kriterion 0.0.1

Files changed (564)
  1. checksums.yaml +7 -0
  2. data/.gitignore +2 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +5 -0
  5. data/Dockerfile +18 -0
  6. data/Gemfile +12 -0
  7. data/Gemfile.lock +62 -0
  8. data/LICENSE.txt +21 -0
  9. data/README.md +58 -0
  10. data/Rakefile +6 -0
  11. data/bin/setup +8 -0
  12. data/bin/update_stigs.rb +42 -0
  13. data/criterion.gemspec +31 -0
  14. data/docker-compose.yml +14 -0
  15. data/exe/kriterion +16 -0
  16. data/lib/kriterion.rb +16 -0
  17. data/lib/kriterion/api.rb +27 -0
  18. data/lib/kriterion/backend.rb +13 -0
  19. data/lib/kriterion/backend/mongodb.rb +235 -0
  20. data/lib/kriterion/cli.rb +28 -0
  21. data/lib/kriterion/cli/api.rb +35 -0
  22. data/lib/kriterion/cli/worker.rb +35 -0
  23. data/lib/kriterion/event.rb +36 -0
  24. data/lib/kriterion/item.rb +42 -0
  25. data/lib/kriterion/logs.rb +14 -0
  26. data/lib/kriterion/metrics.rb +22 -0
  27. data/lib/kriterion/object.rb +50 -0
  28. data/lib/kriterion/report.rb +69 -0
  29. data/lib/kriterion/resource.rb +60 -0
  30. data/lib/kriterion/section.rb +32 -0
  31. data/lib/kriterion/standard.rb +65 -0
  32. data/lib/kriterion/version.rb +3 -0
  33. data/lib/kriterion/worker.rb +280 -0
  34. data/standards/cis_red_hat_enterprise_linux_7.json +34 -0
  35. data/standards/stig_a10_networks_adc_alg.json +209 -0
  36. data/standards/stig_a10_networks_adc_ndm.json +233 -0
  37. data/standards/stig_active_directory_domain.json +257 -0
  38. data/standards/stig_active_directory_forest.json +41 -0
  39. data/standards/stig_active_directory_service_2003.json +173 -0
  40. data/standards/stig_active_directory_service_2008.json +167 -0
  41. data/standards/stig_adobe_acrobat_pro_xi.json +167 -0
  42. data/standards/stig_adobe_acrobat_reader_dc_classic_track.json +179 -0
  43. data/standards/stig_adobe_acrobat_reader_dc_continuous_track.json +179 -0
  44. data/standards/stig_adobe_coldfusion_11.json +611 -0
  45. data/standards/stig_airwatch_mdm.json +185 -0
  46. data/standards/stig_aix_5.3.json +3095 -0
  47. data/standards/stig_aix_6.1.json +3047 -0
  48. data/standards/stig_akamai_ksd_service_impact_level_2_alg.json +209 -0
  49. data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json +155 -0
  50. data/standards/stig_android_2.2_dell.json +311 -0
  51. data/standards/stig_apache_2.2_serverwindows.json +347 -0
  52. data/standards/stig_apache_2.2_sitewindows_security_implementation_guide.json +179 -0
  53. data/standards/stig_apache_server_2.0unix.json +341 -0
  54. data/standards/stig_apache_server_2.0windows.json +341 -0
  55. data/standards/stig_apache_server_2.2unix.json +347 -0
  56. data/standards/stig_apache_server_2.2windows.json +347 -0
  57. data/standards/stig_apache_site_2.0unix.json +185 -0
  58. data/standards/stig_apache_site_2.0windows.json +179 -0
  59. data/standards/stig_apache_site_2.2unix.json +185 -0
  60. data/standards/stig_apache_site_2.2windows.json +179 -0
  61. data/standards/stig_apple_ios6.json +341 -0
  62. data/standards/stig_apple_ios_10.json +245 -0
  63. data/standards/stig_apple_ios_11.json +269 -0
  64. data/standards/stig_apple_ios_4_good_mobility_suite_interim_security_configuration_guide_iscg.json +257 -0
  65. data/standards/stig_apple_ios_5.json +329 -0
  66. data/standards/stig_apple_ios_6.json +335 -0
  67. data/standards/stig_apple_ios_6_interim_security_configuration_guide_iscg.json +371 -0
  68. data/standards/stig_apple_ios_7.json +185 -0
  69. data/standards/stig_apple_ios_8_interim_security_configuration_guide.json +251 -0
  70. data/standards/stig_apple_ios_9_interim_security_configuration_guide.json +245 -0
  71. data/standards/stig_apple_os_x_10.10_yosemite_workstation.json +851 -0
  72. data/standards/stig_apple_os_x_10.11.json +725 -0
  73. data/standards/stig_apple_os_x_10.12.json +737 -0
  74. data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json +1241 -0
  75. data/standards/stig_apple_os_x_10.9_mavericks_workstation.json +809 -0
  76. data/standards/stig_application_layer_gateway_alg_security_requirements_guide_srg.json +911 -0
  77. data/standards/stig_application_layer_gateway_security_requirements_guide.json +911 -0
  78. data/standards/stig_application_security_and_development.json +1745 -0
  79. data/standards/stig_application_security_and_development_checklist.json +959 -0
  80. data/standards/stig_application_security_requirements_guide.json +1961 -0
  81. data/standards/stig_application_server_security_requirements_guide.json +791 -0
  82. data/standards/stig_arcgisserver_10.3.json +143 -0
  83. data/standards/stig_arista_mls_dcs-7000_series_l2s.json +53 -0
  84. data/standards/stig_arista_mls_dcs-7000_series_ndm.json +197 -0
  85. data/standards/stig_arista_mls_dcs-7000_series_rtr.json +143 -0
  86. data/standards/stig_bind_9.x.json +431 -0
  87. data/standards/stig_bind_dns.json +317 -0
  88. data/standards/stig_blackberry_10.2.x_os.json +179 -0
  89. data/standards/stig_blackberry_10_os.json +227 -0
  90. data/standards/stig_blackberry_bes_12.3.x_mdm.json +65 -0
  91. data/standards/stig_blackberry_bes_12.5.x_mdm.json +65 -0
  92. data/standards/stig_blackberry_device_service_6.2.json +425 -0
  93. data/standards/stig_blackberry_enterprise_mobility_server_2.x.json +149 -0
  94. data/standards/stig_blackberry_enterprise_server,_part_1.json +35 -0
  95. data/standards/stig_blackberry_enterprise_server,_part_2.json +155 -0
  96. data/standards/stig_blackberry_enterprise_server,_part_3.json +647 -0
  97. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_1.json +35 -0
  98. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_2.json +155 -0
  99. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_3.json +653 -0
  100. data/standards/stig_blackberry_enterprise_service_v10.1.x_blackberry_device_service.json +317 -0
  101. data/standards/stig_blackberry_enterprise_service_v10.2.x_blackberry_device_service.json +263 -0
  102. data/standards/stig_blackberry_handheld_device.json +125 -0
  103. data/standards/stig_blackberry_os_10.3.x.json +257 -0
  104. data/standards/stig_blackberry_os_7.x.json +107 -0
  105. data/standards/stig_blackberry_os_7.x.x.json +101 -0
  106. data/standards/stig_blackberry_os_version_5-7.json +107 -0
  107. data/standards/stig_blackberry_playbook.json +65 -0
  108. data/standards/stig_blackberry_playbook_os_nea_mode.json +65 -0
  109. data/standards/stig_blackberry_playbook_os_v2.1.json +197 -0
  110. data/standards/stig_blackberry_uem_12.7.json +59 -0
  111. data/standards/stig_bluetoothzigbee.json +35 -0
  112. data/standards/stig_ca_api_gateway_alg.json +497 -0
  113. data/standards/stig_cisco_css_dns.json +71 -0
  114. data/standards/stig_cisco_ios_xe_release_3_ndm.json +395 -0
  115. data/standards/stig_cisco_ios_xe_release_3_rtr.json +149 -0
  116. data/standards/stig_cmd_management_server_policy.json +53 -0
  117. data/standards/stig_commercial_mobile_device_cmd_policy.json +83 -0
  118. data/standards/stig_csfc_campus_wlan_policy_security_implementation_guide.json +95 -0
  119. data/standards/stig_database_security_requirements_guide.json +767 -0
  120. data/standards/stig_dbn-6300_idps.json +107 -0
  121. data/standards/stig_dbn-6300_ndm.json +359 -0
  122. data/standards/stig_defense_switched_network.json +683 -0
  123. data/standards/stig_defense_switched_network_dsn.json +653 -0
  124. data/standards/stig_desktop_applications_general.json +41 -0
  125. data/standards/stig_dns_policy.json +155 -0
  126. data/standards/stig_domain_name_system_dns_security_requirements_guide.json +599 -0
  127. data/standards/stig_draft_aix.json +3503 -0
  128. data/standards/stig_edb_postgres_advanced_server.json +665 -0
  129. data/standards/stig_email_services_policy.json +137 -0
  130. data/standards/stig_exchange_2010_client_access_server.json +179 -0
  131. data/standards/stig_exchange_2010_edge_transport_server.json +389 -0
  132. data/standards/stig_exchange_2010_hub_transport_server.json +269 -0
  133. data/standards/stig_exchange_2010_mailbox_server.json +209 -0
  134. data/standards/stig_f5_big-ip_access_policy_manager_11.x.json +149 -0
  135. data/standards/stig_f5_big-ip_advanced_firewall_manager_11.x.json +41 -0
  136. data/standards/stig_f5_big-ip_application_security_manager_11.x.json +89 -0
  137. data/standards/stig_f5_big-ip_device_management_11.x.json +467 -0
  138. data/standards/stig_f5_big-ip_local_traffic_manager_11.x.json +407 -0
  139. data/standards/stig_final_draft_general_wireless_policy.json +71 -0
  140. data/standards/stig_firewall.json +449 -0
  141. data/standards/stig_firewall_-_cisco.json +449 -0
  142. data/standards/stig_firewall_security_requirements_guide.json +257 -0
  143. data/standards/stig_forescout_counteract_alg.json +83 -0
  144. data/standards/stig_forescout_counteract_ndm.json +239 -0
  145. data/standards/stig_free_space_optics_device.json +143 -0
  146. data/standards/stig_general_mobile_device_policy_non-enterprise_activated.json +113 -0
  147. data/standards/stig_general_mobile_device_technical_non-enterprise_activated.json +59 -0
  148. data/standards/stig_general_purpose_operating_system_srg.json +1199 -0
  149. data/standards/stig_general_wireless_policy.json +71 -0
  150. data/standards/stig_good_mobility_suite_server_android_os.json +203 -0
  151. data/standards/stig_good_mobility_suite_server_apple_ios_4_interim_security_configuration_guide_iscg.json +209 -0
  152. data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json +449 -0
  153. data/standards/stig_goodenterprise_8.x.json +401 -0
  154. data/standards/stig_google_chrome_browser.json +209 -0
  155. data/standards/stig_google_chrome_current_windows.json +215 -0
  156. data/standards/stig_google_chrome_draft.json +281 -0
  157. data/standards/stig_google_chrome_v23_windows.json +275 -0
  158. data/standards/stig_google_chrome_v24_windows.json +263 -0
  159. data/standards/stig_google_chrome_v24_windows_benchmark.json +227 -0
  160. data/standards/stig_google_search_appliance.json +209 -0
  161. data/standards/stig_harris_secnet_11_54.json +89 -0
  162. data/standards/stig_hp-ux_11.23.json +3215 -0
  163. data/standards/stig_hp-ux_11.31.json +3155 -0
  164. data/standards/stig_hp-ux_smse.json +431 -0
  165. data/standards/stig_hpe_3par_storeserv_3.2.x.json +131 -0
  166. data/standards/stig_ibm_datapower_alg.json +401 -0
  167. data/standards/stig_ibm_datapower_network_device_management.json +395 -0
  168. data/standards/stig_ibm_db2_v10.5_luw.json +575 -0
  169. data/standards/stig_ibm_hardware_management_console_hmc.json +221 -0
  170. data/standards/stig_ibm_hardware_management_console_hmc_policies.json +35 -0
  171. data/standards/stig_ibm_maas360_v2.3.x_mdm.json +59 -0
  172. data/standards/stig_ibm_zvm_using_ca_vm:secure.json +473 -0
  173. data/standards/stig_idps_security_requirements_guide_srg.json +1865 -0
  174. data/standards/stig_idsips.json +257 -0
  175. data/standards/stig_iis6_server.json +221 -0
  176. data/standards/stig_iis6_site.json +263 -0
  177. data/standards/stig_iis_7.0_web_server.json +155 -0
  178. data/standards/stig_iis_7.0_web_site.json +299 -0
  179. data/standards/stig_iis_8.5_server.json +293 -0
  180. data/standards/stig_iis_8.5_site.json +347 -0
  181. data/standards/stig_infoblox_7.x_dns.json +419 -0
  182. data/standards/stig_infrastructure_l3_switch.json +599 -0
  183. data/standards/stig_infrastructure_l3_switch_-_cisco.json +659 -0
  184. data/standards/stig_infrastructure_l3_switch_secure_technical_implementation_guide_-_cisco.json +659 -0
  185. data/standards/stig_infrastructure_router.json +479 -0
  186. data/standards/stig_infrastructure_router_-_cisco.json +539 -0
  187. data/standards/stig_infrastructure_router_-_juniper.json +485 -0
  188. data/standards/stig_infrastructure_router__cisco.json +539 -0
  189. data/standards/stig_infrastructure_router__juniper.json +485 -0
  190. data/standards/stig_internet_explorer_8.json +821 -0
  191. data/standards/stig_internet_explorer_9.json +815 -0
  192. data/standards/stig_intrusion_detection_and_prevention_systems_idps_security_requirements_guide.json +371 -0
  193. data/standards/stig_ipsec_vpn_gateway.json +521 -0
  194. data/standards/stig_java_runtime_environment_jre_6_unix.json +65 -0
  195. data/standards/stig_java_runtime_environment_jre_6_win7.json +65 -0
  196. data/standards/stig_java_runtime_environment_jre_6_windows_xp.json +77 -0
  197. data/standards/stig_java_runtime_environment_jre_6_winxp.json +65 -0
  198. data/standards/stig_java_runtime_environment_jre_7_unix.json +65 -0
  199. data/standards/stig_java_runtime_environment_jre_7_win7.json +65 -0
  200. data/standards/stig_java_runtime_environment_jre_7_winxp.json +65 -0
  201. data/standards/stig_java_runtime_environment_jre_version_6_unix.json +77 -0
  202. data/standards/stig_java_runtime_environment_jre_version_6_windows_7.json +77 -0
  203. data/standards/stig_java_runtime_environment_jre_version_6_windows_xp.json +65 -0
  204. data/standards/stig_java_runtime_environment_jre_version_7_unix.json +77 -0
  205. data/standards/stig_java_runtime_environment_jre_version_7_windows_7.json +77 -0
  206. data/standards/stig_java_runtime_environment_jre_version_7_winxp.json +77 -0
  207. data/standards/stig_java_runtime_environment_jre_version_8_unix.json +107 -0
  208. data/standards/stig_java_runtime_environment_jre_version_8_windows.json +107 -0
  209. data/standards/stig_jboss_eap_6.3.json +413 -0
  210. data/standards/stig_juniper_srx_sg_alg.json +155 -0
  211. data/standards/stig_juniper_srx_sg_idps.json +179 -0
  212. data/standards/stig_juniper_srx_sg_ndm.json +443 -0
  213. data/standards/stig_juniper_srx_sg_vpn.json +185 -0
  214. data/standards/stig_keyboard_video_and_mouse_switch.json +269 -0
  215. data/standards/stig_l3_kov-26_talon_wireless_role.json +77 -0
  216. data/standards/stig_layer_2_switch.json +347 -0
  217. data/standards/stig_layer_2_switch_-_cisco.json +365 -0
  218. data/standards/stig_lg_android_5.x_interim_security_configuration_guide.json +245 -0
  219. data/standards/stig_lg_android_6.x.json +281 -0
  220. data/standards/stig_mac_osx_10.6_workstation.json +1319 -0
  221. data/standards/stig_mac_osx_10.6_workstation_draft.json +1319 -0
  222. data/standards/stig_mainframe_product_security_requirements_guide.json +1115 -0
  223. data/standards/stig_mcafee_application_control_7.x.json +203 -0
  224. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json +149 -0
  225. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json +101 -0
  226. data/standards/stig_mcafee_move_2.6_multi-platform_client.json +149 -0
  227. data/standards/stig_mcafee_move_2.6_multi-platform_oss.json +101 -0
  228. data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json +149 -0
  229. data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json +101 -0
  230. data/standards/stig_mcafee_move_agentless_3.03.6.1_security_virtual_appliance.json +167 -0
  231. data/standards/stig_mcafee_move_agentless_3.0_security_virtual_appliance.json +167 -0
  232. data/standards/stig_mcafee_move_agentless_3.0_vsel_1.9sva.json +203 -0
  233. data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json +167 -0
  234. data/standards/stig_mcafee_move_av_agentless_4.5.json +155 -0
  235. data/standards/stig_mcafee_move_av_multi-platform_4.5.json +215 -0
  236. data/standards/stig_mcafee_virusscan_8.8_local_client.json +533 -0
  237. data/standards/stig_mcafee_virusscan_8.8_managed_client.json +533 -0
  238. data/standards/stig_mcafee_vsel_1.92.0_local_client.json +245 -0
  239. data/standards/stig_mcafee_vsel_1.92.0_managed_client.json +239 -0
  240. data/standards/stig_mdm_server_policy.json +47 -0
  241. data/standards/stig_microsoft_access_2003.json +47 -0
  242. data/standards/stig_microsoft_access_2007.json +77 -0
  243. data/standards/stig_microsoft_access_2010.json +119 -0
  244. data/standards/stig_microsoft_access_2013.json +113 -0
  245. data/standards/stig_microsoft_access_2016.json +107 -0
  246. data/standards/stig_microsoft_dot_net_framework_4.0.json +101 -0
  247. data/standards/stig_microsoft_excel_2003.json +47 -0
  248. data/standards/stig_microsoft_excel_2007.json +155 -0
  249. data/standards/stig_microsoft_excel_2010.json +287 -0
  250. data/standards/stig_microsoft_excel_2013.json +293 -0
  251. data/standards/stig_microsoft_excel_2016.json +257 -0
  252. data/standards/stig_microsoft_exchange_2010_client_access_server_role.json +71 -0
  253. data/standards/stig_microsoft_exchange_2010_core_server.json +47 -0
  254. data/standards/stig_microsoft_exchange_2010_edge_transport_server_role.json +233 -0
  255. data/standards/stig_microsoft_exchange_2010_hub_transport_server_role.json +125 -0
  256. data/standards/stig_microsoft_exchange_2010_mailbox_server_role.json +107 -0
  257. data/standards/stig_microsoft_exchange_server_2003.json +647 -0
  258. data/standards/stig_microsoft_groove_2013.json +71 -0
  259. data/standards/stig_microsoft_ie_version_6.json +599 -0
  260. data/standards/stig_microsoft_ie_version_7.json +749 -0
  261. data/standards/stig_microsoft_infopath_2003.json +41 -0
  262. data/standards/stig_microsoft_infopath_2007.json +167 -0
  263. data/standards/stig_microsoft_infopath_2010.json +155 -0
  264. data/standards/stig_microsoft_infopath_2013.json +149 -0
  265. data/standards/stig_microsoft_internet_explorer_10.json +857 -0
  266. data/standards/stig_microsoft_internet_explorer_11.json +839 -0
  267. data/standards/stig_microsoft_internet_explorer_9.json +821 -0
  268. data/standards/stig_microsoft_lync_2013.json +29 -0
  269. data/standards/stig_microsoft_office_system_2007.json +221 -0
  270. data/standards/stig_microsoft_office_system_2010.json +233 -0
  271. data/standards/stig_microsoft_office_system_2013.json +293 -0
  272. data/standards/stig_microsoft_office_system_2016.json +131 -0
  273. data/standards/stig_microsoft_onedrivebusiness_2016.json +89 -0
  274. data/standards/stig_microsoft_onenote_2010.json +77 -0
  275. data/standards/stig_microsoft_onenote_2013.json +71 -0
  276. data/standards/stig_microsoft_onenote_2016.json +71 -0
  277. data/standards/stig_microsoft_outlook_2003.json +65 -0
  278. data/standards/stig_microsoft_outlook_2007.json +479 -0
  279. data/standards/stig_microsoft_outlook_2010.json +515 -0
  280. data/standards/stig_microsoft_outlook_2013.json +497 -0
  281. data/standards/stig_microsoft_outlook_2016.json +359 -0
  282. data/standards/stig_microsoft_powerpoint_2003.json +47 -0
  283. data/standards/stig_microsoft_powerpoint_2007.json +131 -0
  284. data/standards/stig_microsoft_powerpoint_2010.json +191 -0
  285. data/standards/stig_microsoft_powerpoint_2013.json +251 -0
  286. data/standards/stig_microsoft_powerpoint_2016.json +233 -0
  287. data/standards/stig_microsoft_project_2010.json +83 -0
  288. data/standards/stig_microsoft_project_2013.json +95 -0
  289. data/standards/stig_microsoft_project_2016.json +95 -0
  290. data/standards/stig_microsoft_publisher_2010.json +107 -0
  291. data/standards/stig_microsoft_publisher_2013.json +101 -0
  292. data/standards/stig_microsoft_publisher_2016.json +101 -0
  293. data/standards/stig_microsoft_sharepoint_designer_2013.json +71 -0
  294. data/standards/stig_microsoft_skypebusiness_2016.json +29 -0
  295. data/standards/stig_microsoft_sql_server_2005_database.json +167 -0
  296. data/standards/stig_microsoft_sql_server_2005_instance.json +1001 -0
  297. data/standards/stig_microsoft_sql_server_2012_database.json +179 -0
  298. data/standards/stig_microsoft_sql_server_2012_database_instance.json +929 -0
  299. data/standards/stig_microsoft_visio_2013.json +89 -0
  300. data/standards/stig_microsoft_visio_2016.json +89 -0
  301. data/standards/stig_microsoft_windows_10_mobile.json +215 -0
  302. data/standards/stig_microsoft_windows_2008_server_domain_name_system.json +269 -0
  303. data/standards/stig_microsoft_windows_2012_server_domain_name_system.json +551 -0
  304. data/standards/stig_microsoft_windows_phone_8.1.json +161 -0
  305. data/standards/stig_microsoft_windows_server_2012_domain_controller.json +2633 -0
  306. data/standards/stig_microsoft_windows_server_2012_member_server.json +2411 -0
  307. data/standards/stig_microsoft_word_2003.json +47 -0
  308. data/standards/stig_microsoft_word_2007.json +119 -0
  309. data/standards/stig_microsoft_word_2010.json +221 -0
  310. data/standards/stig_microsoft_word_2013.json +221 -0
  311. data/standards/stig_microsoft_word_2016.json +215 -0
  312. data/standards/stig_mobile_application_management_mam_server.json +95 -0
  313. data/standards/stig_mobile_application_security_requirements_guide.json +233 -0
  314. data/standards/stig_mobile_device_integrity_scanning_mdis_server.json +119 -0
  315. data/standards/stig_mobile_device_management_mdm_server.json +125 -0
  316. data/standards/stig_mobile_device_manager_security_requirements_guide.json +2555 -0
  317. data/standards/stig_mobile_email_management_mem_server.json +197 -0
  318. data/standards/stig_mobile_operating_system_security_requirements_guide.json +1943 -0
  319. data/standards/stig_mobile_policy.json +35 -0
  320. data/standards/stig_mobile_policy_security_requirements_guide.json +437 -0
  321. data/standards/stig_mobileiron_core_v9.x_mdm.json +89 -0
  322. data/standards/stig_mobility_policy.json +65 -0
  323. data/standards/stig_mozilla_firefox.json +161 -0
  324. data/standards/stig_ms_exchange_2013_client_access_server.json +209 -0
  325. data/standards/stig_ms_exchange_2013_edge_transport_server.json +443 -0
  326. data/standards/stig_ms_exchange_2013_mailbox_server.json +437 -0
  327. data/standards/stig_ms_sharepoint_2010.json +269 -0
  328. data/standards/stig_ms_sharepoint_2013.json +245 -0
  329. data/standards/stig_ms_sharepoint_designer_2013.json +71 -0
  330. data/standards/stig_ms_sql_server_2014_database.json +263 -0
  331. data/standards/stig_ms_sql_server_2014_instance.json +575 -0
  332. data/standards/stig_ms_sql_server_2016_database.json +185 -0
  333. data/standards/stig_ms_sql_server_2016_instance.json +731 -0
  334. data/standards/stig_ms_windows_defender_antivirus.json +257 -0
  335. data/standards/stig_multifunction_device_and_network_printers.json +131 -0
  336. data/standards/stig_network_device_management_security_requirements_guide.json +863 -0
  337. data/standards/stig_network_devices.json +389 -0
  338. data/standards/stig_network_infrastructure_policy.json +455 -0
  339. data/standards/stig_network_security_requirements_guide.json +1961 -0
  340. data/standards/stig_operating_system_security_requirements_guide.json +1961 -0
  341. data/standards/stig_oracle_10_database_installation.json +527 -0
  342. data/standards/stig_oracle_10_database_instance.json +569 -0
  343. data/standards/stig_oracle_11_database_installation.json +527 -0
  344. data/standards/stig_oracle_11_database_instance.json +551 -0
  345. data/standards/stig_oracle_database_10g_installation.json +527 -0
  346. data/standards/stig_oracle_database_10g_instance.json +581 -0
  347. data/standards/stig_oracle_database_11.2g.json +1229 -0
  348. data/standards/stig_oracle_database_11g_installation.json +527 -0
  349. data/standards/stig_oracle_database_11g_instance.json +575 -0
  350. data/standards/stig_oracle_database_12c.json +1217 -0
  351. data/standards/stig_oracle_http_server_12.1.3.json +1703 -0
  352. data/standards/stig_oracle_linux_5.json +3431 -0
  353. data/standards/stig_oracle_linux_6.json +1583 -0
  354. data/standards/stig_oracle_weblogic_server_12c.json +443 -0
  355. data/standards/stig_palo_alto_networks_alg.json +311 -0
  356. data/standards/stig_palo_alto_networks_idps.json +185 -0
  357. data/standards/stig_palo_alto_networks_ndm.json +251 -0
  358. data/standards/stig_pda.json +83 -0
  359. data/standards/stig_pdasmartphone.json +95 -0
  360. data/standards/stig_perimeter_l3_switch.json +923 -0
  361. data/standards/stig_perimeter_l3_switch_-_cisco.json +1001 -0
  362. data/standards/stig_perimeter_router.json +803 -0
  363. data/standards/stig_perimeter_router_cisco.json +881 -0
  364. data/standards/stig_perimeter_router_juniper.json +803 -0
  365. data/standards/stig_postgresql_9.x.json +677 -0
  366. data/standards/stig_red_hat_enterprise_linux_5.json +3437 -0
  367. data/standards/stig_red_hat_enterprise_linux_6.json +1565 -0
  368. data/standards/stig_red_hat_enterprise_linux_7.json +1451 -0
  369. data/standards/stig_remote_access_policy.json +317 -0
  370. data/standards/stig_removable_storage_and_external_connection_technologies.json +143 -0
  371. data/standards/stig_removable_storage_and_external_connections.json +137 -0
  372. data/standards/stig_rfid_scanner.json +35 -0
  373. data/standards/stig_rfid_workstation.json +23 -0
  374. data/standards/stig_riverbed_steelhead_cx_v8_alg.json +83 -0
  375. data/standards/stig_riverbed_steelhead_cx_v8_ndm.json +371 -0
  376. data/standards/stig_router_security_requirements_guide.json +575 -0
  377. data/standards/stig_samsung_android_os_5_with_knox_2.0.json +365 -0
  378. data/standards/stig_samsung_android_os_6_with_knox_2.x.json +377 -0
  379. data/standards/stig_samsung_android_os_7_with_knox_2.x.json +443 -0
  380. data/standards/stig_samsung_android_with_knox_1.x.json +293 -0
  381. data/standards/stig_samsung_android_with_knox_2.x.json +371 -0
  382. data/standards/stig_samsung_knox_android_1.0.json +167 -0
  383. data/standards/stig_sharepoint_2010.json +269 -0
  384. data/standards/stig_sharepoint_2013.json +245 -0
  385. data/standards/stig_smartphone_policy.json +131 -0
