise.  It is not sufficient to limit access to only the outside world or non-site personnel.  Not everyone within the site has the need-to-know or the need-for-access to communication devices.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8060",
+      "title": "A centralized syslog server must be deployed in the management network.",
+      "description": "Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8061",
+      "title": "Current and previous network element configurations must be stored in a secured location.",
+      "description": "If the network element's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network.  Users connected directly to the switch or router will be without service for a longer than acceptable time.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8066",
+      "title": "When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ).",
+      "description": "The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the ability to screen content for all three destinations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8078",
+      "title": "The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.",
+      "description": "IDPS data needs to be backed up to ensure preservation in the case a loss of data due to hardware failure or malicious activity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8080",
+      "title": "The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.",
+      "description": "Keeping the IDPS software updated with the latest engine and attack signatures will allow for the IDPS to detect all forms of known attacks.  Not maintaining the IDPS properly could allow for attacks to go unnoticed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8081",
+      "title": "The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.",
+      "description": "Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or an enclosed cabinet that is kept locked. This will also prevent an attacker from gaining privilege mode access to the switch. Several switch products only require a reboot of the switch in order to reset or recover the password.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-8099",
+      "title": "Dynamic Host Configuration Protocol (DHCP) audit and event logs must record hostnames and MAC addresses to be stored online for thirty days and offline for one year.",
+      "description": "In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8100",
+      "title": "Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.",
+      "description": "In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8272",
+      "title": "An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.",
+      "description": "Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8,  “DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and platform IT interconnections) shall be monitored to detect and react to incidents, intrusions, disruption of services, or other unauthorized activities (including insider threat) that threaten the security of DOD operations or IT resources, including internal misuse.”\n\nAn Intrusion Prevention System (IPS) allows the sensor to monitor, alert, and actively attempt to drop/block malicious traffic.  An Intrusion Detection System (IDS) uses a passive method; receiving a copy of the packets to analyze and alert authorized persons about any malicious activity.  While an IDS or an IPS in a passive role cannot stop the attack itself, it can typically notify and dynamically assign ACLs or other rules to a firewall or router for filtering.  The preferred method of installation is to have the IDPS configured for inline mode.  Only when there is a valid technical reason, should the IDPS be placed into a passive or IDS mode.  For a full uninhibited view of the traffic, the IDPS must sit behind the enclave’s firewall.  This will allow the IDPS to monitor all traffic unencrypted, entering or leaving the enclave.",
+      "severity": "medium"
+    }
+  ]
+}