  386. data/standards/stig_solaris_10_sparc.json +3029 -0
  387. data/standards/stig_solaris_10_x86.json +3065 -0
  388. data/standards/stig_solaris_11_sparc.json +1427 -0
  389. data/standards/stig_solaris_11_x86.json +1421 -0
  390. data/standards/stig_solaris_9_sparc.json +2915 -0
  391. data/standards/stig_solaris_9_x86.json +2915 -0
  392. data/standards/stig_sun_ray_4.json +185 -0
  393. data/standards/stig_sun_ray_4_policy.json +77 -0
  394. data/standards/stig_suse_linux_enterprise_server_v11system_z.json +3311 -0
  395. data/standards/stig_symantec_endpoint_protection_12.1_local_client_antivirus.json +689 -0
  396. data/standards/stig_symantec_endpoint_protection_12.1_managed_client_antivirus.json +695 -0
  397. data/standards/stig_tanium_6.5.json +461 -0
  398. data/standards/stig_tanium_7.0.json +803 -0
  399. data/standards/stig_test_and_development_zone_a.json +167 -0
  400. data/standards/stig_test_and_development_zone_b.json +179 -0
  401. data/standards/stig_test_and_development_zone_c.json +143 -0
  402. data/standards/stig_test_and_development_zone_d.json +143 -0
  403. data/standards/stig_traditional_security.json +917 -0
  404. data/standards/stig_unix_srg.json +3287 -0
  405. data/standards/stig_video_services_policy.json +497 -0
  406. data/standards/stig_video_teleconference.json +47 -0
  407. data/standards/stig_video_teleconference_vtc.json +12 -0
  408. data/standards/stig_vmware_esx_3_policy.json +155 -0
  409. data/standards/stig_vmware_esx_3_server.json +3791 -0
  410. data/standards/stig_vmware_esx_3_virtual_center.json +257 -0
  411. data/standards/stig_vmware_esx_3_virtual_machine.json +53 -0
  412. data/standards/stig_vmware_esxi_server_5.0.json +809 -0
  413. data/standards/stig_vmware_esxi_v5.json +5177 -0
  414. data/standards/stig_vmware_esxi_version_5_virtual_machine.json +317 -0
  415. data/standards/stig_vmware_nsx_distributed_firewall.json +83 -0
  416. data/standards/stig_vmware_nsx_distributed_logical_router.json +35 -0
  417. data/standards/stig_vmware_nsx_manager.json +191 -0
  418. data/standards/stig_vmware_vcenter_server.json +179 -0
  419. data/standards/stig_vmware_vcenter_server_version_5.json +149 -0
  420. data/standards/stig_vmware_vsphere_esxi_6.0.json +659 -0
  421. data/standards/stig_vmware_vsphere_vcenter_server_version_6.json +311 -0
  422. data/standards/stig_vmware_vsphere_virtual_machine_version_6.json +269 -0
  423. data/standards/stig_voice_and_video_over_internet_protocol_vvoip_policy.json +407 -0
  424. data/standards/stig_voice_video_endpoint_security_requirements_guide.json +395 -0
  425. data/standards/stig_voice_video_services_policy.json +671 -0
  426. data/standards/stig_voice_video_session_management_security_requirements_guide.json +329 -0
  427. data/standards/stig_voicevideo_over_internet_protocol.json +419 -0
  428. data/standards/stig_voicevideo_over_internet_protocol_vvoip.json +263 -0
  429. data/standards/stig_voicevideo_services_policy.json +569 -0
  430. data/standards/stig_web_policy.json +95 -0
  431. data/standards/stig_web_server.json +317 -0
  432. data/standards/stig_web_server_security_requirements_guide.json +587 -0
  433. data/standards/stig_win2k3_audit.json +761 -0
  434. data/standards/stig_win2k8_audit.json +1085 -0
  435. data/standards/stig_win2k8_r2_audit.json +1637 -0
  436. data/standards/stig_win7_audit.json +1613 -0
  437. data/standards/stig_windows_10.json +1691 -0
  438. data/standards/stig_windows_2003_domain_controller.json +893 -0
  439. data/standards/stig_windows_2003_member_server.json +845 -0
  440. data/standards/stig_windows_2008_domain_controller.json +1475 -0
  441. data/standards/stig_windows_2008_member_server.json +1301 -0
  442. data/standards/stig_windows_7.json +1781 -0
  443. data/standards/stig_windows_8.json +2399 -0
  444. data/standards/stig_windows_88.1.json +2273 -0
  445. data/standards/stig_windows_8_8.1.json +2297 -0
  446. data/standards/stig_windows_defender_antivirus.json +239 -0
  447. data/standards/stig_windows_dns.json +185 -0
  448. data/standards/stig_windows_firewall_with_advanced_security.json +137 -0
  449. data/standards/stig_windows_paw.json +155 -0
  450. data/standards/stig_windows_phone_6.5_with_good_mobility_suite.json +65 -0
  451. data/standards/stig_windows_server_2008_r2_domain_controller.json +1961 -0
  452. data/standards/stig_windows_server_2008_r2_member_server.json +1745 -0
  453. data/standards/stig_windows_server_20122012_r2_domain_controller.json +2255 -0
  454. data/standards/stig_windows_server_20122012_r2_member_server.json +2045 -0
  455. data/standards/stig_windows_server_2012_2012_r2_domain_controller.json +2279 -0
  456. data/standards/stig_windows_server_2012_2012_r2_member_server.json +2075 -0
  457. data/standards/stig_windows_server_2012_domain_controller.json +2471 -0
  458. data/standards/stig_windows_server_2012_member_server.json +2249 -0
  459. data/standards/stig_windows_server_2016.json +1661 -0
  460. data/standards/stig_windows_vista.json +1517 -0
  461. data/standards/stig_windows_xp.json +893 -0
  462. data/standards/stig_wireless_keyboard_and_mouse.json +23 -0
  463. data/standards/stig_wireless_management_server_policy.json +53 -0
  464. data/standards/stig_wireless_remote_access_policy_security_implementation_guide.json +29 -0
  465. data/standards/stig_wlan_access_point_enclave-niprnet_connected.json +227 -0
  466. data/standards/stig_wlan_access_point_internet_gateway_only_connection.json +209 -0
  467. data/standards/stig_wlan_access_point_policy.json +17 -0
  468. data/standards/stig_wlan_authentication_server.json +29 -0
  469. data/standards/stig_wlan_bridge.json +209 -0
  470. data/standards/stig_wlan_client.json +65 -0
  471. data/standards/stig_wlan_controller.json +215 -0
  472. data/standards/stig_wlan_ids_sensorserver.json +23 -0
  473. data/standards/stig_wman_access_point.json +263 -0
  474. data/standards/stig_wman_bridge.json +209 -0
  475. data/standards/stig_wman_subscriber.json +65 -0
  476. data/standards/stig_zos_acf2.json +1451 -0
  477. data/standards/stig_zos_bmc_control-dacf2.json +53 -0
  478. data/standards/stig_zos_bmc_control-dracf.json +59 -0
  479. data/standards/stig_zos_bmc_control-dtss.json +65 -0
  480. data/standards/stig_zos_bmc_control-macf2.json +59 -0
  481. data/standards/stig_zos_bmc_control-mracf.json +65 -0
  482. data/standards/stig_zos_bmc_control-mrestartacf2.json +23 -0
  483. data/standards/stig_zos_bmc_control-mrestartracf.json +23 -0
  484. data/standards/stig_zos_bmc_control-mrestarttss.json +23 -0
  485. data/standards/stig_zos_bmc_control-mtss.json +71 -0
  486. data/standards/stig_zos_bmc_control-oacf2.json +53 -0
  487. data/standards/stig_zos_bmc_control-oracf.json +59 -0
  488. data/standards/stig_zos_bmc_control-otss.json +65 -0
  489. data/standards/stig_zos_bmc_ioaacf2.json +53 -0
  490. data/standards/stig_zos_bmc_ioaracf.json +59 -0
  491. data/standards/stig_zos_bmc_ioatss.json +65 -0
  492. data/standards/stig_zos_bmc_mainviewzosacf2.json +47 -0
  493. data/standards/stig_zos_bmc_mainviewzosracf.json +53 -0
  494. data/standards/stig_zos_bmc_mainviewzostss.json +59 -0
  495. data/standards/stig_zos_ca_1_tape_managementacf2.json +65 -0
  496. data/standards/stig_zos_ca_1_tape_managementracf.json +77 -0
  497. data/standards/stig_zos_ca_1_tape_managementtss.json +77 -0
  498. data/standards/stig_zos_ca_auditoracf2.json +29 -0
  499. data/standards/stig_zos_ca_auditorracf.json +29 -0
  500. data/standards/stig_zos_ca_auditortss.json +29 -0
  501. data/standards/stig_zos_ca_common_servicesacf2.json +23 -0
  502. data/standards/stig_zos_ca_common_servicesracf.json +29 -0
  503. data/standards/stig_zos_ca_common_servicestss.json +29 -0
  504. data/standards/stig_zos_ca_micsacf2.json +23 -0
  505. data/standards/stig_zos_ca_micsracf.json +23 -0
  506. data/standards/stig_zos_ca_micstss.json +23 -0
  507. data/standards/stig_zos_ca_mimacf2.json +41 -0
  508. data/standards/stig_zos_ca_mimracf.json +47 -0
  509. data/standards/stig_zos_ca_mimtss.json +47 -0
  510. data/standards/stig_zos_ca_vtapeacf2.json +29 -0
  511. data/standards/stig_zos_ca_vtaperacf.json +35 -0
  512. data/standards/stig_zos_ca_vtapetss.json +35 -0
  513. data/standards/stig_zos_catalog_solutionsacf2.json +23 -0
  514. data/standards/stig_zos_catalog_solutionsracf.json +23 -0
  515. data/standards/stig_zos_catalog_solutionstss.json +23 -0
  516. data/standards/stig_zos_clsupersessionacf2.json +53 -0
  517. data/standards/stig_zos_clsupersessionracf.json +65 -0
  518. data/standards/stig_zos_clsupersessiontss.json +71 -0
  519. data/standards/stig_zos_compuware_abend-aidacf2.json +47 -0
  520. data/standards/stig_zos_compuware_abend-aidracf.json +53 -0
  521. data/standards/stig_zos_compuware_abend-aidtss.json +53 -0
  522. data/standards/stig_zos_cssmtpacf2.json +23 -0
  523. data/standards/stig_zos_cssmtpracf.json +29 -0
  524. data/standards/stig_zos_cssmtptss.json +29 -0
  525. data/standards/stig_zos_fdracf2.json +23 -0
  526. data/standards/stig_zos_fdrracf.json +23 -0
  527. data/standards/stig_zos_fdrtss.json +23 -0
  528. data/standards/stig_zos_hcdacf2.json +29 -0
  529. data/standards/stig_zos_hcdracf.json +29 -0
  530. data/standards/stig_zos_hcdtss.json +29 -0
  531. data/standards/stig_zos_ibm_cics_transaction_serveracf2.json +17 -0
  532. data/standards/stig_zos_ibm_cics_transaction_serverracf.json +17 -0
  533. data/standards/stig_zos_ibm_cics_transaction_servertss.json +17 -0
  534. data/standards/stig_zos_ibm_health_checkeracf2.json +23 -0
  535. data/standards/stig_zos_ibm_health_checkerracf.json +29 -0
  536. data/standards/stig_zos_ibm_health_checkertss.json +29 -0
  537. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfacf2.json +53 -0
  538. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfracf.json +59 -0
  539. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsftss.json +53 -0
  540. data/standards/stig_zos_icsfacf2.json +29 -0
  541. data/standards/stig_zos_icsfracf.json +35 -0
  542. data/standards/stig_zos_icsftss.json +35 -0
  543. data/standards/stig_zos_netviewacf2.json +41 -0
  544. data/standards/stig_zos_netviewracf.json +47 -0
  545. data/standards/stig_zos_netviewtss.json +53 -0
  546. data/standards/stig_zos_quest_nc-passacf2.json +35 -0
  547. data/standards/stig_zos_quest_nc-passracf.json +41 -0
  548. data/standards/stig_zos_quest_nc-passtss.json +47 -0
  549. data/standards/stig_zos_racf.json +1415 -0
  550. data/standards/stig_zos_roscoeacf2.json +47 -0
  551. data/standards/stig_zos_roscoeracf.json +53 -0
  552. data/standards/stig_zos_roscoetss.json +59 -0
  553. data/standards/stig_zos_srrauditacf2.json +23 -0
  554. data/standards/stig_zos_srrauditracf.json +23 -0
  555. data/standards/stig_zos_srraudittss.json +23 -0
  556. data/standards/stig_zos_tadzacf2.json +29 -0
  557. data/standards/stig_zos_tadzracf.json +35 -0
  558. data/standards/stig_zos_tadztss.json +35 -0
  559. data/standards/stig_zos_tdmfacf2.json +23 -0
  560. data/standards/stig_zos_tdmfracf.json +23 -0
  561. data/standards/stig_zos_tdmftss.json +23 -0
  562. data/standards/stig_zos_tss.json +1523 -0
  563. data/standards/stig_zos_vssracf.json +29 -0
  564. metadata +691 -0
@@ -0,0 +1,1865 @@
1
+ {
2
+ "name": "stig_idps_security_requirements_guide_srg",
3
+ "date": "2012-03-08",
4
+ "description": "The IDPS Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: fso_spt@disa.mil.",
5
+ "title": "IDPS Security Requirements Guide (SRG)",
6
+ "version": "1",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "SRG-NET-000001-IDPS-000021",
12
+ "title": "The IDPS must provide automated support for account management functions.",
13
+ "description": "Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. If account policies are not immediately and automatically enforced, system administrators may not realize that security changes are not being enforced.",
14
+ "severity": "low"
15
+ },
16
+ {
17
+ "id": "SRG-NET-000002-IDPS-000023",
18
+ "title": "The IDPS must automatically terminate temporary accounts after an organizationally defined time period for each type of account.",
19
+ "description": "Authentication for administrative access to the device is required at all times. Temporary accounts can be used for vendor support in order to perform diagnostics. \nThere is a risk the temporary account may remain in place and active after the vendor support team has left. Temporary accounts could have the highest privilege level which would enable an administrator to gain unauthorized privileges to the device.\nThis requirement is applicable for temporary accounts created for temporary use for vendor support in order to perform diagnostics.",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "SRG-NET-000003-IDPS-000022",
24
+ "title": "The IDPS must automatically terminate emergency accounts after an organizationally defined time period.",
25
+ "description": "Authentication for administrative access to the device is required at all times. A single account can be created on the device's local data management console for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The emergency account logon credentials must be stored in a sealed envelope and kept in a safe. There is a risk the emergency account may remain in place and active after the vendor support team has left.\nThis requirement is applicable for emergency accounts created on the device's local data management console for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable.",
26
+ "severity": "low"
27
+ },
28
+ {
29
+ "id": "SRG-NET-000004-IDPS-000024",
30
+ "title": "The IDPS must automatically disable inactive accounts after an organizationally defined time period of inactivity.",
31
+ "description": "There is always a risk for inactive accounts to be compromised by unauthorized users who could then gain full control of the device; thereby enabling them to trigger a Does attacks, intercept sensitive information, or disrupt network availability.\n\nAttackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. The IDPS must track periods of user inactivity and disable application accounts after an organizationally defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. \n\nTo address the multitude of policy based access requirements, many network administrators choose to integrate the IDPS with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the network administrator to off-load those access control functions and focus on core application features and functionality.\n",
32
+ "severity": "low"
33
+ },
34
+ {
35
+ "id": "SRG-NET-000005-IDPS-000028",
36
+ "title": "The IDPS must automatically audit the creation of accounts.",
37
+ "description": "Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification provides the necessary reconciliation that account management procedures are being followed. To support the auditing requirement, the IDPS must create an audit trail by logging account creation events. Without this audit trail, personnel without the proper security clearance may gain access to critical network nodes.",
38
+ "severity": "low"
39
+ },
40
+ {
41
+ "id": "SRG-NET-000006-IDPS-000025",
42
+ "title": "The IDPS must notify the appropriate individuals when accounts are created.",
43
+ "description": "Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to IDPS components is secured by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper security clearance may gain access to critical network nodes. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation, along with an automatic notification to appropriate individuals, will provide the necessary reconciliation that account management procedures are being followed.",
44
+ "severity": "low"
45
+ },
46
+ {
47
+ "id": "SRG-NET-000007-IDPS-000032",
48
+ "title": "The IDPS must automatically audit account modification.",
49
+ "description": "Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.",
50
+ "severity": "low"
51
+ },
52
+ {
53
+ "id": "SRG-NET-000008-IDPS-000029",
54
+ "title": "The IDPS must notify the designated system administrators when accounts are modified.",
55
+ "description": "Account management and distribution is vital to the security of any IDPS. Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper security clearance may gain access to critical network nodes. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification, along with an automatic notification to appropriate individuals, will provide the necessary reconciliation that account management procedures are being followed.",
56
+ "severity": "low"
57
+ },
58
+ {
59
+ "id": "SRG-NET-000009-IDPS-000030",
60
+ "title": "The IDPS must automatically audit account disabling actions.",
61
+ "description": "Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification, along with an automatic notification to appropriate individuals, will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the disablement of accounts is monitored to ensure that authorized active accounts remain enabled and available for use when required.",
62
+ "severity": "low"
63
+ },
64
+ {
65
+ "id": "SRG-NET-000010-IDPS-000026",
66
+ "title": "The IDPS must notify the account owner when the account has been disabled.",
67
+ "description": "Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification, along with an automatic notification to appropriate individuals, will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the disabling of accounts is monitored to ensure that authorized active accounts remain enabled and available for use when required. Notifying the individual whose account has been disabled will provide an alert, so the account can be enabled if it had been disabled by mistake.",
68
+ "severity": "low"
69
+ },
70
+ {
71
+ "id": "SRG-NET-000011-IDPS-000031",
72
+ "title": "The IDPS must automatically audit account termination.",
73
+ "description": "Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification, along with an automatic notification to appropriate individuals, will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the termination of accounts is monitored to ensure that authorized accounts remain active and available for use when required.",
74
+ "severity": "low"
75
+ },
76
+ {
77
+ "id": "SRG-NET-000012-IDPS-000027",
78
+ "title": "The IDPS must notify the appropriate individuals for account termination.",
79
+ "description": "Account management by a designated authority ensures access to the IDPS is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Automatic notification of account changes to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the termination of accounts is monitored to ensure that authorized accounts remain active and available for use when required. Additionally, it is recommended that the notification also alerts the individual whose account has been terminated, so the account can be reinstated if it had been terminated by mistake.",
80
+ "severity": "low"
81
+ },
82
+ {
83
+ "id": "SRG-NET-000013-IDPS-000033",
84
+ "title": "The IDPS must monitor for unusual usage of administrative user accounts.",
85
+ "description": "Atypical account usage is behavior that is not part of normal usage cycles (e.g., accounts logging in after hours or on weekends.) If this atypical behavior is not monitored, user accounts that are compromised could be used by unauthorized users for longer periods, giving an attacker more time to reconfigure the system to allow harmful traffic.\n\nThis control can be met in two ways.\n(i) The IPS provides the capability to learn typical user behavior over time.\n(ii) A rule is created to enforce typical usage based on organizationally defined variable for typical usage (e.g., login hours, duration).",
86
+ "severity": "low"
87
+ },
88
+ {
89
+ "id": "SRG-NET-000014-IDPS-000034",
90
+ "title": "The IDPS must be configured to dynamically manage administrative privileges and associated command authorizations.",
91
+ "description": "Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. Service Oriented Architecture (SOA) based applications need to take this possibility into account and leverage dynamic access control methodologies. User privileges on the IDPS are configured by assigning users to security groups and assigning permission to the groups.",
92
+ "severity": "medium"
93
+ },
94
+ {
95
+ "id": "SRG-NET-000015-IDPS-000040",
96
+ "title": "The IDPS must be configured to work with an authentication server to enforce the assigned privilege and authorization level for each administrator.",
97
+ "description": "The use of authentication, authorization, and accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. Privilege levels, as well as, which commands each administrator is authorized to use based on the privilege level or account group membership, must be controlled and assigned accordingly. By using the IDPS in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups that contain their associated or required privilege level. By configuring the IDPS to collaborate with an authentication server, it can enforce the appropriate authorization for each administrator. Additionally, separation of services provides added assurance to the network if the access control server is compromised. This requirement does not apply to local emergency accounts which should be used sparingly. If management of authorizations and privileges is not centralized, it will be difficult to track and manage user authorizations and privileges and there is an increased risk of misconfiguration.\n",
98
+ "severity": "medium"
99
+ },
100
+ {
101
+ "id": "SRG-NET-000016-IDPS-000035",
102
+ "title": "The IDPS must enforce dual authorization based on organizational policies and procedures for organizationally defined privileged commands.",
103
+ "description": "Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or IDPS configuration changes require dual-authorization before being activated. However, an organization should not employ dual authorization mechanisms when an immediate response is necessary to ensure public and environmental safety. If dual authorization is not automatically enforced by the system, system administrators would be able to change the system configuration without oversight from a second administrator when required by the site security policy.\nIf dual authorization is a requirement for the site, this control applies to the IDPS sensor logs and other files.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "SRG-NET-000017-IDPS-000036",
108
+ "title": "The IDPS must implement nondiscretionary access control policies over users and resources.",
109
+ "description": "When nondiscretionary access control mechanisms are implemented, security labels are assigned to securable objects and users are granted access to the objects only if their level of access matches that required by the security label. Types of nondiscretionary access control includes Attribute-Based Access Control, Mandatory Access Control, and Originator Controlled Access Control. Without these security policies, security labels on restricted objects stored on the IDPS may be accessed or changed by unauthorized users.",
110
+ "severity": "low"
111
+ },
112
+ {
113
+ "id": "SRG-NET-000018-IDPS-000041",
114
+ "title": "The IPS must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.",
115
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. \n\nExamples of flow control restrictions include blocking outside traffic claiming to be from within the organization, and not passing any web requests to the Internet not from the internal web proxy.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "SRG-NET-000018-IDPS-000042",
120
+ "title": "The IDPS must allow only in-band management sessions from authorized IP addresses from the internal network.",
121
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device account and password information. \n\nWith intercepted information an attacker could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "SRG-NET-000018-IDPS-000043",
126
+ "title": "The IDPS management console, management server, or data management console server must reside in the management network (in-band.)",
127
+ "description": "Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that the individual sensors or agents cannot. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address is known as correlation. Management servers are available as both appliance and software-only products. Some small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments, there are often multiple management servers, and in some cases there are two tiers of management servers. If the management console is placed on a user segment, management information may be intercepted.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "SRG-NET-000019-IDPS-NA",
132
+ "title": "The network element must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.",
133
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Example: A router or firewall at the perimeter must only allow web traffic outbound received from a web proxy and directing all returning web traffic to the web proxy. Controlling the flow of information between interconnected networks is the functionality of the router, firewall, and/or switches.",
134
+ "severity": "medium"
135
+ },
136
+ {
137
+ "id": "SRG-NET-000020-IDPS-000044",
138
+ "title": "The IDPS must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
139
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on source and destination IP addresses as well as the ports and services being requested. This requirement should enforce the deny-by-default policy whereby only the known and accepted traffic will be allowed outbound and inbound. This requirement helps ensure that inbound and outbound traffic is inspected for possible attacks.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "SRG-NET-000021-IDPS-000045",
144
+ "title": "The IDPS must enforce the highest privilege level administrative access to enable or disable security policy filters.",
145
+ "description": "The use of AAA affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the IDPS in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege level. The IDPS must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policy filters must require the highest privilege level. If system administrators cannot be configured with different security privileges, then need-to-know cannot be enforced.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "SRG-NET-000022-IDPS-000046",
150
+ "title": "The IDPS must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.",
151
+ "description": "The IDPS must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policies must require the highest privilege level which can be implemented by simply assigning privilege levels to administrators or via a AAA solution. The implementation of a AAA solution affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the IDPS in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups that contain their associated or required privilege level. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "SRG-NET-000023-IDPS-000047",
156
+ "title": "The IPS must enforce security policies regarding information on interconnected systems.",
157
+ "description": "Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative for policy guidance from information owners be implemented at the policy enforcement point between the interconnected systems. This requirement applies to IPS (rather than IDS systems) implementations only because it requires the enforcement of security policy. If IPS is configured to transfer threat information to the firewall or other devices do not adhere to the security policy of the other device, the network security posture for devices interconnected with the IDPS could be compromised.\nEnforcement is done by an IPS and is not a function of an IDS. If the IPS is not configured to authenticate or updates to other network devices violate the access control policy of the other device, this is an issue which must be resolved. However, the IPS must also be configured to monitor and enforce the security policies between other interconnected systems.",
158
+ "severity": "medium"
159
+ },
160
+ {
161
+ "id": "SRG-NET-000024-IDPS-000049",
162
+ "title": "The IDPS must uniquely identify source domains for information transfer.",
163
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element distinguishes between information systems and organizations, and between specific system components or individuals involved in sending and receiving information. \nExamples of information transfer for the IDPS are the sensor log updating the base, sensor alerts, or commands to update the firewall or router ACLs. Without unique identifiers, the audit records of these information transfers would not be useful to tracking possible violations.",
164
+ "severity": "medium"
165
+ },
166
+ {
167
+ "id": "SRG-NET-000025-IDPS-NA",
168
+ "title": "The IDPS must uniquely authenticate source domains for information transfer.",
169
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS authenticates the source involved in sending information. Authenticating source domain IP address and other identifiers for users versus organizations and components is not an IDPS function. The IDPS uses IP addresses and other identifiers, but is not the source or organizer of these identifiers.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "SRG-NET-000026-IDPS-000048",
174
+ "title": "The IDPS must uniquely identify destination domains for information transfer.",
175
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. \nMeans to enforce this enhancement include ensuring the IDPS distinguishes between information systems and organizations, and between specific system components or individuals involved in sending and receiving information.\nExamples of information transfer for the IDPS is the sensor log updating the base, sensor alerts, or commands to update the firewall or router ACLs. Without unique identifiers, the audit records of these information transfers would not be useful to tracking possible violations.",
176
+ "severity": "medium"
177
+ },
178
+ {
179
+ "id": "SRG-NET-000027-IDPS-NA",
180
+ "title": "The IDPS must uniquely authenticate destination domains for information transfer.",
181
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS authenticates the source involved in receiving information.",
182
+ "severity": "medium"
183
+ },
184
+ {
185
+ "id": "SRG-NET-000028-IDPS-000050",
186
+ "title": "The IDPS must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.",
187
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced using security zones at various protection levels as a basis for flow control decisions.",
188
+ "severity": "medium"
189
+ },
190
+ {
191
+ "id": "SRG-NET-000029-IDPS-000051",
192
+ "title": "The IDPS must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.",
193
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.",
194
+ "severity": "medium"
195
+ },
196
+ {
197
+ "id": "SRG-NET-000030-IDPS-NA",
198
+ "title": "All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.",
199
+ "description": "Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the network undetected and attack a key IDPS or the server farm. Hence, it is imperative all encrypted traffic entering the network is decrypted prior to the content checking devices. This is a network architecture best practice and does not require a configuration setting on the IDS or IPS sensor.",
200
+ "severity": "medium"
201
+ },
202
+ {
203
+ "id": "SRG-NET-000031-IDPS-NA",
204
+ "title": "The IDPS must terminate all tunnels prior to passing through the perimeter security zone.",
205
+ "description": "Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the network undetected and attack a key IDPS or the server farm. Hence, it is imperative all tunneled traffic entering the network terminate prior to the content checking devices. This requirement applies to inbound unencrypted traffic.",
206
+ "severity": "medium"
207
+ },
208
+ {
209
+ "id": "SRG-NET-000032-IDPS-000053",
210
+ "title": "The IDPS must enforce organizationally defined one-way traffic flows using hardware mechanisms.",
211
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.",
212
+ "severity": "medium"
213
+ },
214
+ {
215
+ "id": "SRG-NET-000033-IDPS-000054",
216
+ "title": "The IPS must enforce information flow control using organizationally defined security policy filters as a basis for flow control decisions.",
217
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on source and destination IP addresses as well as the ports and services being requested using security policy filters.",
218
+ "severity": "medium"
219
+ },
220
+ {
221
+ "id": "SRG-NET-000034-IDPS-000055",
222
+ "title": "Organizationally defined authorizations must be implemented through organizationally defined separation of duties through use of group memberships.",
223
+ "description": "The use of AAA affords the best methods for controlling authorization levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege levels establishing what commands and objects the authenticated administrator is authorized to access. This implementation enforces the organization's AAA policy for separation of duties and its responsibility assignments for each administrator. Each account should grant access only to privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. This requirement does not apply to the local accounts defined directly on the IDPS devices that are used for emergency or diagnostic configuration.",
224
+ "severity": "low"
225
+ },
226
+ {
227
+ "id": "SRG-NET-000035-IDPS-000056",
228
+ "title": "The IDPS must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.",
229
+ "description": "The IDPS implementation may include tools and applications which are valuable for some network users. By default, non-privileged users cannot access or execute these commands. However, the organization may decide that certain managers or individuals with special roles should be given access (e.g., reporting and analysis tools for the audit group). Changes to the configuration of commands which are limited to privileged users must be captured in the audit log. Monitoring account usage will increase visibility thus reducing the risk of exploitation of privileged accounts by unauthorized persons. Audit logs provide information for use in diagnostic and forensic investigation.",
230
+ "severity": "low"
231
+ },
232
+ {
233
+ "id": "SRG-NET-000036-IDPS-000057",
234
+ "title": "The IDPS must provide the capability for a privileged administrator to configure organizationally defined security policy filters to support different security policies.",
235
+ "description": "Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. Network disruptions or outages could be caused by mistakes made by inexperienced system administrators. Monitoring account usage will reduce the risk of a privilege account being exploited by unauthorized persons and provides logging to be used for forensic investigation. Only accounts with the highest privilege level should have the authorization to configure security policy filters.",
236
+ "severity": "medium"
237
+ },
238
+ {
239
+ "id": "SRG-NET-000037-IDPS-000157",
240
+ "title": "The IDPS must be configured to automatically disable itself if any of the organizationally defined lists of security events are detected.",
241
+ "description": "To reduce or eliminate the risk to the network, the IDPS must be configured to disable itself and its components if the IDPS itself is compromised. A list of known attacks to the IDPS system must be included in the rules. Since the IDPS is a major part of the network's protection and defense system, a compromised IDPS may allow malicious attacks to bypass the network's controls.",
242
+ "severity": "medium"
243
+ },
244
+ {
245
+ "id": "SRG-NET-000038-IDPS-000058",
246
+ "title": "The maximum number of unsuccessful login attempts must be set to an organizationally defined value.\n",
247
+ "description": "A malicious or unauthorized user could gain access to an IDPS by guessing or using methods such as dictionary attack, word list substitution, or brute force attack-all of which require multiple login attempts. By limiting the number of failed login attempts within a defined period of time, the risk of unauthorized system access via user password guessing can be mitigated.",
248
+ "severity": "medium"
249
+ },
250
+ {
251
+ "id": "SRG-NET-000039-IDPS-000060",
252
+ "title": "The maximum number of unsuccessful login attempts must be set to an organizationally defined value.",
253
+ "description": "By limiting the number of failed login attempts within a defined period of time, the risk of unauthorized system access via user password guessing can be mitigated.",
254
+ "severity": "medium"
255
+ },
256
+ {
257
+ "id": "SRG-NET-000040-IDPS-000059",
258
+ "title": "The IDPS must automatically lock out an account after the maximum number of unsuccessful login attempts are exceeded and remain locked until released by an administrator.",
259
+ "description": "Locking out an account after a maximum number of unsuccessful login attempts are exceeded will reduce the risk of unauthorized system access via password guessing.",
260
+ "severity": "medium"
261
+ },
262
+ {
263
+ "id": "SRG-NET-000041-IDPS-000061",
264
+ "title": "The IDPS must display an approved system use notification message (or banner) before granting access to the system.",
265
+ "description": "All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required login warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed.",
266
+ "severity": "low"
267
+ },
268
+ {
269
+ "id": "SRG-NET-000042-IDPS-000062",
270
+ "title": "The IDPS must display the notification message on the screen until the administrator takes explicit action to acknowledge the message.",
271
+ "description": "All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should be acknowledged by the user prior to allowing the user access to the system. This provides assurance that the user has seen the message and accepted the conditions for access. If the warning banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.",
272
+ "severity": "low"
273
+ },
274
+ {
275
+ "id": "SRG-NET-000043-IDPS-000063",
276
+ "title": "The IDPS must display an approved system use notification message or banner before granting access to the device.",
277
+ "description": "All network devices must present a DoD approved warning banner before granting access to the device. The banner shall be formatted in accordance with the DoD policy \"Use of DoD Information Systems - Standard Consent and User Agreement\". If the warning banner is not displayed, DoD will not be in compliance with system use notifications required by law. Use the following verbiage. \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided\nfor USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the\nfollowing conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes\nincluding, but not limited to, penetration testing, COMSEC monitoring, network\noperations and defense, personnel misconduct (PM), law enforcement (LE), and\ncounterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine\nmonitoring, interception, and search, and may be disclosed or used for any USG authorized\npurpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect\nUSG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI\ninvestigative searching or monitoring of the content of privileged communications, or\nwork product, related to personal representation or services by attorneys,\npsychotherapists, or clergy, and their assistants. Such communications and work product\nare private and confidential. See User Agreement for details.\nFor sensors with severe character limitations on the display screen, use the following verbiage:\n\n\"I've read & consent to terms in IS user agreem't.\"",
278
+ "severity": "low"
279
+ },
280
+ {
281
+ "id": "SRG-NET-000048-IDPS-000064",
282
+ "title": "Upon successful logon, the IDPS must display the date and time of the last logon of the user.",
283
+ "description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
284
+ "severity": "low"
285
+ },
286
+ {
287
+ "id": "SRG-NET-000049-IDPS-000065",
288
+ "title": "Upon successful logon, the IDPS must display, to the user, the number of unsuccessful logon attempts since the last successful logon.",
289
+ "description": "Providing users with information regarding the number of unsuccessful logon attempts since the last successful login. Without this information, the user may not become aware that unauthorized activity has occurred.",
290
+ "severity": "low"
291
+ },
292
+ {
293
+ "id": "SRG-NET-000050-IDPS-000067",
294
+ "title": "The IDPS must notify the user of the number of successful login attempts to the local device occurring during an organizationally defined time period.",
295
+ "description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
296
+ "severity": "low"
297
+ },
298
+ {
299
+ "id": "SRG-NET-000051-IDPS-000066",
300
+ "title": "The IDPS must notify the user of the number of unsuccessful login attempts to the local device occurring during organizationally defined time period.",
301
+ "description": "Providing users with information regarding the number of unsuccessful logon attempts to the local device that has occurred over an organizationally defined time period. Without this information, the user may not become aware that unauthorized activity has occurred.",
302
+ "severity": "low"
303
+ },
304
+ {
305
+ "id": "SRG-NET-000052-IDPS-000068",
306
+ "title": "The IDPS must notify the user of organizationally defined security related changes to the user's account occurring during the organizationally defined time period.",
307
+ "description": "Providing users with information regarding organizationally defined security related changes to the user's account occurring during the organizationally defined time period, allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. Changes to the user account during a specific time period could be an indication of the account being compromised. Hence, without notification to the user, the compromise could go undetected.",
308
+ "severity": "low"
309
+ },
310
+ {
311
+ "id": "SRG-NET-000053-IDPS-000001",
312
+ "title": "The IDPS must limit the number of concurrent sessions for each account to an organizationally defined number.",
313
+ "description": "This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. In many products, this value defaults to unlimited which leaves the device open to DoS attacks. An organizationally defined value should be configured.\n\nLimiting the number of concurrent sessions to the device per any given account mitigates the risk associated with a Denial of Service (DoS) attack.",
314
+ "severity": "low"
315
+ },
316
+ {
317
+ "id": "SRG-NET-000054-IDPS-000004",
318
+ "title": "The IDPS must support and maintain the binding of organizationally defined security attributes to information in storage.",
319
+ "description": "Security attribute assignments (e.g., metadata, classification, subject categories, nationality, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. \nTypically, the security attributes used for data stored on the management console or sensors is not granular. The sensors are configured to send data to a management console using IP addresses or other network identifiers. While the data is in storage on the sensors, the system will limit user access based on assigned user account permissions.\nIf the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows which depend on these security attributes will not function and unauthorized subjects or entities may gain access to the information.\nThis requirement applies to the event log files and IDPS application files stored on the IDPS management console and sensors.",
320
+ "severity": "medium"
321
+ },
322
+ {
323
+ "id": "SRG-NET-000055-IDPS-000003",
324
+ "title": "The IDPS must support and maintain the binding of organizationally defined security attributes to information in process.",
325
+ "description": "Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. \nExamples of possible IDPS security attributes that may be used by the organization to implement security policy include: session of packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification based on QoS markings for preferred treatment; or VLAN identification.\nSecurity attributes and labels should be leveraged to protect stored information, as well as information flowing to external devices. Information stored, processed, and transmitted by the IDPS include sensors event logs, local audit logs, and application files. Security attributes and labels must also be leveraged to protect communications between sensors, the management console, non-local management computers, firewalls, routers, and other network elements. \nIf the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows which depend on these security attributes will not function and unauthorized subjects or entities may gain access to the information.\n\nExamples of security attributes for IDPS systems include session of packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification based on QoS markings for preferred treatment; or VLAN identification.",
326
+ "severity": "medium"
327
+ },
328
+ {
329
+ "id": "SRG-NET-000056-IDPS-000002",
330
+ "title": "The IDPS must support and maintain the binding of organizationally defined security attributes to information in transmission.",
331
+ "description": "Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. \nExamples of possible IDPS security attributes that may be used by the organization to implement security policy include: session of packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification based on Quality of Service (QoS) markings for preferred treatment; or Virtual Local Area Network (VLAN) identification.\nSecurity attributes and labels should be leveraged to protect stored information, as well as information flowing to external devices. Information stored, processed, and transmitted by the IDPS include sensors event logs, local audit logs, and application files. Security attributes and labels must also be leveraged to protect communications between sensors, the management console, non-local management computers, firewalls, routers, and other network elements. \nIf the security attributes are disassociated from the information being transmitted, stored, or processed, then access control policies and information flows which depend on these security attributes will not function and unauthorized subjects or entities may gain access to the information.",
332
+ "severity": "medium"
333
+ },
334
+ {
335
+ "id": "SRG-NET-000057-IDPS-000005",
336
+ "title": "The IDPS must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.",
337
+ "description": "Security attribute assignments (e.g., metadata, classification, user access privileges, or affiliation) are abstractions representing the basic properties or characteristics of an entity. Attributes may be bound to data and then used in various applications within the IDPS to enable access control, flow control, information handling, and other information security policy processes. \nExamples of possible IDPS security attributes that may be used by the organization to implement security policy include: session of packet identifiers; source and destination IP addresses; protocol identifiers; traffic classification based on QoS markings for preferred treatment; or VLAN identification.\nSecurity attributes and labels should be leveraged to protect stored information as well as information flowing to external devices. Information stored and processed by the IDPS includes sensors event logs, local audit logs, and application files. Security attributes and labels must also be leveraged to protect communications between sensors, the management console, non-local management computers, firewalls, routers, and other network elements. \nThe IDPS must have the capability to dynamically reconfigure destination addresses, user privilege assignments, and changes to traffic flow requirements. If changes to the security attributes used by upon which security policies, information workflows, and access control are not dynamic, then unauthorized subjects and entities may gain access to the information.",
338
+ "severity": "medium"
339
+ },
340
+ {
341
+ "id": "SRG-NET-000058-IDPS-000006",
342
+ "title": "The IDPS must allow only authorized administrators to change security attributes.",
343
+ "description": "System administrators of the IDPS system can reconfigure the rules and redirect traffic. If an unauthorized user gains access and then modifies the configuration, this could adversely impact the operation and availability of the entire network and all users. Malicious configuration changes may cause the sensors to miss critical attacks. If unauthorized individuals have permission to change security attributes, then unauthorized individuals may compromise information flow and access control attributes, thus adversely impacting network availability or gain unauthorized access to the information.",
344
+ "severity": "high"
345
+ },
346
+ {
347
+ "id": "SRG-NET-000059-IDPS-000007",
348
+ "title": "The IDPS must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions.",
349
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the IDPS and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nExamples of automated policy actions include automated access control decisions (e.g., Mandatory Access Control decisions), or decisions to release (or not release) information (e.g., information flows via cross domain systems).\n\nIf the attribute to information binding does have a high assurance, then information security policies based on these attributes may allow unauthorized subjects or entities to gain access to the information or network.",
350
+ "severity": "medium"
351
+ },
352
+ {
353
+ "id": "SRG-NET-000060-IDPS-000008",
354
+ "title": "The IDPS must allow authorized system administrators to associate security attributes with information.",
355
+ "description": "System administrators of the IDPS system can reconfigure the rules and redirect traffic. If an unauthorized user gains access and then modifies the configuration, this could adversely impact the operation and availability of the entire network and all users. Malicious configuration changes may cause the sensors to miss critical attacks.\n\nIf unauthorized individuals have permission to change security attribute-information associations, then unauthorized individuals may compromise information flow and access control attributes, thus adversely impacting network availability or gain unauthorized access to the information.",
356
+ "severity": "high"
357
+ },
358
+ {
359
+ "id": "SRG-NET-000060-IDPS-000009",
360
+ "title": "Accounts must be removed from the IDPS, when no longer required.",
361
+ "description": "Allowing unnecessary or unauthorized accounts may allow for them to be compromised by unauthorized users who could then gain full control of the device. DoS attacks, interception of sensitive information or other destructive actions could then take place.\nUser accounts, group members, and system defined on the IDPS must be necessary for the use of current users and operations. \nIf unused accounts exist, then unauthorized individuals may compromise information flow and access control attributes, thus adversely impacting network availability or gain unauthorized access to the information.",
362
+ "severity": "low"
363
+ },
364
+ {
365
+ "id": "SRG-NET-000060-IDPS-000010",
366
+ "title": "The IPS must only allow authorized devices to change security attributes.",
367
+ "description": "In some implementations, the IPS system may work with the firewalls, routers, or switches to dynamically update or create rules. Changes to the IPS may cause the sensors to miss critical attacks.\nThe IPS sensors are configured to transmit sensor logs using network configuration information. They also may communicate with the Firewall and other network devices. The IPS must have the capability to dynamically reconfigure destination addresses, user privilege assignments, and changes to traffic flow requirements. \nThis requirement is applicable only to IPS implementation allowing external devices to update sensor signatures, rules or other scanning configuration.\nIf unauthorized devices are allowed to update the IPS configuration, information flow and access control attributes may be maliciously changed, thus adversely impacting network availability or gain unauthorized access to the information.",
368
+ "severity": "high"
369
+ },
370
+ {
371
+ "id": "SRG-NET-000061-IDPS-NA",
372
+ "title": "The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods.",
373
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. \nUnless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Monitoring will ensure unauthorized access to the enclave's resources and data will not go undetected. However, monitoring and control of remote access methods is not a function of the IDPS.",
374
+ "severity": "medium"
375
+ },
376
+ {
377
+ "id": "SRG-NET-000062-IDPS-000012",
378
+ "title": "Communications using the auxiliary port(s) must be configured to use cryptography to protect the confidentiality of the remote access session.",
379
+ "description": "IDS and IPS devices may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. \n\nUse of the modem for remote system management is strongly discouraged because this transmission bypasses the network security infrastructure and depends on authentication provided by the device itself. However, there may be cases where this type of access is mission essential. Modems may be attached to auxiliary ports only if communications are secured using cryptography.\n\nTo provide confidentiality, the data encryption algorithm must meet the following requirements:\n(i) Data encryption algorithm shall be AES using the appropriate key size (128 or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB and XTS. \n(ii) The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38 A.\n(iii) Must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.\nUnless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally.",
380
+ "severity": "high"
381
+ },
382
+ {
383
+ "id": "SRG-NET-000063-IDPS-000013",
384
+ "title": "The IDPS auxiliary port or modem must be configured to use cryptography to protect the integrity of remote access sessions.",
385
+ "description": "If a modem is installed on the auxiliary port of the IDPS management console to provide direct remote management access, cryptographic mechanisms must be implemented to protect the integrity of information. Unless restrictions are put in place, transmissions over commercial network could be corrupted or altered with malicious traffic. \nThis control requires the configuration of cryptographic modules with strong integrity protection. Integrity protection is provided by the hashing algorithm used by the cryptographic module. Two hashing algorithms are approved for use in DoD. Both algorithms create a checksum that changes if the data is altered. \n(i) Select the Secure Hash Algorithm (SHA-2).\n(ii) Select a keyed, sequenced implementation of the Message Digest (MD5) algorithm only if SHA-2 is not available on the device. \nIntegrity protection also requires the following:\n(i) The firmware of the device must be signed and verified using RSA 2048 or ECDSA with P25.\n(ii) The firmware health checks must be authenticated with either Hashed Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P256).",
386
+ "severity": "medium"
387
+ },
388
+ {
389
+ "id": "SRG-NET-000064-IDPS-NA",
390
+ "title": "The network element must route all remote access traffic through managed access control points.",
391
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless of the backbone networks used for transit between the user end-point and the remote access server (VPN appliance or firewall), remote connections must be secured and must not be given direct access to the private network. Traffic between the remote access server and the private network must be secured. Therefore, the remote access server must forward traffic destined to the private network to the firewall interface inspecting all private network ingress traffic. Routing remote access traffic through managed access control points is not a function of the IDPS.",
392
+ "severity": "medium"
393
+ },
394
+ {
395
+ "id": "SRG-NET-000065-IDPS-000014",
396
+ "title": "The IDPS must continuously monitor for unauthorized remote connections to specific information systems.",
397
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. \nMonitoring will ensure unauthorized access to the enclave's resources and data will not go undetected.",
398
+ "severity": "medium"
399
+ },
400
+ {
401
+ "id": "SRG-NET-000066-IDPS-000015",
402
+ "title": "The network element must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.",
403
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. \nUnless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Auditing will ensure unauthorized access to the enclave's resources and data will not go undetected.",
404
+ "severity": "low"
405
+ },
406
+ {
407
+ "id": "SRG-NET-000067-IDPS-000016",
408
+ "title": "The IDPS must disable use of organizationally defined networking protocols.",
409
+ "description": "Some networking protocols that allow remote access may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or management console the security decision on the assessment of other entities.\n\nUnsecure protocols such as TELNET and FTP must be turned off at the device level or the IDPS components may be using these protocols. These protocols are often enabled by default, so the system administrator must ensure an explicit command to disable the disallowed protocols may be required.\n",
410
+ "severity": "medium"
411
+ },
412
+ {
413
+ "id": "SRG-NET-000068-IDPS-NA",
414
+ "title": "The IDPS must enforce requirements for remote connections to the network.",
415
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. Enabling access to the network from outside introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication and defining what resources can be accessed. Enforcing requirements for remote connections to the network is not a function of the IDPS.",
416
+ "severity": "medium"
417
+ },
418
+ {
419
+ "id": "SRG-NET-000069-IDPS-NA",
420
+ "title": "The IDPS must protect wireless access to the network using authentication.",
421
+ "description": "The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DoD network enclave. Wireless network authentication is not the function of the IDPS.",
422
+ "severity": "medium"
423
+ },
424
+ {
425
+ "id": "SRG-NET-000070-IDPS-NA",
426
+ "title": "The IDPS must protect wireless access to the network using encryption.",
427
+ "description": "The security boundary of a WLAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DoD network enclave.",
428
+ "severity": "medium"
429
+ },
430
+ {
431
+ "id": "SRG-NET-000071-IDPS-000017",
432
+ "title": "The site must scan the radio frequency spectrum for unauthorized WLAN devices.",
433
+ "description": "Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly degrades the IA posture of that network. If someone installs an unauthorized access point in the site's vicinity, even if not connected to a DoD network, then site users may unknowingly or inadvertently connect to it. Once this connection occurs, the user's traffic may be diverted to spoofed web sites and other servers to capture the user's authentication credentials and sensitive DoD data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site's WLAN infrastructure or other network devices that improperly have left open active Wi-Fi interfaces. WIDS can help counter all of these threats.\n\nDoDD 8100.2 requires ALL DoD networks must use a wireless IDS to scan for unauthorized wireless devices. The WIDS sensor and server must be configured as either a continuous WIDS or a periodic WIDS.",
434
+ "severity": "medium"
435
+ },
436
+ {
437
+ "id": "SRG-NET-000071-IDPS-000018",
438
+ "title": "If the site uses a continuous WIDS scanning, then the system must be configured to meet requirements.",
439
+ "description": "Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly degrades the IA posture of that network. If someone installs an unauthorized access point in the site's vicinity, even if not connected to a DoD network, then site users may unknowingly or inadvertently connect to it. Once this connection occurs, the user's traffic may be diverted to spoofed web sites and other servers to capture the user's authentication credentials and sensitive DoD data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site's WLAN infrastructure or other network devices that improperly have left open active Wi-Fi interfaces. WIDS can help counter all of these threats.\nDoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices.\nThe continuous WIDS sensor and server must meet the following requirements:\n(I) System is server-based, whereby sensor scanning results are consolidated and evaluated by a WIDS server.\n(ii) The WIDS will scan continuously 24 hours/day, 7 days/week to detect authorized and unauthorized activity. \n(iii) The WIDS will include a location sensing protection scheme for authorized and unauthorized wireless devices that will provide information enabling designated site personnel to take appropriate actions.\n\nWhile not recommended, WLAN access points that also provide WIDS scanning capability are acceptable as \"continuous scanning\" WIDS sensors. \n\nThe WIDS must cover all WLAN frequencies transmitted by the WLAN equipment. The WLAN frequency band can vary by country and the WIDS must cover all channels being used in a country the equipment is being used in. For example, the allowed WLAN channels are different in the U.S., Japan, and many European countries.",
440
+ "severity": "medium"
441
+ },
442
+ {
443
+ "id": "SRG-NET-000071-IDPS-000019",
444
+ "title": "If the site uses periodic WIDS scanning, then the system must be configured to meet the requirements.",
445
+ "description": "Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly degrades the IA posture of that network. If someone installs an unauthorized access point in the site's vicinity, even if not connected to a DoD network, then site users may unknowingly or inadvertently connect to it. Once this connection occurs, the user's traffic may be diverted to spoofed web sites and other servers to capture the user's authentication credentials and sensitive DoD data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site's WLAN infrastructure or other network devices that improperly have left open active Wi-Fi interfaces. WIDS can help counter all of these threats.\nDoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices.\nWhile not recommended, WLAN access points that also provide WIDS scanning capability are acceptable as \"continuous scanning\" WIDS sensors. \n(I) The DAA will determine how often WIDS scanning will be conducted based on the results of the wireless risk assessment. (DISA recommends at least every 90 days.)\n(ii) Periodic scanning will be conducted by using handheld or laptop WIDS scanners during a walk-through assessment of the network environment.\n\nNOTE: The WIDS must cover all WLAN frequencies transmitted by the WLAN equipment. The WLAN frequency band can vary by country and the WIDS must cover all channels being used in a country the equipment is being used in. For example, the allowed WLAN channels are different in the U.S., Japan, and many European countries.",
446
+ "severity": "medium"
447
+ },
448
+ {
449
+ "id": "SRG-NET-000071-IDPS-000020",
450
+ "title": "WIDS sensor scan results must be saved for at least one year.",
451
+ "description": "DoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices. If sites do not maintain scan logs, it cannot be determined if IDS findings are isolated and harmless events or a more sustained, methodical attack on the system.\n",
452
+ "severity": "medium"
453
+ },
454
+ {
455
+ "id": "SRG-NET-000072-IDPS-NA",
456
+ "title": "The IDPS must enforce requirements for the connection of mobile devices to organizational information systems.",
457
+ "description": "Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as, authentication, encryption, and defining what resources can be accessed.",
458
+ "severity": "low"
459
+ },
460
+ {
461
+ "id": "SRG-NET-000073-IDPS-NA",
462
+ "title": "The IDPS must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.",
463
+ "description": "Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services. \nExamples of information system functionality that provide the capability for automatic execution of code are Auto Run and AutoPlay. Disabling applications on mobile devices is outside the scope of both the IDS and the IPS.",
464
+ "severity": "low"
465
+ },
466
+ {
467
+ "id": "SRG-NET-000074-IDPS-000081",
468
+ "title": "The IDPS must produce sensor log records that contain sufficient information to establish what type of event occurred.",
469
+ "description": "It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS.",
470
+ "severity": "low"
471
+ },
472
+ {
473
+ "id": "SRG-NET-000075-IDPS-000083",
474
+ "title": "The IDPS must produce log records containing sufficient information to establish when the events occurred.",
475
+ "description": "It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. \nIn order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.",
476
+ "severity": "low"
477
+ },
478
+ {
479
+ "id": "SRG-NET-000076-IDPS-000082",
480
+ "title": "The IDPS must produce log records containing sufficient information to establish where the events occurred.",
481
+ "description": "It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. \nIn order to establish and correlate the series of events leading up to an outage or attack, it is imperative the source or object of the log record is recorded in all log records.",
482
+ "severity": "low"
483
+ },
484
+ {
485
+ "id": "SRG-NET-000077-IDPS-000080",
486
+ "title": "The IDPS must produce sensor log records containing sufficient information to establish the source of the event.",
487
+ "description": "It is essential for security personnel to know what is being done, what attempted to be done, when and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. \n\nIf the originator of the log record is not recorded, it will be difficult to establish and correlate the series of events leading up to an outage or attack.",
488
+ "severity": "medium"
489
+ },
490
+ {
491
+ "id": "SRG-NET-000078-IDPS-000084",
492
+ "title": "The IDPS must produce log records containing sufficient information to determine if the event was a success or failure.",
493
+ "description": "It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Denied traffic must be logged. There may also be some instances where a packet that was permitted or other successful event (i.e., logon) should be logged to establish and correlate the series of events leading up to an outage or attack.\nLogging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS.",
494
+ "severity": "low"
495
+ },
496
+ {
497
+ "id": "SRG-NET-000079-IDPS-000076",
498
+ "title": "The IDPS must capture and log sufficient information to establish the identity of any user accounts associated with the event.",
499
+ "description": "Log records content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.",
500
+ "severity": "low"
501
+ },
502
+ {
503
+ "id": "SRG-NET-000080-IDPS-000077",
504
+ "title": "The IDPS must capture and log alerts that contain detailed information for events identified by type, location, and subject.",
505
+ "description": "Audit record content that may be necessary to satisfy the requirement of this control, includes, timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.",
506
+ "severity": "low"
507
+ },
508
+ {
509
+ "id": "SRG-NET-000081-IDPS-000078",
510
+ "title": "The IDPS must support the requirement to centrally manage the events from multiple sensor queues.",
511
+ "description": "Centrally managing data captured by the various sensors provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of audit data can facilitate troubleshooting when problems are encountered and can assist in performing root cause analysis. A repository of audit data can also be correlated in real time to identify suspicious behavior or be archived for review at a later time for research and analysis.\n\nIDPS sensors are managed from a maintenance console or server installed on the management network. Configuration and management of the sensor configuration, except for initial network configuration, must be performed through accessing the management console. Without the ability to centrally manage events, troubleshooting and correlation of suspicious behavior will be difficult and may lead to or prolong the attack.",
512
+ "severity": "medium"
513
+ },
514
+ {
515
+ "id": "SRG-NET-000082-IDPS-000085",
516
+ "title": "The IDPS must be configured to allocate audit record storage capacity.",
517
+ "description": "The IDPS must allocate storage capacity to contain log records. Log records on the sensors are critical because if space is not available the sensor may malfunction. The site would lose valuable data needed for investigating security incidents.",
518
+ "severity": "low"
519
+ },
520
+ {
521
+ "id": "SRG-NET-000082-IDPS-000087",
522
+ "title": "The IDPS must provide a warning when the logging storage capacity reaches 75% of maximum capacity.",
523
+ "description": "It is imperative the IDPS is configured to allocate storage capacity to contain log records and an alert is generated when the capacity reaches an organization-defined threshold. Without this capability, the site could lose valuable data needed for investigating security incidents.",
524
+ "severity": "low"
525
+ },
526
+ {
527
+ "id": "SRG-NET-000083-IDPS-000079",
528
+ "title": "The IDPS sensor events log monitoring application or mechanism retrieves events from the sensor before the events log becomes full.",
529
+ "description": "The IDPS logging facility must be configured to reduce the likelihood of log record capacity being exceeded. Events on the sensor are typically stored on a large events log. The log in the sensor is typically very large and can hold several days of logging events under normal conditions. However, the monitoring application must retrieve events from the sensor before the queue becomes full; otherwise the sensor will start overwriting the unread events and valuable information may be lost.",
530
+ "severity": "medium"
531
+ },
532
+ {
533
+ "id": "SRG-NET-000083-IDPS-000086",
534
+ "title": "The IDPS logging function must be configured to reduce the likelihood of log record capacity being exceeded.",
535
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the IDPS is configured to allocate enough log record storage capacity that will not become exhausted. Without this capability, the site could lose valuable data needed for investigating security incidents.",
536
+ "severity": "low"
537
+ },
538
+ {
539
+ "id": "SRG-NET-000085-IDPS-000088",
540
+ "title": "The IDPS must provide a real-time alert when organizationally defined audit failure events occur.",
541
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. It is imperative the IDPS is configured to generate an alarm when an audit failure occurs. Because there can be a delay between the sensor queue and the logging server, this alert must come from the sensors themselves.",
542
+ "severity": "low"
543
+ },
544
+ {
545
+ "id": "SRG-NET-000086-IDPS-000090",
546
+ "title": "The IDPS must enforce configurable traffic volume thresholds representing logging capacity for network traffic to be logged.",
547
+ "description": "Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. Many DoS attacks target the network core by attempting to saturate link capacity and exhausting router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium services, it not only forces priority traffic, such as voice, to compete for service, but it also robs critical network management traffic of the service it requires to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked. It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.",
548
+ "severity": "medium"
549
+ },
550
+ {
551
+ "id": "SRG-NET-000087-IDPS-000089",
552
+ "title": "The IPS must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.",
553
+ "description": "Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. Many DoS attacks target the network core by attempting to saturate link capacity and exhausting router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium services, it not only forces priority traffic such as voice to compete for service, it robs critical control-plane and network management traffic the service it demands to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked. It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.",
554
+ "severity": "medium"
555
+ },
556
+ {
557
+ "id": "SRG-NET-000088-IDPS-000092",
558
+ "title": "The IDPS must be configured to send an alert to designated personnel in the event of an audit processing failure.",
559
+ "description": "Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify a IDPS that has been configured improperly. It is imperative that the IDPS is configured to generate an alarm when an audit failure occurs.",
560
+ "severity": "medium"
561
+ },
562
+ {
563
+ "id": "SRG-NET-000089-IDPS-000093",
564
+ "title": "The IDPS must be configured to stop generating log records or overwrite the oldest log records when an audit failure occurs.",
565
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. To preserve recent audit information, if an audit failure occurs, the IDPS must either stop producing audit records to overwrite or purge the oldest records.",
566
+ "severity": "low"
567
+ },
568
+ {
569
+ "id": "SRG-NET-000090-IDPS-000094",
570
+ "title": "The IDPS must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.",
571
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple the IDPS to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective.",
572
+ "severity": "low"
573
+ },
574
+ {
575
+ "id": "SRG-NET-000091-IDPS-NA",
576
+ "title": "The IDPS must centralize the review and analysis of audit records from multiple network elements within the network.",
577
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple the IDPS to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting the data in a single, consolidated view achieves this objective.",
578
+ "severity": "low"
579
+ },
580
+ {
581
+ "id": "SRG-NET-000092-IDPS-000234",
582
+ "title": "The IDPS must employ automated mechanisms to alert security personnel of any inappropriate or unusual activities with security implications.",
583
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. By immediately displaying an alarm message, potential security violations can be identified more immediately, even when administrators are not logged into the IDPS.",
584
+ "severity": "medium"
585
+ },
586
+ {
587
+ "id": "SRG-NET-000093-IDPS-000096",
588
+ "title": "Audit log reduction must be enabled on the IDPS.",
589
+ "description": "Log reduction is the capability of a system to consolidate, archive and compress audit logs. This process saves space when saving these logs over a long time period. Log entries must not be removed from the log in order to reduce the size; however, the file may be compressed.",
590
+ "severity": "low"
591
+ },
592
+ {
593
+ "id": "SRG-NET-000094-IDPS-NA",
594
+ "title": "The IDPS must provide a report generation capability.",
595
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple the IDPS to acquire a clear understanding as to what happened or is happening. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective.",
596
+ "severity": "low"
597
+ },
598
+ {
599
+ "id": "SRG-NET-000095-IDPS-000095",
600
+ "title": "The IDPS must provide the capability to automatically process log records for events of interest based upon selectable criteria.",
601
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple the IDPS to acquire a clear understanding as to what happened or is happening. Collecting log data and enabling personnel to filter the data based on selection criteria to produce a meaningful view achieves this objective.",
602
+ "severity": "low"
603
+ },
604
+ {
605
+ "id": "SRG-NET-000096-IDPS-000099",
606
+ "title": "The IDPS must use internal system clocks to generate timestamps for audit records.",
607
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple the IDPS to acquire a clear understanding as to what happened or is happening. In order to correlate, timestamps are needed on all of the log records.",
608
+ "severity": "low"
609
+ },
610
+ {
611
+ "id": "SRG-NET-000096-IDPS-000100",
612
+ "title": "The IDPS must protect audit tools from unauthorized deletion.",
613
+ "description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised it could provide attackers with the capability to manipulate log data. It is imperative for audit tools to be controlled and protected from unauthorized modification. Audit tools include, but are not limited to, OS provided audit tools, vendor provided audit tools and open source audit tools needed to successfully view and manipulate audit information system activity and records.",
614
+ "severity": "medium"
615
+ },
616
+ {
617
+ "id": "SRG-NET-000097-IDPS-000097",
618
+ "title": "The IDPS must be configured to use a minimum of two Network Time Protocol (NTP) servers to synchronize time.",
619
+ "description": "The various components within the network infrastructure providing the log records must have their clocks synchronized using a common time reference so the events can be correlated in exact order of time. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If sensor logs cannot be correlated with the routers, switches, and firewalls, it may not be possible to trace all the damage caused by a network breach. NTP provides an efficient and scalable method for network elements to synchronize to an accurate time source.",
620
+ "severity": "low"
621
+ },
622
+ {
623
+ "id": "SRG-NET-000097-IDPS-000098",
624
+ "title": "The IDPS must authenticate NTP messages received.",
625
+ "description": "Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka \"symmetric mode\"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers. A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device looses connectivity to it upstream NTP server, it will be able to choose time from one of its peers. The NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It's not used to authenticate NTP clients because NTP servers don't care about the authenticity of their clients, as they never accept any time from them.",
626
+ "severity": "medium"
627
+ },
628
+ {
629
+ "id": "SRG-NET-000098-IDPS-000107",
630
+ "title": "The IDPS must protect application audit and sensor event logs information from unauthorized read access.",
631
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who are not do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment. \nThere are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.",
632
+ "severity": "medium"
633
+ },
634
+ {
635
+ "id": "SRG-NET-000100-IDPS-000109",
636
+ "title": "The IDPS must protect application audit and sensor event logs are protected from unauthorized deletion.",
637
+ "description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who are not do not have a need for this type of access. Unauthorized deletion of logs or events may obfuscate evidence of an attack. Event log and sensor log entries should not be deleted without a clear audit trail and an approval process.\nThere are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.",
638
+ "severity": "medium"
639
+ },
640
+ {
641
+ "id": "SRG-NET-000101-IDPS-000101",
642
+ "title": "The IDPS must protect audit tools from unauthorized access.",
643
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. It is imperative the auditing tools are secured and can only be accessed by authorized personnel.",
644
+ "severity": "low"
645
+ },
646
+ {
647
+ "id": "SRG-NET-000102-IDPS-000102",
648
+ "title": "The IDPS must protect audit tools from unauthorized modification.",
649
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. It is imperative the auditing tools are secured and can only be accessed by authorized personnel.",
650
+ "severity": "low"
651
+ },
652
+ {
653
+ "id": "SRG-NET-000104-IDPS-NA",
654
+ "title": "The IDPS must produce audit records on hardware-enforced write-once media.",
655
+ "description": "It is imperative the collected log data from the various the IDPS is secured and stored on write-once media for safekeeping.\nThis is not applicable for IDPS. Sensor logs are aggregated onto a separate partition on the management console and are then backed-up in accordance with CCI-000537 and CCI-001348.",
656
+ "severity": "low"
657
+ },
658
+ {
659
+ "id": "SRG-NET-000105-IDPS-000104",
660
+ "title": "The IDPS must backup system level and sensor event log records on an organizationally defined frequency onto a different system or media.",
661
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Without the backup of logged data, the actions of specific events, the site's ability to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS., will be degraded. \nThere are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself. It is imperative the collected log data from the various IDPS components be secured and backed up regularly unto a different system or off-line media.",
662
+ "severity": "low"
663
+ },
664
+ {
665
+ "id": "SRG-NET-000106-IDPS-000105",
666
+ "title": "The IDPS must use cryptographic mechanisms to protect the integrity of audit and sensor event log information.",
667
+ "description": "Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. There are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.\nThis control requires the configuration of a cryptographic module with strong integrity protection. Integrity protection is provided by the hashing algorithm used by the cryptographic module.",
668
+ "severity": "medium"
669
+ },
670
+ {
671
+ "id": "SRG-NET-000107-IDPS-000106",
672
+ "title": "The IDPS must use cryptography to protect the integrity of audit tools.",
673
+ "description": "Audit tools provide services such as audit reduction, reporting, or analysis. Without mechanisms such as a signed hash using asymmetric cryptography, the integrity of the collected data garnered from these tools is not fully protected. Mechanisms such as a signed hash using asymmetric cryptography must be used to protect the integrity of the audit tools used for audit reduction and reporting.",
674
+ "severity": "low"
675
+ },
676
+ {
677
+ "id": "SRG-NET-000107-IDPS-000108",
678
+ "title": "The IDPS must protect application audit and sensor event log information from unauthorized modification.",
679
+ "description": "Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system. Audit and event log data must be protected from unauthorized access, including from legitimate administrators who are not do not have a need for this type of access. Without this protection, a compromise or loss of log data needed for incident analysis or risk assessment. \nThere are two types of log files required for IDPS components, the sensor event log/queue and the application audit trail log. The sensor event log stores detected events based on sensor network scans. The application level audit trail log stores auditing results of enforcement actions based on the access control restrictions and other security policy for the IDPS itself.",
680
+ "severity": "medium"
681
+ },
682
+ {
683
+ "id": "SRG-NET-000108-IDPS-000069",
684
+ "title": "The IDPS must log administrator access and system configuration changes in a central logging server such as a management console/server.",
685
+ "description": "This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the IDPS are logged; and system administrators authenticate with 2-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement.",
686
+ "severity": "medium"
687
+ },
688
+ {
689
+ "id": "SRG-NET-000110-IDPS-000070",
690
+ "title": "The IDPS must provide a centralized management console/server that compiles data from the agents and sensors.",
691
+ "description": "Sensors and agents monitor and analyze activity. The term sensor is typically used for the IDPS that monitor networks, including network-based, wireless, and network behavior analysis technologies. The term agent is typically used for host-based IDPS technologies. A management server is a centralized device that receives information from the sensors or agents and manages them. Some management servers perform analysis on the event information that the sensors or agents provide and can identify events that the individual sensors or agents cannot. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Management servers are available as both appliance and software-only products. Some small IDPS deployments do not use any management servers, but most IDPS deployments do. In larger IDPS deployments, there are often multiple management servers, and in some cases there are two tiers of management servers. Centralized audit and log records are essential for quickly investigating network attacks.",
692
+ "severity": "medium"
693
+ },
694
+ {
695
+ "id": "SRG-NET-000110-IDPS-000071",
696
+ "title": "The IDPS management consoles must be logically installed on the management network.",
697
+ "description": "The central management console or data management console server. Provide a central location to store, view, analyze, and produce detailed reports on alerts. This server must be installed on a protected network segment to limit access to normal user traffic.",
698
+ "severity": "medium"
699
+ },
700
+ {
701
+ "id": "SRG-NET-000112-IDPS-000072",
702
+ "title": "The IDPS must produce a system-wide audit trail composed of log records in a standardized format.",
703
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS.\nThe IDPS consists of a management console/server which aggregates the application audit trail log from the sensors and management server. The audit trail log is the application log rather than the sensor events log. The IDPS will also aggregate the sensor event logs from all the sensors onto the management console/server. Centralized audit and log records are essential for quickly investigating network attacks.",
704
+ "severity": "medium"
705
+ },
706
+ {
707
+ "id": "SRG-NET-000113-IDPS-000073",
708
+ "title": "The IDPS must generate log records for alerts determined by the organization to be relevant to the security of the network infrastructure.",
709
+ "description": "Sensor alerts are stored on each sensor and then periodically transferred to a central management or logging server database. Centrally logging the sensor information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Many events such as configuration changes and login success or failure are mandated by this control; however organizations may also define additional events for logging. The sensor's primary responsibility is to monitor its network segment for suspicious activity. The management console is a central management, auditing, and data storage point for a large number of sensors.",
710
+ "severity": "medium"
711
+ },
712
+ {
713
+ "id": "SRG-NET-000114-IDPS-000074",
714
+ "title": "The IDPS must allow administrators to select which rule sets are to be logged at the management console and sensor level.",
715
+ "description": "All sensors of the IDPS must be configurable with the organizationally defined rules. This requirement does not require each sensor be configured with separate rule sets; however, this capability must be available to meet the need to respond to future attack vectors. If administrators do not have granular control of the rule to be applied and logged for later analysis, then malicious attacks may be missed.",
716
+ "severity": "medium"
717
+ },
718
+ {
719
+ "id": "SRG-NET-000115-IDPS-000075",
720
+ "title": "The IDPS must generate log alerts for locally developed sensor rules.",
721
+ "description": "Logging specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. Locally developed sensor rules may be developed incorrectly and may not be configured for proper alerting. These rules implement organizationally defined security policies and are used to tailor the IDPS sensors to meet organizational requirements not provided by default vendor rules and updates (e.g., IAVMs).",
722
+ "severity": "medium"
723
+ },
724
+ {
725
+ "id": "SRG-NET-000118-IDPS-000116",
726
+ "title": "The IDPS must enforce access restrictions associated with changes to the information system.",
727
+ "description": "Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades. This requirement applies to update of the application files, configuration, and signatures. Changes to the operating system will be addressed in the operating system STIG.",
728
+ "severity": "medium"
729
+ },
730
+ {
731
+ "id": "SRG-NET-000119-IDPS-000110",
732
+ "title": "The IDPS must be configured to enable automated mechanisms to enforce access restrictions.",
733
+ "description": "Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades.",
734
+ "severity": "medium"
735
+ },
736
+ {
737
+ "id": "SRG-NET-000120-IDPS-000111",
738
+ "title": "The IDPS must be configured to enable automated mechanisms to support auditing of the enforcement actions.",
739
+ "description": "Changes to the hardware or software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals allowed administrative access to the IDPS for implementing any changes or upgrades. Additionally, maintaining automated log records of access is essential for ensuring configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system.",
740
+ "severity": "medium"
741
+ },
742
+ {
743
+ "id": "SRG-NET-000121-IDPS-000112",
744
+ "title": "The IDPS must prevent the installation of organizationally defined critical software programs not signed with a certificate that is recognized and approved by the organization.",
745
+ "description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Software must be obtained from a trusted patch server not from the vendor. The IDPS sensors should not have to verify the software again. Additional services should not be installed on the sensors.",
746
+ "severity": "medium"
747
+ },
748
+ {
749
+ "id": "SRG-NET-000122-IDPS-000113",
750
+ "title": "The IDPS must enforce a two-person rule for changes to organizationally defined information system components and system-level information.",
751
+ "description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades to system components. Enforcing a two-person rule will ensure the changes have been approved.",
752
+ "severity": "medium"
753
+ },
754
+ {
755
+ "id": "SRG-NET-000123-IDPS-000114",
756
+ "title": "The IDPS must limit privileges to change software resident within software libraries.",
757
+ "description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the IDPS for implementing any changes or upgrades. If the IDPS were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing the appropriate testing, validation, and approval.",
758
+ "severity": "medium"
759
+ },
760
+ {
761
+ "id": "SRG-NET-000124-IDPS-000115",
762
+ "title": "The IDPS must implement automatic safeguards and countermeasures if security functions or mechanisms are changed inappropriately.",
763
+ "description": "Changes to any software components of the IDPS can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals are allowed administrative access to the IDPS for implementing any changes or upgrades. In order to ensure a prompt response to unauthorized changes to IDPS security functions, the organizations will define the safeguards the device must undertake in the event these changes occur.",
764
+ "severity": "medium"
765
+ },
766
+ {
767
+ "id": "SRG-NET-000125-IDPS-000117",
768
+ "title": "The IDPS must employ automated mechanisms to centrally manage configuration settings.",
769
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
770
+ "severity": "medium"
771
+ },
772
+ {
773
+ "id": "SRG-NET-000126-IDPS-000118",
774
+ "title": "The IDPS must employ automated mechanisms to centrally apply configuration settings.",
775
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
776
+ "severity": "medium"
777
+ },
778
+ {
779
+ "id": "SRG-NET-000127-IDPS-000119",
780
+ "title": "The IDPS must employ automated mechanisms to centrally verify configuration settings.",
781
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
782
+ "severity": "medium"
783
+ },
784
+ {
785
+ "id": "SRG-NET-000128-IDPS-000120",
786
+ "title": "The IDPS must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings.",
787
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to initiate an alert when an unauthorized change has been detected.",
788
+ "severity": "medium"
789
+ },
790
+ {
791
+ "id": "SRG-NET-000129-IDPS-000121",
792
+ "title": "The IDPS must ensure that detected unauthorized security-relevant configuration changes are tracked.",
793
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the IDPS can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to track detected unauthorized security-relevant configuration changes.",
794
+ "severity": "medium"
795
+ },
796
+ {
797
+ "id": "SRG-NET-000131-IDPS-000123",
798
+ "title": "The IDPS must not have unnecessary services and capabilities enabled.",
799
+ "description": "A compromised IDPS introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Prevention of network breaches from within the network requires a comprehensive defense-in-depth strategy, including security all devices connecting to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each IDPS is to only enable the services and capabilities required for operation.",
800
+ "severity": "medium"
801
+ },
802
+ {
803
+ "id": "SRG-NET-000131-IDPS-000125",
804
+ "title": "The sensor must be configured to alarm if unexpected protocols for network management enter the subnet.",
805
+ "description": "The management network must detect all attacks on the management hosts. The management network has a range of traffic that is permitted. Some of the following traffic is allowed on the Management Hosts Segment: Trivial File Transfer Protocol (TFTP [UDP 69])-For network device configuration files from devices on the Managed Devices Segment; FTP-Data (TCP 20)-For file transfers to network devices on the Managed Devices Segment and for Internet downloads; FTP-Control (TCP 21)-For file transfers to network devices on the Managed Devices Segment and for Internet downloads; Sysco (UDP 514)-From network devices on the Managed Devices Segment; Telnet (TCP 23)-To network devices on the Managed Devices Segment; SSH (TCP 22)-To network devices on the Managed Devices Segment; Network Time Protocol (NTP [UDP 123])-To synchronize the clocks of all network devices on the Managed Devices Segment; HTTP (TCP 80)-To the Internet and from hosts on other segments to download the host-based IPS agent software; HTTPS (TCP 443)-To network devices on the Managed Devices Segment and the Internet as well as between the host-based IPS Console and its agents; TACACS+ (TCP 49)-For administrator authentication to devices on the Managed Devices Segment; RADIUS (UDP 1812/1813 authentication/accounting)-For authentication of administrator remote-access VPN connections coming from the Remote Administration Segment; ICMP (IP Protocol 1)-Echo request and response to reach network devices on the Managed Devices Segment and the Internet; DNS (UDP 53)-For name translation services for management hosts as they access services on the Internet; Simple Network Management Protocol (SNMP [UDP 161])-To query information from network devices on the Managed Devices Segment; SNMP-Trap (UDP 162)-To receive trap information from network devices on the Managed Devices Segment.",
806
+ "severity": "medium"
807
+ },
808
+ {
809
+ "id": "SRG-NET-000132-IDPS-000124",
810
+ "title": "The IDPS must be configured to prohibit or restrict the use of ports, protocols, and services in accordance with organizationally defined requirements.",
811
+ "description": "A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Prevention of network breaches from within the network requires a comprehensive defense-in-depth strategy, including security all devices connecting to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each IDPS is to only enable the ports, protocols, and services required for operation. The IDPS application must not be configured to use ports, protocols or services which are prohibited by the Ports, Protocol, and Service Management (PPSM) requirements.",
812
+ "severity": "medium"
813
+ },
814
+ {
815
+ "id": "SRG-NET-000132-IDPS-NA",
816
+ "title": "The IDPS must employ automated mechanisms to detect the addition of unauthorized components or devices.",
817
+ "description": "Centrally managing configuration changes for all network devices can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to track the status of applicable vulnerabilities. Keeping an up-to-date inventory of all network devices and their components provides the framework for the implementation of a comprehensive configuration and problem management system. An inventory of components and their features provides a mechanism for tracking vulnerabilities of affected products which can be used for automated patch management and upgrades. Monitoring may be accomplished on an ongoing basis or by the periodic scanning. Automated mechanisms can be implemented within the network.\nCentrally managing configuration of network devices and tracking vulnerable is not the role of an IDPS.",
818
+ "severity": "medium"
819
+ },
820
+ {
821
+ "id": "SRG-NET-000133-IDPS-000122",
822
+ "title": "The IDPS must employ automated mechanisms to prevent program execution in accordance with organization defined specifications.",
823
+ "description": "A compromised IDPS introduces risk to the entire network infrastructure as well as data resources accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Prevention of network breaches from within the network requires a comprehensive defense-in-depth strategy, including security all devices connecting to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each IDPS is to only enable the services required for operation. Any form of automatic execution should be disabled as it can easily be exploited by hackers to infect hosts with malware and viruses.",
824
+ "severity": "medium"
825
+ },
826
+ {
827
+ "id": "SRG-NET-000134-IDPS-000126",
828
+ "title": "A periodic or continuous monitoring IDS or IPS must be installed to scan the network.",
829
+ "description": "Monitoring may be accomplished on an ongoing basis or by the periodic scanning. Automated mechanisms can be implemented within the network.",
830
+ "severity": "medium"
831
+ },
832
+ {
833
+ "id": "SRG-NET-000135-IDPS-000127",
834
+ "title": "The IDPS must support organizational requirements to conduct backups of user-level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives.",
835
+ "description": "User information contained on an IDPS is associated to the users account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network access availability. Backing up this information is a critical step for data recovery.",
836
+ "severity": "low"
837
+ },
838
+ {
839
+ "id": "SRG-NET-000136-IDPS-000128",
840
+ "title": "The IDPS must support organizational requirements to conduct backups of system-level information contained in the information system per organizationally defined frequency.",
841
+ "description": "System information contained on an IDPS contains default and customized attributes, as well as software required for the execution and operation of the device. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network availability. Backing up this information is a critical step for data recovery.",
842
+ "severity": "low"
843
+ },
844
+ {
845
+ "id": "SRG-NET-000137-IDPS-000129",
846
+ "title": "The IDPS must support organizational requirements to conduct backups of information system documentation including security related documentation per organizationally defined frequency that is consistent with recovery time and recovery point object",
847
+ "description": "System information contained on an IDPS contains default and customized attributes as well as software required for the execution and operation of the device. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network availability. Backing up this information is a critical step for data recovery.",
848
+ "severity": "low"
849
+ },
850
+ {
851
+ "id": "SRG-NET-000138-IDPS-NA",
852
+ "title": "The IDPS must enforce the identification and authentication of all organizational users.",
853
+ "description": "Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or IDPS. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly an IDPS providing opportunity for intruders to compromise resources within the network infrastructure. \nThe IDPS does not enforce identification and authentication of all organizational users. Non-privileged users are not authorized to authenticate to the sensors or management consoles.",
854
+ "severity": "medium"
855
+ },
856
+ {
857
+ "id": "SRG-NET-000139-IDPS-000130",
858
+ "title": "The IDPS must use multifactor authentication for network access to privileged accounts.",
859
+ "description": "Multifactor authentication uses two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g. password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA privileged account is defined as: \nAn information system account with authorizations of a privileged user. \n\nNetwork Access is defined as: \nAccess to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).\n\nMultifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.\n",
860
+ "severity": "medium"
861
+ },
862
+ {
863
+ "id": "SRG-NET-000139-IDPS-000131",
864
+ "title": "Management connections to the IDPS must require authentication.",
865
+ "description": "Devices protected with weak password schemes or no password at all, provide the opportunity for anyone to crack the password or gain access to the device and cause network, device, or information damage or denial of service.",
866
+ "severity": "medium"
867
+ },
868
+ {
869
+ "id": "SRG-NET-000140-IDPS-NA",
870
+ "title": "The IDPS must use multi-factor authentication for network access to non-privileged accounts.",
871
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g. password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA non-privileged account is defined as: \nAn information system account with authorizations of a regular or non-privileged user. \n\nNetwork Access is defined as: \nAccess to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).\n\nNon-privileged users are not authorized to authenticate to the sensors or management consoles.\n",
872
+ "severity": "medium"
873
+ },
874
+ {
875
+ "id": "SRG-NET-000141-IDPS-000132",
876
+ "title": "The IDPS must use multi-factor authentication for local access to privileged accounts.",
877
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g. password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nNon-privileged account: An information system account with authorizations of a regular or non-privileged user. \n\nLocal access: Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.\nMultifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.",
878
+ "severity": "medium"
879
+ },
880
+ {
881
+ "id": "SRG-NET-000142-IDPS-NA",
882
+ "title": "The IDPS must use multifactor authentication for local access to non-privileged accounts.",
883
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g. password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nNon-privileged account: An information system account with authorizations of a regular or non-privileged user. \n\nLocal access: Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.\nMultifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.",
884
+ "severity": "medium"
885
+ },
886
+ {
887
+ "id": "SRG-NET-000143-IDPS-000133",
888
+ "title": "System administrators must be authenticated with an individual authenticator prior to using a group authenticator.",
889
+ "description": "To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Sharing group accounts on any device is prohibited. If group accounts are not changed when individuals leave the group, that person could gain control of the network device. However, there are times when they are deemed mission essential. The security architecture of the IDPS and any installed applications must allow use of an individual authenticator (e.g., AAA server or Active Directory authentication) prior to using individual authentications.",
890
+ "severity": "medium"
891
+ },
892
+ {
893
+ "id": "SRG-NET-000144-IDPS-000134",
894
+ "title": "The IDPS must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed.",
895
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g. password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA privileged account is defined as: An information system account with authorizations of a privileged user. \n\nWhen one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as \"out of band two factor authentication\". OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user. One channel could be a mobile device that is registered to the user. Upon a logon attempt, the system sends instructions to the device in the form of on-screen prompts that instruct the user how to complete the login process.\nMultifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.",
896
+ "severity": "medium"
897
+ },
898
+ {
899
+ "id": "SRG-NET-000145-IDPS-NA",
900
+ "title": "The IDPS must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the IDPS being accessed.",
901
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g. password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA non-privileged account is defined as: An information system account with authorizations of a regular or non-privileged user. \n\nWhen one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as \"out of band 2 factor authentication\".\n",
902
+ "severity": "medium"
903
+ },
904
+ {
905
+ "id": "SRG-NET-000146-IDPS-000135",
906
+ "title": "The IDPS must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.",
907
+ "description": "All authentication credentials must be maintained on an authentication server. Messages between the authenticator and the IDPS validating user credentials must not be vulnerable to a replay attack possibly enabling an unauthorized user to gain access to any IDPS. A replay attack is a form of a network attack in which a valid session or series of IP packets is intercepted by a malicious user who at a later time transmits the packets to gain access to the target device.",
908
+ "severity": "medium"
909
+ },
910
+ {
911
+ "id": "SRG-NET-000147-IDPS-NA",
912
+ "title": "The IDPS must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
913
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. The authenticator must be a separate device than the target device for which the individual is requesting access to. Therefore, all authentication credentials must be maintained on an authentication server. Messages between the authenticator and the IDPS validating user credentials must not be vulnerable to a replay attack possibly enabling an unauthorized user to gain access to any IDPS. A replay attack is a form of a network attack in which a valid session or series of IP packets is intercepted by a malicious user who at a later time transmits the packets to gain access to the target device.",
914
+ "severity": "medium"
915
+ },
916
+ {
917
+ "id": "SRG-NET-000148-IDPS-000139",
918
+ "title": "The IDPS must authenticate an organizationally defined list of specific devices by device type before establishing a connection.",
919
+ "description": "An IDPS must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a neighbor and establish a connection to exchange control plane and forwarding plane traffic. A network control plane is comprised of routing, signaling, and link management protocols; all used to establish the forwarding paths required by the data plane. Disrupting the flow of this information or injecting false information breaks down the integrity or believability of path information.",
920
+ "severity": "low"
921
+ },
922
+ {
923
+ "id": "SRG-NET-000149-IDPS-000136",
924
+ "title": "The IDPS must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.",
925
+ "description": "An IDPS must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a neighbor and establish a connection to exchange control plane and forwarding plane traffic. A network control plane is comprised of routing, signaling, and link management protocols; all used to establish the forwarding paths required by the data plane. Disrupting the flow of this information or injecting false information breaks down the integrity or believability of path information. To safeguard these connections it is imperative the connecting device authenticate itself prior to granting access. In the case of peering neighbors, the authentication must be bidirectional. Regardless of the paradigm, authentication must use a form of cryptography to ensure a high level of trust and authenticity.",
926
+ "severity": "medium"
927
+ },
928
+ {
929
+ "id": "SRG-NET-000150-IDPS-000137",
930
+ "title": "The IDPS must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.",
931
+ "description": "Without authentication, an unauthorized device can easily connect to a nearby access-point (AP) within the enclave. In addition, a rogue AP owned by an attacker can accept connections from wireless stations enabling it to intercept traffic and initiate man-in-the-middle attacks before allowing traffic to flow to the intended host. Hence, it is imperative that authentication is bi-directional (mutual authentication) using cryptography to ensure a high level of trust and authenticity.\n\nDevice authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device as deemed appropriate by the organization.\nThe devices typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP Transport\nLayer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide\narea networks.",
932
+ "severity": "medium"
933
+ },
934
+ {
935
+ "id": "SRG-NET-000151-IDPS-000138",
936
+ "title": "The network element must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.",
937
+ "description": "An IDPS must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a neighbor and establish a connection to exchange control plane and forwarding plane traffic. A network control plane is comprised of routing, signaling, and link management protocols; all used to establish the forwarding paths required by the data plane. Disrupting the flow of this information or injecting false information breaks down the integrity or believability of path information. To safeguard these connections it is imperative the connecting device authenticate itself prior to granting access. In the case of peering neighbors, the authentication must be bidirectional. Regardless of the paradigm, authentication must use a form of cryptography to ensure a high level of trust and authenticity.",
938
+ "severity": "medium"
939
+ },
940
+ {
941
+ "id": "SRG-NET-000152-IDPS-NA",
942
+ "title": "The IDPS must dynamically manage identifiers, attributes, and associated access authorizations to enable user access to the network with the appropriate and authorized privileges.",
943
+ "description": "Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. The W3C defines a web service a, \"a software system designed to support interoperable machine to machine interaction over a network. It has an interface described in a machine processable format (specifically Web Services Description Language or WSDL). Other systems interact with the web service in a manner prescribed by its description using SOAP messages typically conveyed using HTTP with an XML serialization in conjunction with other web-related standards\". Web services provide different challenges in managing access than what is presented by typical user based applications. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. In contrast to conventional approaches to identification and authentication which employ static information system accounts for preregistered users, many service-oriented architecture implementations rely on establishing identities at run time for entities that were previously unknown. Dynamic establishment of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.",
944
+ "severity": "medium"
945
+ },
946
+ {
947
+ "id": "SRG-NET-000153-IDPS-000142",
948
+ "title": "The IDPS must enforce minimum password length.",
949
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Password length is one factor in determining password strength. Use of a longer password string will exponentially increase the time and/or resources required to compromise the password.\nInformation systems not protected with strong password schemes including passwords of minimum length provide the opportunity for anyone to crack the password thus gaining access to the system and causing the device, information, or the local network to be compromised or a denial of service. \n\n",
950
+ "severity": "medium"
951
+ },
952
+ {
953
+ "id": "SRG-NET-000154-IDPS-000143",
954
+ "title": "The IDPS must prohibit password reuse for the organizationally defined number of generations.",
955
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user.",
956
+ "severity": "medium"
957
+ },
958
+ {
959
+ "id": "SRG-NET-000155-IDPS-000150",
960
+ "title": "The IDPS must enforce password complexity by the number of upper case characters used.",
961
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
962
+ "severity": "low"
963
+ },
964
+ {
965
+ "id": "SRG-NET-000156-IDPS-000151",
966
+ "title": "The IDPS must enforce password complexity by the number of lower case characters used.",
967
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
968
+ "severity": "medium"
969
+ },
970
+ {
971
+ "id": "SRG-NET-000157-IDPS-000149",
972
+ "title": "The IDPS must enforce password complexity by the number of numeric characters used.",
973
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
974
+ "severity": "low"
975
+ },
976
+ {
977
+ "id": "SRG-NET-000158-IDPS-000141",
978
+ "title": "The IDPS must enforce password complexity by the number of special characters used.",
979
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.\nUse of a complex password helps to increase the time and resources required to compromise the password.",
980
+ "severity": "medium"
981
+ },
982
+ {
983
+ "id": "SRG-NET-000159-IDPS-000148",
984
+ "title": "The IDPS must enforce the number of characters changed when passwords are changed.",
985
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. It is imperative when changing the password it results in a password not similar to the previous password.",
986
+ "severity": "low"
987
+ },
988
+ {
989
+ "id": "SRG-NET-000160-IDPS-000147",
990
+ "title": "The IDPS must enforce password encryption for storage.",
991
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. The IDPS can be compromised by personnel with physical access to the communication room. It is imperative for passwords to be stored encrypted, so they cannot be viewed by unauthorized staff.",
992
+ "severity": "high"
993
+ },
994
+ {
995
+ "id": "SRG-NET-000161-IDPS-000144",
996
+ "title": "The IDPS must enforce password encryption for transmission.",
997
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. The IDPS can be compromised by personnel with access to the network. Passwords sent in the clear can be intercepted and used by unauthorized personnel to gain administrative access to the IDPS. It is imperative to encrypt passwords before transmitting during any authentication process.",
998
+ "severity": "high"
999
+ },
1000
+ {
1001
+ "id": "SRG-NET-000162-IDPS-000146",
1002
+ "title": "The IDPS must enforce minimum password lifetime restrictions.",
1003
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. \nA password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user. However, changing the password too frequently may result in the user changing a small portion of the password, or the user could mishandle the password in an attempt to remember the new password.",
1004
+ "severity": "medium"
1005
+ },
1006
+ {
1007
+ "id": "SRG-NET-000163-IDPS-000145",
1008
+ "title": "The IDPS must enforce maximum password lifetime restrictions.",
1009
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user.",
1010
+ "severity": "medium"
1011
+ },
1012
+ {
1013
+ "id": "SRG-NET-000164-IDPS-000152",
1014
+ "title": "The IDPS must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.",
1015
+ "description": "A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the \"root certificate\" or \"trust anchors\" such as a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted.",
1016
+ "severity": "medium"
1017
+ },
1018
+ {
1019
+ "id": "SRG-NET-000165-IDPS-000153",
1020
+ "title": "The IDPS must enforce authorized access to the corresponding private key for PKI-based authentication.",
1021
+ "description": "The principle factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.",
1022
+ "severity": "medium"
1023
+ },
1024
+ {
1025
+ "id": "SRG-NET-000166-IDPS-000154",
1026
+ "title": "The IDPS must map the authenticated identity to the user account for PKI-based authentication.",
1027
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.",
1028
+ "severity": "medium"
1029
+ },
1030
+ {
1031
+ "id": "SRG-NET-000167-IDPS-000155",
1032
+ "title": "The IDPS must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.",
1033
+ "description": "Authorization for access to any IDPS requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined frequency. During the authentication process, malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the IDPS and the authentication server or even walking by a user logging on and viewing what had been keyed in. It is imperative the IDPS prevents any form of authentication feedback that can be used to learn account passwords.",
1034
+ "severity": "medium"
1035
+ },
1036
+ {
1037
+ "id": "SRG-NET-000168-IDPS-000156",
1038
+ "title": "For password protection, the IDPS must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.",
1039
+ "description": "the IDPS not protected with strong passwords provide the opportunity for anyone to crack the password thus gaining access to the system and the network. All passwords must be kept and known only by the account user who created the password. Malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the IDPS and the authentication server. It is imperative the authentication process implements cryptographic modules adhering to the higher standards approved by the federal government.",
1040
+ "severity": "medium"
1041
+ },
1042
+ {
1043
+ "id": "SRG-NET-000169-IDPS-NA",
1044
+ "title": "The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.",
1045
+ "description": "Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Access to the network must be categorized as administrator, user, or guest, so the appropriate authorization can be assigned to the user requesting access to the network or a network element. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.",
1046
+ "severity": "medium"
1047
+ },
1048
+ {
1049
+ "id": "SRG-NET-000170-IDPS-000158",
1050
+ "title": "The IDPS must employ automated mechanisms to assist in the tracking of security incidents.",
1051
+ "description": "Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. \nAn automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any compromised network or the IDPS. Incident response teams can perform root cause analysis, determine how the exploit proliferated, identify all affected nodes, as well as, contain and eliminate the threat.\n",
1052
+ "severity": "medium"
1053
+ },
1054
+ {
1055
+ "id": "SRG-NET-000171-IDPS-000091",
1056
+ "title": "The IDPS must invoke a system shutdown in the event of the log failure, unless an alternative audit capability exists.",
1057
+ "description": "It is critical when a network device is at risk of failing to process audit logs as required; it takes action to mitigate the failure. If the device were to continue processing without auditing enabled, a network device or the network itself could be compromised without any information that can be used for the trace back of an attack and for forensic analysis.",
1058
+ "severity": "medium"
1059
+ },
1060
+ {
1061
+ "id": "SRG-NET-000172-IDPS-000159",
1062
+ "title": "The IDPS must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only.",
1063
+ "description": "With the growth of widespread network delivered malware infections, organizations tend to overlook the spread of malware from system to system through removable media. Once an infected media is connected to the information system, any worms on it will spread through the system. Maintenance tools connecting to an IDPS for diagnostics could be carrying malware; therefore, their use must be restricted to authorized personnel.",
1064
+ "severity": "medium"
1065
+ },
1066
+ {
1067
+ "id": "SRG-NET-000173-IDPS-000160",
1068
+ "title": "The IDPS must log non-local maintenance and diagnostic sessions.",
1069
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured IDPS. If events associated with a non-local administrative access or diagnostic session are not logged, a major tool for assessing and investigating attacks would not be available.\nThis requirement pertains to the use of privileged access when using the GUI or SSH to connect non-locally for the purpose of diagnostic session on the servers and network elements.",
1070
+ "severity": "low"
1071
+ },
1072
+ {
1073
+ "id": "SRG-NET-000174-IDPS-000162",
1074
+ "title": "The IDPS must protect non-local maintenance sessions through the use of two-factor authentication.",
1075
+ "description": "Without authentication anyone with logical access can access IDPS components allowing intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Authorization for access to any IDPS requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following:\n\n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric).\n",
1076
+ "severity": "medium"
1077
+ },
1078
+ {
1079
+ "id": "SRG-NET-000175-IDPS-000161",
1080
+ "title": "The IDPS must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption.",
1081
+ "description": "Network management is the process of monitoring the IDPS and links, configuring the IDPS, and enabling network services. Network management also includes the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out of band (OOB) management for the IDPS is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. The management network should have a direct link with local connection to the managed the IDPS. Where this is not possible, the management traffic can traverse over the production network or transient IP backbone via private encrypted tunnel. The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not be accessible from the NOC using scalable and normal control plane and forwarding mechanisms.",
1082
+ "severity": "medium"
1083
+ },
1084
+ {
1085
+ "id": "SRG-NET-000176-IDPS-000163",
1086
+ "title": "The IDPS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.",
1087
+ "description": "Network management is the process of monitoring the IDPS and links, configuring the IDPS, and enabling network services. Network management also includes the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a NOC, achieving network management objectives depends on comprehensive and reliable network management solutions. If packets associated with these sessions are not encrypted, the integrity and confidentiality of non-local maintenance and diagnostics is at risk.\n\nTo provide confidentiality, the data encryption algorithm must meet the following requirements:\n(i) Data encryption algorithm shall be AES using the appropriate key size (128 or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB and XTS. \n(ii) The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38 A.\n(iii) The implementation must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.",
1088
+ "severity": "medium"
1089
+ },
1090
+ {
1091
+ "id": "SRG-NET-000177-IDPS-000164",
1092
+ "title": "The IDPS must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.",
1093
+ "description": "Lack of authentication enables anyone to gain access to the network or possibly an IDPS providing opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Authorization for access to any IDPS to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.",
1094
+ "severity": "medium"
1095
+ },
1096
+ {
1097
+ "id": "SRG-NET-000178-IDPS-000165",
1098
+ "title": "The IDPS must terminate all sessions when non-local maintenance is completed.",
1099
+ "description": "In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated; thereby, freeing device resources and eliminating any possibility of an unauthorized user being orphaned to an open idle session of the managed device.",
1100
+ "severity": "medium"
1101
+ },
1102
+ {
1103
+ "id": "SRG-NET-000179-IDPS-000166",
1104
+ "title": "The IDPS must use cryptographic mechanisms to protect and restrict access to information on portable digital media.",
1105
+ "description": "When data is written to portable digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection.",
1106
+ "severity": "medium"
1107
+ },
1108
+ {
1109
+ "id": "SRG-NET-000180-IDPS-000167",
1110
+ "title": "The IDPS must employ cryptographic mechanisms to protect information in storage.",
1111
+ "description": "When data is written to digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring physical protection. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls to the facility where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information. The strength of mechanisms is commensurate with the classification and sensitivity of the information.\nSensor event logs and application audit logs must be encrypted while in storage on the sensors or management console hard drive or other digital media.",
1112
+ "severity": "medium"
1113
+ },
1114
+ {
1115
+ "id": "SRG-NET-000181-IDPS-000168",
1116
+ "title": "The IDPS must be configured to detect the presence of unauthorized software on organizational information systems.",
1117
+ "description": "The goal of running vulnerability assessment scans is to identify devices on your network that are open to known vulnerabilities. Malicious software such as Trojan horses, hacker tools, DDoS (Distributed Denial of Service) agents, and spyware can establish a management console on individual desktops and servers. Many of these are not detected by anti-virus software or even host intrusion detection systems. Without the detection and prevention of malicious software, unauthorized users may gain access to sensitive data by assuming the identity of authorized users.",
1118
+ "severity": "medium"
1119
+ },
1120
+ {
1121
+ "id": "SRG-NET-000181-IDPS-000169",
1122
+ "title": "The IDPS administrator will review whitelists and blacklists regularly and validate all entries to ensure they are still accurate and necessary.",
1123
+ "description": "A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously determined to be associated with malicious activity. Blacklists, also known as hot lists, are typically used to allow the IDPS to recognize and block activity that is highly likely to be malicious, and may also be used to assign a higher priority to alerts that match entries on the blacklists. Some IDPS generate dynamic blacklists that are used to temporarily block recently detected threats. A whitelist is a list of discrete entities that are known to be benign. Whitelists are typically used on a granular basis, such as protocol-by-protocol, to reduce or ignore false positives involving known benign activity from trusted hosts. Whitelists and blacklists are most commonly used in signature-based detection and stateful protocol analysis. Without the use of validated and up-to-date blacklists and whitelists, recently discovered malicious software, sites, or protocols may be missed by the IDPS monitoring functionality.",
1124
+ "severity": "medium"
1125
+ },
1126
+ {
1127
+ "id": "SRG-NET-000182-IDPS-NA",
1128
+ "title": "The network elements must separate user traffic from network management traffic.",
1129
+ "description": "Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services, the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out-of-band (OOB) management for network element is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities.",
1130
+ "severity": "medium"
1131
+ },
1132
+ {
1133
+ "id": "SRG-NET-000183-IDPS-000186",
1134
+ "title": "The IDPS must prevent the exposure of network management traffic onto a user or production network.",
1135
+ "description": "Network management is the process of monitoring the IDPS and links, configuring the IDPS to turn up and disable network services, the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out of band (OOB) management for the IDPS is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. If management traffic traverses the user network, privileged information could be leaked to unauthorized users. The IDPS is not a subnetting device; however, sensor can be placed to monitor each subnet for possible leaks between the user production network and the management network to provide added assurance for traffic separation.",
1136
+ "severity": "medium"
1137
+ },
1138
+ {
1139
+ "id": "SRG-NET-000184-IDPS-000200",
1140
+ "title": "The IDPS must isolate security functions from non-security functions.",
1141
+ "description": "The IDPS must be designed and configured to isolate security functions isolate security functions from non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide separation between processes having different security levels. These processes are used by the hardware, software, and firmware of the IDPS components to perform various functions. The IDPS application must maintain a separate execution domain (e.g., address space) for each executing process to minimize the risk of leakage or corruption of privileged information. \nThis control is normally a function of the IDPS application design and is usually not a configurable setting; however, if there may be settings in some IDPS applications that must be configured to optimize function isolation.",
1142
+ "severity": "medium"
1143
+ },
1144
+ {
1145
+ "id": "SRG-NET-000186-IDPS-000197",
1146
+ "title": "The IDPS must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions.",
1147
+ "description": "The IDPS must be designed and configured to isolate security functions enforcing access and information flow control. Isolation must separate processes that perform security functions from those performing non-security. An isolation boundary is implemented via partitions and domains. This boundary must provide access control and integrity protection of the hardware, software, and firmware of the IDPS components. The IDPS application must maintain a separate execution domain (e.g., address space) for each executing process to minimize the risk of leakage or corruption of privileged information. This control is normally a function of the IDPS application design and is usually not a configurable setting; however, if there may be settings in some IDPS applications that must be configured to optimize function isolation.",
1148
+ "severity": "medium"
1149
+ },
1150
+ {
1151
+ "id": "SRG-NET-000187-IDPS-000198",
1152
+ "title": "The IDPS must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.",
1153
+ "description": "The IDPS must be designed and configured to minimize the number of non-security functions included within the boundary containing security functions. An isolation boundary, implemented via partitions and domains, must be used to minimize the mixture of these functions, thus minimizing the risk of leakage or corruption of privileged information. \nThis control is normally a function of the IDPS application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.",
1154
+ "severity": "medium"
1155
+ },
1156
+ {
1157
+ "id": "SRG-NET-000189-IDPS-000199",
1158
+ "title": "The IDPS must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
1159
+ "description": "The IDPS must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. \nThis control is normally a function of the IDPS application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.",
1160
+ "severity": "medium"
1161
+ },
1162
+ {
1163
+ "id": "SRG-NET-000190-IDPS-000201",
1164
+ "title": "The IDPS must prevent unauthorized and unintended information transfer via shared system resources.",
1165
+ "description": "The purpose of this control is to prevent information produced by the actions of a prior user, role, or the actions of a process acting on behalf of a prior user/role from being available to any current user, role, or current process obtaining access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the IDPS. Control of information in shared resources is also referred to as object reuse.",
1166
+ "severity": "medium"
1167
+ },
1168
+ {
1169
+ "id": "SRG-NET-000191-IDPS-NA",
1170
+ "title": "The IDPS must protect against or limits the effects of Denial of Service (DoS) attacks.",
1171
+ "description": "An IDPS experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and eventually black hole production traffic. \nThe device must be configured to thwart, counter, or prevent such attacks. HIDS is not within the scope of this document.",
1172
+ "severity": "medium"
1173
+ },
1174
+ {
1175
+ "id": "SRG-NET-000192-IDPS-NA",
1176
+ "title": "The IDPS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.",
1177
+ "description": "An IDPS experiencing a DoS attack will not be able to handle the production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and eventually black hole production traffic. \nThe device must be configured to block such attacks. HIDS is not within the scope of this document.",
1178
+ "severity": "medium"
1179
+ },
1180
+ {
1181
+ "id": "SRG-NET-000193-IDPS-NA",
1182
+ "title": "The IDPS must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks.",
1183
+ "description": "An IDPS experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and eventually black hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. \nHIDS is not within the scope of this document.",
1184
+ "severity": "medium"
1185
+ },
1186
+ {
1187
+ "id": "SRG-NET-000194-IDPS-000202",
1188
+ "title": "The IDPS must limit and reserve bandwidth based on the priority of the traffic type.",
1189
+ "description": "Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework. This framework differentiates traffic types and provides a method of avoiding and managing network congestion. A QoS implementation categorizes network traffic into classes and provides priority treatment based on the classification. If QoS is not implemented, network congestion occurs causing poor network service because all traffic has an equal chance of being dropped. \nAn additional IDPS component, a load balancer, is recommended for use with larger networks.",
1190
+ "severity": "medium"
1191
+ },
1192
+ {
1193
+ "id": "SRG-NET-000195-IDPS-000203",
1194
+ "title": "The IPS must check inbound traffic to ensure that the communications are coming from an authorized source and routed to an authorized destination.",
1195
+ "description": "Spoofing source addresses occurs when a malicious user outside the network has created packets with source address belonging to the private address space of the target network. This is done in an attempt to slip through perimeter as a member host to gain access to internal resources or to conceal identity to perform an attack. It is imperative that all inbound and outbound traffic with spoofed or invalid source addresses are blocked. If inbound traffic is not monitored to make sure source and destination of packets are authorized, then malicious users outside the network may be able to send packets to the private, trusted network.",
1196
+ "severity": "medium"
1197
+ },
1198
+ {
1199
+ "id": "SRG-NET-000196-IDPS-NA",
1200
+ "title": "The IDPS must implement host-based boundary protection mechanisms.",
1201
+ "description": "The network element, dependent on the underlying operating system, is at greater risk due to software vulnerabilities and access capabilities. It is critical these devices have host-based IDS and firewalls installed and implemented to provide additional security for the network component.",
1202
+ "severity": "medium"
1203
+ },
1204
+ {
1205
+ "id": "SRG-NET-000197-IDPS-NA",
1206
+ "title": "The IDPS must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.",
1207
+ "description": "To secure the enclave, the site must implement defense-in-depth security. This requires the deployment of various network security elements at strategic locations. The enclave must also be segregated into separate subnets with unique security policies. Subnetting provides a number of essential network services (e.g., public content, remote access, perimeter protection). If isolation techniques such as subnetting are not used, unauthorized access to privileged information could result.",
1208
+ "severity": "medium"
1209
+ },
1210
+ {
1211
+ "id": "SRG-NET-000198-IDPS-000205",
1212
+ "title": "The IDPS must receive all management traffic through a dedicated management interface.",
1213
+ "description": "Implementing out of band (OOB) management for the IDPS is the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management; thereby providing traffic separation that will increase security for all network management activities. The management network should have a direct connection to the management interface of the sensors and management console. Where this is not possible, the OOB management traffic can traverse over a transient IP backbone via private encrypted tunnel. Regardless of transport, all management traffic received by the managed IDPS must be received by a dedicated management interface connected to the OOBM network. If management traffic is allowed onto the user network segments, privileged information may be intercepted by non-privileged users which could lead to the compromise of network devices.\nIDPS sensors are installed in stealth mode with one interface installed on the management network. This interface is used for communications with the management console and other network elements. The management console is installed on the management network.",
1214
+ "severity": "medium"
1215
+ },
1216
+ {
1217
+ "id": "SRG-NET-000199-IDPS-000206",
1218
+ "title": "The IDPS must prevent discovery of specific system components or devices comprising a managed interface.",
1219
+ "description": "Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. In addition, responding to the sending node that a packet cannot be forwarded as the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages. To mitigate the risk of reconnaissance or a Denial of Service (DoS) attack, all external-facing interfaces must be configured to silently drop unreachable traffic, not announce network address information, and to ignore neighbor solicitation messages.\nIDPS sensors are installed in stealth mode with one interface installed on the management network. This interface is used for communications with the management console and other network elements. The management console is installed on the management network.",
1220
+ "severity": "medium"
1221
+ },
1222
+ {
1223
+ "id": "SRG-NET-000200-IDPS-000207",
1224
+ "title": "The IPS must enforce strict adherence to protocol format.",
1225
+ "description": "Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by malicious people to exploit a host's protocol stack to create a Denial of Service (DoS) or force a device reset, bypass security gateway filtering, or compromise a vulnerable device. It is imperative these packets are recognized and discarded at the network perimeter.",
1226
+ "severity": "medium"
1227
+ },
1228
+ {
1229
+ "id": "SRG-NET-000201-IDPS-000208",
1230
+ "title": "The IPS must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices.",
1231
+ "description": "The enclave's internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of the enclave. The initial defense for the internal network is to block any traffic at the perimeter attempting to make a connection to a host residing on the internal network.",
1232
+ "severity": "medium"
1233
+ },
1234
+ {
1235
+ "id": "SRG-NET-000202-IDPS-NA",
1236
+ "title": "The IPS must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.",
1237
+ "description": "All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal network is to block any traffic at the perimeter that is attempting to make a connection to a host residing on the internal network. In addition, allowing unknown or undesirable outbound traffic by the firewall or router will establish state that will subsequently permit the return of this undesirable traffic inbound.",
1238
+ "severity": "medium"
1239
+ },
1240
+ {
1241
+ "id": "SRG-NET-000203-IDPS-NA",
1242
+ "title": "The network element must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.",
1243
+ "description": "A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network such as web server, web mail, and chat rooms. This prevents any hackers on the outside of learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to-the proxy server is in the middle handling both sides of the session. Hence, all routing devices must forward traffic to the appropriate proxy to filter the traffic and initiate the sessions with the external server.",
1244
+ "severity": "medium"
1245
+ },
1246
+ {
1247
+ "id": "SRG-NET-000204-IDPS-000209",
1248
+ "title": "The IPS must monitor and enforce filtering of internal addresses posing a threat to external information systems.",
1249
+ "description": "Monitoring and filtering the outbound traffic adds a layer of protection to the enclave. \nUnlike an IDS, an IPS can both detect and take action to prevent harmful traffic from leaving the network. Blocking harmful outbound traffic can also prevent the network from being used as the source of an attack.",
1250
+ "severity": "medium"
1251
+ },
1252
+ {
1253
+ "id": "SRG-NET-000205-IDPS-000210",
1254
+ "title": "The IPS must monitor and control traffic at both the external and internal boundary interfaces.",
1255
+ "description": "Monitoring and controlling both inbound and outbound and inbound network traffic adds a layer of protection to the enclave. Unlike an IDS, an IPS can both detect and take action to prevent harmful traffic from leaving the network. Blocking harmful inbound and outbound traffic can also prevent the network from being used as the source of an attack.",
1256
+ "severity": "medium"
1257
+ },
1258
+ {
1259
+ "id": "SRG-NET-000206-IDPS-NA",
1260
+ "title": "The network element must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.",
1261
+ "description": "The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the enclave, in addition to being a good Internet citizen by preventing your network from being used as an attack base. All network elements must be configured to ensure all traffic is forwarded through the perimeter security infrastructure when sending traffic to external destinations.",
1262
+ "severity": "medium"
1263
+ },
1264
+ {
1265
+ "id": "SRG-NET-000207-IDPS-000213",
1266
+ "title": "The IDPS must protect the integrity of transmitted information.",
1267
+ "description": "The IDPS must employ cryptographic mechanisms to recognize changes to information during transmission unless the transmission is otherwise protected by alternative physical measures. If connectivity is provided by a commercial service provider rather than a dedicated service, obtaining the necessary assurances regarding the implementation of needed security controls for transmission integrity may not be possible. Without cryptographic integrity controls, information traveling over commercial networks could be altered or compromised during transmission. Therefore, these controls must be obtained from the service provider using appropriate contracting vehicles. If this is not feasible, then the organization will implement physical or logical compensating security controls.",
1268
+ "severity": "medium"
1269
+ },
1270
+ {
1271
+ "id": "SRG-NET-000208-IDPS-000211",
1272
+ "title": "The IDPS must use cryptographic mechanisms to protect the integrity of information while in transit.",
1273
+ "description": "This control applies to communications across internal and external networks, unless the information is protected by a physical security solution (e.g., Protective Distribution System [PDS] or physical access control) while in transit. The IDPS must employ cryptographic mechanisms to recognize changes to information during transmission unless the transmission is otherwise protected by alternative physical measures. If connectivity is provided by a commercial service provider rather than a dedicated service, obtaining the necessary assurances regarding the implementation of needed security controls for transmission integrity may not be possible. Without cryptographic integrity controls, information traveling over commercial networks could be altered or compromised during transmission. Therefore, these controls must be obtained from the service provider using appropriate contracting vehicles. If this is not feasible, then the organization will implement physical or logical compensating security controls.",
1274
+ "severity": "medium"
1275
+ },
1276
+ {
1277
+ "id": "SRG-NET-000209-IDPS-000212",
1278
+ "title": "The IDPS must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.",
1279
+ "description": "This control applies to communications across internal and external networks. The IDPS must employ cryptographic mechanisms to recognize changes to information while preparing information for transmission unless the transmission is otherwise protected by alternative physical measures. If connectivity is provided by a commercial service provider rather than a dedicated service, obtaining the necessary assurances regarding the implementation of needed security controls for transmission integrity may not be possible. Without cryptographic integrity controls, information traveling over commercial networks could be altered or compromised during transmission. Therefore, these controls must be obtained from the service provider using appropriate contracting vehicles. If this is not feasible, then the organization will implement physical or logical compensating security controls. The IDPS does not provide transmission service integrity protections over commercial lines.",
1280
+ "severity": "medium"
1281
+ },
1282
+ {
1283
+ "id": "SRG-NET-000210-IDPS-000215",
1284
+ "title": "The IDPS must protect the confidentiality of transmitted information.",
1285
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1286
+ "severity": "medium"
1287
+ },
1288
+ {
1289
+ "id": "SRG-NET-000211-IDPS-000214",
1290
+ "title": "The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.",
1291
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1292
+ "severity": "medium"
1293
+ },
1294
+ {
1295
+ "id": "SRG-NET-000212-IDPS-NA",
1296
+ "title": "The IDPS must maintain the confidentiality of information during aggregation and encapsulation in preparation for transmission.",
1297
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1298
+ "severity": "medium"
1299
+ },
1300
+ {
1301
+ "id": "SRG-NET-000213-IDPS-000171",
1302
+ "title": "The IDPS must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.",
1303
+ "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed IDPS and a PC or terminal server when the latter has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed IDPS as well as reduce the risk of a management session from being hijacked.",
1304
+ "severity": "medium"
1305
+ },
1306
+ {
1307
+ "id": "SRG-NET-000214-IDPS-000172",
1308
+ "title": "The IDPS must establish a trusted communications path between the user and organizationally defined security functions within the information system.",
1309
+ "description": "To safeguard critical information that could be used by a malicious user to compromise the device or the entire network infrastructure, a trusted path is required for high-confidence connections between the security functions (i.e., login) of the IDPS and the user.",
1310
+ "severity": "medium"
1311
+ },
1312
+ {
1313
+ "id": "SRG-NET-000215-IDPS-NA",
1314
+ "title": "The IDPS must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.",
1315
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial of Service. The secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1316
+ "severity": "medium"
1317
+ },
1318
+ {
1319
+ "id": "SRG-NET-000216-IDPS-NA",
1320
+ "title": "The IDPS must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.",
1321
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial-of-Service. The secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1322
+ "severity": "medium"
1323
+ },
1324
+ {
1325
+ "id": "SRG-NET-000217-IDPS-NA",
1326
+ "title": "The IDPS must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.",
1327
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial-of-Service. The secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1328
+ "severity": "medium"
1329
+ },
1330
+ {
1331
+ "id": "SRG-NET-000218-IDPS-NA",
1332
+ "title": "The IDPS must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.",
1333
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial-of-Service. The secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1334
+ "severity": "medium"
1335
+ },
1336
+ {
1337
+ "id": "SRG-NET-000219-IDPS-000176",
1338
+ "title": "The IDPS must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.",
1339
+ "description": "It is imperative the authentication process and the transmission of network management traffic implements cryptographic modules adhering to the standards approved by the federal government. If approved encryption and/or hashing methods are not used during the authentication process, malicious users can gain knowledge of passwords and other configuration information by sniffing IDPS traffic on the network.\nFIPS-validated or NSA-approved cryptographic modules must be used by the IDPS whenever cryptographic protection is required.",
1340
+ "severity": "medium"
1341
+ },
1342
+ {
1343
+ "id": "SRG-NET-000219-IDPS-000177",
1344
+ "title": "IDPS auxiliary port(s) must be disabled if not approved for use.",
1345
+ "description": "IDS and IPS devices may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. This is not a recommended practice since it bypasses the network infrastructure and depends on authentication provided by the device itself. Use of directly attached modems risks sending management communications over commercial circuits and the risk of war-dialing attacks on the device could degrade the device and the production network. Where auxiliary ports are used for remote access, both the modem and the port must be configured to use authentication and encrypted communications.",
1346
+ "severity": "medium"
1347
+ },
1348
+ {
1349
+ "id": "SRG-NET-000219-IDPS-000178",
1350
+ "title": "Modems used for remote access to the IDPS, must be able to authenticate users using two-factor authentication.",
1351
+ "description": "IDPS management consoles may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. This is not a recommended practice since it bypasses the network infrastructure since it often relies upon authentication and access control provided by the device itself. Use of directly attached modems without authentication risks the compromise of privileged communications over commercial circuits. However, there may be use cases where this type of access is mission essential. Modems may be attached to auxiliary ports only if they are secured using two-factor authentication. System administrators must be authenticated using a hardware token (e.g., key fob) and granted access to the appropriate maintenance port, thus the technician will gain access to the system. The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.",
1352
+ "severity": "high"
1353
+ },
1354
+ {
1355
+ "id": "SRG-NET-000220-IDPS-000173",
1356
+ "title": "The IDPS must employ FIPS-validated cryptography to protect unclassified information.",
1357
+ "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. Hence it is imperative that transmission of traffic that requires privacy utilize FIPS-validated cryptography. Traffic between the management console, sensor, and/or other network elements must be protected by cryptographic mechanisms.",
1358
+ "severity": "medium"
1359
+ },
1360
+ {
1361
+ "id": "SRG-NET-000221-IDPS-000170",
1362
+ "title": "The IDPS must employ NSA-approved cryptography to protect classified information.",
1363
+ "description": "Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted. During the authentication process, malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the IDPS and the authentication server. It is imperative the authentication process and the transmission of network management traffic implements NSA-approved cryptography.",
1364
+ "severity": "medium"
1365
+ },
1366
+ {
1367
+ "id": "SRG-NET-000222-IDPS-000174",
1368
+ "title": "The IDPS must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
1369
+ "description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS-validated cryptography must be used to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. \nTraffic between the management console, sensor, and/or other network elements must be protected by cryptographic mechanisms.",
1370
+ "severity": "medium"
1371
+ },
1372
+ {
1373
+ "id": "SRG-NET-000224-IDPS-000179",
1374
+ "title": "The IDPS must protect the integrity and availability of publicly available information and applications.",
1375
+ "description": "Public-facing servers enable access to information by clients outside of the enclave. These servers are subject to greater exposure to attacks. It is imperative that the integrity of the data is maintained to ensure the enclave does not provide false or erroneous information. The IDPS must provide the necessary protection to ensure availability and integrity of the data and to reduce or eliminate Denial-of-Service (DoS) attacks directed against the servers on the public-facing segment. A sensor must be installed to monitor and scan the publicly available segment (e.g., public DMZ).",
1376
+ "severity": "medium"
1377
+ },
1378
+ {
1379
+ "id": "SRG-NET-000225-IDPS-000181",
1380
+ "title": "The IDPS must associate security attributes with information exchanged between information systems.",
1381
+ "description": "Security attributes are associated with internal structures within the IDPS application used to enable the implementation of access control and flow control policies or support other aspects of the information security policy. It is crucial these attributes are associated and validated to ensure access control and flow control policies are properly implemented. \nThe IDPS communicates with other systems to transmit notices and sensor logs or to update other network elements (e.g., IPS updating the router or firewall ACLs).",
1382
+ "severity": "medium"
1383
+ },
1384
+ {
1385
+ "id": "SRG-NET-000226-IDPS-000180",
1386
+ "title": "The IDPS must validate the integrity of security attributes exchanged between information systems.",
1387
+ "description": "Security attributes are associated with internal structures within the IDPS used to enable the implementation of access control and flow control policies or support other aspects of the information security policy. It is crucial these attributes are associated and validated to ensure access control and flow control policies are properly implemented. \nThe IDPS communicates with other systems to transmit notices and sensor logs or to update other network elements (e.g., IPS updating the router or firewall ACLs).",
1388
+ "severity": "medium"
1389
+ },
1390
+ {
1391
+ "id": "SRG-NET-000227-IDPS-NA",
1392
+ "title": "The IDPS must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.",
1393
+ "description": "For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This requirement focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, application-specific time services.",
1394
+ "severity": "medium"
1395
+ },
1396
+ {
1397
+ "id": "SRG-NET-000228-IDPS-000183",
1398
+ "title": "The IDPS must implement detection and inspection mechanisms to identify unauthorized mobile code.",
1399
+ "description": "The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approach. However, mobile code introduces risk to the IT infrastructure. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. This code must be detected before it infiltrates the enclave.",
1400
+ "severity": "medium"
1401
+ },
1402
+ {
1403
+ "id": "SRG-NET-000229-IDPS-000182",
1404
+ "title": "The IDPS must take corrective action when unauthorized mobile code is identified.",
1405
+ "description": "The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approach. However, mobile code introduces risk to the IT infrastructure. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. This code must be detected before it infiltrates the enclave. When detected, the IDPS must log and drop the traffic containing the mobile code.",
1406
+ "severity": "medium"
1407
+ },
1408
+ {
1409
+ "id": "SRG-NET-000230-IDPS-000187",
1410
+ "title": "The IDPS must provide mechanisms to protect the authenticity of communications sessions.",
1411
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between the IDPS can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS authenticates the source involved in sending the information.",
1412
+ "severity": "low"
1413
+ },
1414
+ {
1415
+ "id": "SRG-NET-000231-IDPS-000188",
1416
+ "title": "The IDPS must invalidate session identifiers upon user logout or other session termination.",
1417
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between the IDPS can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS authenticates the source involved in sending the information. Unique session identifier must also be used to reduce the risk of session hi-jacking. These session identifiers must be released and invalidated upon user logout or session termination to prevent exploitation by attackers.",
1418
+ "severity": "medium"
1419
+ },
1420
+ {
1421
+ "id": "SRG-NET-000232-IDPS-000189",
1422
+ "title": "The IDPS must generate a unique session identifier for each session.",
1423
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between the IDPS can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. \nMeans to enforce this enhancement include ensuring the IDPS authenticates the source involved in sending the information. IDPS generated, unique session identifier must also be used to reduce the risk of session hi-jacking.",
1424
+ "severity": "medium"
1425
+ },
1426
+ {
1427
+ "id": "SRG-NET-000233-IDPS-000190",
1428
+ "title": "The IDPS must allow only system generated session identifiers.",
1429
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between the IDPS can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS authenticates the source involved in sending the information. IDPS generated, unique session identifier must also be used to reduce the risk of session hi-jacking.",
1430
+ "severity": "medium"
1431
+ },
1432
+ {
1433
+ "id": "SRG-NET-000234-IDPS-000191",
1434
+ "title": "The IDPS must generate unique session identifiers with organizationally defined randomness requirements.",
1435
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between the IDPS can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the IDPS authenticates the source involved in sending the information. IDPS generated, unique session identifier must also be used to reduce the risk of session hi-jacking. The greater the randomization of the session identifier, the more difficult to guess or anticipate.",
1436
+ "severity": "medium"
1437
+ },
1438
+ {
1439
+ "id": "SRG-NET-000235-IDPS-000193",
1440
+ "title": "The IDPS must fail to an organizationally defined known-state for organizationally defined types of failures.",
1441
+ "description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a state that is known to be secure helps prevent the loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.",
1442
+ "severity": "low"
1443
+ },
1444
+ {
1445
+ "id": "SRG-NET-000236-IDPS-000192",
1446
+ "title": "The IDPS must preserve organizationally defined system state information in the event of a system failure.",
1447
+ "description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving system state information facilitates system restart and return to the operational mode of the organization with less disruption of the network. Site should have a failover solution in place in case of system fault. IDPS systems may include failover configuration using multiple management servers, logging databases, and sensor load balancers.",
1448
+ "severity": "low"
1449
+ },
1450
+ {
1451
+ "id": "SRG-NET-000237-IDPS-000194",
1452
+ "title": "The IDPS must implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.",
1453
+ "description": "In the Regional Enterprise Enclave different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for each set of sensors, each profile can then be tuned to generate alarms based on the traffic types seen, the attack signatures, and the specific traffic (string signatures) relevant to each sensor group. If more than one sensor group sees the same traffic types, then the same signature profile may be used for both sets. Alerting on specific connection signatures, general attack signatures, and specific string signatures provides focused segment analysis at Layers 4. \nThe sensor monitoring the web server will be configured for application inspection and control of all web ports (e.g. 80, 3128, 8000, 8010, 8080, 8888, 24326, etc.). The sensor monitoring the web servers must monitor and control web traffic not received on web ports. This process is called port redirection. In many implementations port redirection is a separate signature to be installed.",
1454
+ "severity": "medium"
1455
+ },
1456
+ {
1457
+ "id": "SRG-NET-000238-IDPS-000196",
1458
+ "title": "The IDPS must protect the confidentiality and integrity of system information at rest.",
1459
+ "description": "This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the IDPS. It is imperative that system data that is generated as well as device configuration data is protected.",
1460
+ "severity": "low"
1461
+ },
1462
+ {
1463
+ "id": "SRG-NET-000239-IDPS-000195",
1464
+ "title": "The IDPS must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
1465
+ "description": "This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the IDPS. It is imperative that system data that is generated as well as device configuration data is protected.",
1466
+ "severity": "medium"
1467
+ },
1468
+ {
1469
+ "id": "SRG-NET-000241-IDPS-NA",
1470
+ "title": "The IDPS must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.",
1471
+ "description": "Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points.\nThis control is covered as part of the OS SRG and implemented by configuration of a HIDS.",
1472
+ "severity": "medium"
1473
+ },
1474
+ {
1475
+ "id": "SRG-NET-000242-IDPS-000219",
1476
+ "title": "The IDPS must be configured to automatically check for security updates to the application software on an organizationally defined frequency.",
1477
+ "description": "It is imperative that the activity promptly installs security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously. By requiring the automated update of application software on a periodic schedule, flaws and newly discovered attack vendors will be remediated in a timely manner.",
1478
+ "severity": "low"
1479
+ },
1480
+ {
1481
+ "id": "SRG-NET-000242-IDPS-000220",
1482
+ "title": "The IDPS must use a vendor-supported version of the firmware and application software.",
1483
+ "description": "The system administrator must monitor IAVM, OS, or OEM patch or vulnerability notices.\nSoftware flaw remediation and tracking is ideally performed by a patch management/remediation server. Depending on the IDPS used, this requirement can be accomplished by configuring the device to work with the remediation server. However, it is also acceptable if the remediation server is configured to fulfill this requirement and notify the administrator when updates are required.\nIt is not recommended for the IDPS to directly connect to the vendor or any other external site. A patch management server must be used as the source of software updates. Unsupported versions will lack security enhancements as well as support provided by the vendors to address vulnerabilities.",
1484
+ "severity": "low"
1485
+ },
1486
+ {
1487
+ "id": "SRG-NET-000242-IDPS-000221",
1488
+ "title": "The IDPS must use SNMP Version 3 (SNMPv3) Security Model with FIPS 140-2 compliant cryptography (i.e., SHA authentication and AES encryption).",
1489
+ "description": "SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an attacker or other unauthorized user may gain access to detailed network management information and use that information to launch attacks against the network.\n\nTo verify the appropriate patches on CISCO devices check the following IAVMs associated with SNMPv1: 2001-B-0001 (V0005809 ) Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability 2002-A-SNMP-001 (V0005835) Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices (Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities)\n\nTo verify the appropriate patches on other vendors, reference this web site: http://www.cert.org/advisories/CA-2002-03.html.",
1490
+ "severity": "medium"
1491
+ },
1492
+ {
1493
+ "id": "SRG-NET-000243-IDPS-000222",
1494
+ "title": "The IDPS must be configured to implement automated patch management tools to facilitate flaw remediation to network components.",
1495
+ "description": "It is imperative that the activity promptly installs security relevant software updates from an authorized patch management server to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously. Software obtained from unauthorized sources may contain malicious code and may put the enclave at risk.",
1496
+ "severity": "medium"
1497
+ },
1498
+ {
1499
+ "id": "SRG-NET-000244-IDPS-000226",
1500
+ "title": "The IDPS must protect the enclave from malware and unexpected traffic by using TCP reset signatures.",
1501
+ "description": "By listening to the conversation flow of inbound and outbound internet traffic for malware and malware references, the IDPS can prevent unwanted programs entering into the enclave. When it detects unmanaged instant messaging and peer-to-peer protocols or malware coming over IM, the IDPS can prevent the unwanted computer programs from entering the network by spoofing the source and destination machine addresses to send each session partner a TCP reset packet. The TCP reset instructs both sender and receiver to cease the current transfer of data.",
1502
+ "severity": "medium"
1503
+ },
1504
+ {
1505
+ "id": "SRG-NET-000244-IDPS-000227",
1506
+ "title": "The IDPS must provide an automated means to review and validate whitelists and blacklists entries.",
1507
+ "description": "A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP\ntypes and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously determined to be associated with malicious activity. Blacklists, also known as hot lists, are typically used to allow the IDPS to recognize and block activity that is highly likely to be malicious, and may also be used to assign a higher priority to alerts that match entries on the blacklists. Some the IDPS generate dynamic blacklists that are used to temporarily block recently detected threats (e.g., activity from an attacker's IP address). A whitelist is a list of discrete entities that are known to be benign. Whitelists are typically used on a granular basis, such as protocol-by-protocol, to reduce or ignore false positives involving known benign activity from trusted hosts. Whitelists and blacklists are most commonly used in signature-based detection and stateful protocol analysis. If these lists are not kept updated, the IDPS may not recognized newly created malicious attacks.",
1508
+ "severity": "medium"
1509
+ },
1510
+ {
1511
+ "id": "SRG-NET-000244-IDPS-000228",
1512
+ "title": "The IDPS must implement signatures to detect specific attacks and protocols known to affect web servers.",
1513
+ "description": "In the Regional Enterprise Enclave different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for each set of sensors, each profile can then be tuned to generate alarms based on the traffic types seen, the attack signatures, and the specific traffic (string signatures) that is relevant to that particular set of sensors. If more than one set of sensors will see the same traffic types, then the same signature profile may be used for both sets. Alerting on specific connection signatures, general attack signatures, and specific string signatures provides focused segment analysis at Layers 4 through 7.\n\nThe IDPS system administrator will ensure the sensor monitoring the web servers is configured for application inspection and control of all web ports (e.g., 80, 3128, 8000, 8010, 8080, 8888, 24326) The sensor monitoring the web servers should be capable of inspecting web traffic that is not received on web.\n",
1514
+ "severity": "medium"
1515
+ },
1516
+ {
1517
+ "id": "SRG-NET-000244-IDPS-000229",
1518
+ "title": "The IDPS must ensure IP hijacking signatures have been implemented.",
1519
+ "description": "There are a number of publicly available tools that exist to facilitate the hijacking of TCP sessions. An attacker using such tools can determine the TCP sequence and acknowledgement numbers that two hosts are using in a communication session. This information could enable the attacker to take over the legitimate network connection of an authorized user and inject commands into the session. This is particularly serious because most forms of one-time passwords do not prevent this access.",
1520
+ "severity": "medium"
1521
+ },
1522
+ {
1523
+ "id": "SRG-NET-000244-IDPS-000230",
1524
+ "title": "The sensor positioned to protect servers in the server farm or DMZ must provide protection from DoS SYN Flood attacks by dropping half open TCP sessions.\n",
1525
+ "description": "SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet, and waiting for a packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.\nIf the server farm is being monitored by an IDS as opposed to an IPS that can block traffic inline, the following alternatives can be implemented: Upon detection of a SYN flood attack; the IDS can dynamically push (or remotely configure) an ACL unto the upstream router; or multi-layer switch that can serve as the blocking device for the TCP SYN flood attack. \nConfigure TCP Intercept on the server farm's first hop router, MLS, or firewall that is controlling access to the server farm subnet (VLAN).\n",
1526
+ "severity": "medium"
1527
+ },
1528
+ {
1529
+ "id": "SRG-NET-000244-IDPS-000231",
1530
+ "title": "The LAND DoS signature must be implemented to protect the enclave.",
1531
+ "description": "The LAND attack is a DoS attack in which an attacker sends a TCP packet (with the SYN bit set) to a system in which the source and destination IP address (along with the source and destination port) are the same. If network traffic is not protected against this type of attack, this may cause a DoS on the network.\nAn effective implementation is the use of an Atomic attack signature that looks at a single packet, because State information (tracking established connections) is not necessary in identifying this attack.",
1532
+ "severity": "medium"
1533
+ },
1534
+ {
1535
+ "id": "SRG-NET-000245-IDPS-NA",
1536
+ "title": "The IDPS must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
1537
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, Web accesses, and removable media.",
1538
+ "severity": "medium"
1539
+ },
1540
+ {
1541
+ "id": "SRG-NET-000246-IDPS-NA",
1542
+ "title": "The IDPS must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.",
1543
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, Web accesses, and removable media. Implement IDPS signatures that protect against LAND attacks.",
1544
+ "severity": "medium"
1545
+ },
1546
+ {
1547
+ "id": "SRG-NET-000247-IDPS-NA",
1548
+ "title": "The IDPS must employ malicious code protection mechanisms to perform periodic scans of the information system on an organizationally defined frequency.",
1549
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Vulnerability assessment scans must be performed on a regular basis to identify devices that are vulnerable or have already been breached by malicious code.",
1550
+ "severity": "medium"
1551
+ },
1552
+ {
1553
+ "id": "SRG-NET-000248-IDPS-NA",
1554
+ "title": "The IDPS must be configured to perform real-time scans of files from external sources as they are downloaded and prior to being opened or executed",
1555
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Real-time scans must be performed on files from external sources as they are downloaded and prior to being opened or executed.",
1556
+ "severity": "medium"
1557
+ },
1558
+ {
1559
+ "id": "SRG-NET-000249-IDPS-NA",
1560
+ "title": "The IDPS must be configured to perform organizationally defined actions in response to malicious code detection.",
1561
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Upon detection of traffic transporting this code, the IDPS must perform organizationally defined actions.",
1562
+ "severity": "medium"
1563
+ },
1564
+ {
1565
+ "id": "SRG-NET-000250-IDPS-NA",
1566
+ "title": "The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.",
1567
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Upon detection of traffic transporting this code, the IDPS must perform organizationally defined actions and address false positives.",
1568
+ "severity": "medium"
1569
+ },
1570
+ {
1571
+ "id": "SRG-NET-000251-IDPS-000223",
1572
+ "title": "The IDPS must automatically update malicious code protection mechanisms and signature definitions.",
1573
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. The black hats and malicious code writers continuously find new methods to attack hosts and the network infrastructure. It is imperative that new protection mechanisms developed to mitigate their risks must be installed as quickly as possible. For the IDPS, rules are also updated to detect attempts to exploit systems. Not updating the rule sets could lead to missed reconnaissance and malicious attacks.",
1574
+ "severity": "medium"
1575
+ },
1576
+ {
1577
+ "id": "SRG-NET-000252-IDPS-NA",
1578
+ "title": "The IDPS must prevent non-privileged users from circumventing malicious code protection capabilities.",
1579
+ "description": "It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users. This control pertains to anti-virus products which are out of scope.",
1580
+ "severity": "medium"
1581
+ },
1582
+ {
1583
+ "id": "SRG-NET-000253-IDPS-000224",
1584
+ "title": "The IDPS must only update malicious code protection mechanisms when directed by a privileged user.",
1585
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users and are only updated when directed by a privileged user.",
1586
+ "severity": "medium"
1587
+ },
1588
+ {
1589
+ "id": "SRG-NET-000254-IDPS-000225",
1590
+ "title": "The IDPS must not allow users to introduce removable media into the information system.",
1591
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, web accesses, and removable media. This control pertains to anti-virus products which are out of scope.",
1592
+ "severity": "medium"
1593
+ },
1594
+ {
1595
+ "id": "SRG-NET-000255-IDPS-NA",
1596
+ "title": "IDPS sensors must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.",
1597
+ "description": "IDPS sensor must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. This is a network architecture design requirement. Redesign the network architecture, so all ingress traffic will pass the sensor decrypted and is inspected by the firewall and Network IDS/IPS. This is a network architecture design requirement.",
1598
+ "severity": "medium"
1599
+ },
1600
+ {
1601
+ "id": "SRG-NET-000256-IDPS-000237",
1602
+ "title": "The IDPS must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.",
1603
+ "description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. Both inbound and outbound traffic must be monitored. Placing a sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. Without monitoring of both outbound and inbound traffic for anomalies, critical indicators of attacks may be missed until it is too late.",
1604
+ "severity": "medium"
1605
+ },
1606
+ {
1607
+ "id": "SRG-NET-000256-IDPS-000238",
1608
+ "title": "The IPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers.",
1609
+ "description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.\nThe IPS must be configured to drop inbound and outbound TCP and UDP packets with the following port numbers: 67, 68, 546, 547, 647, 847, and 2490 on the IDPS. This requirement applies only if DHCPv6 is not used.",
1610
+ "severity": "medium"
1611
+ },
1612
+ {
1613
+ "id": "SRG-NET-000257-IDPS-000239",
1614
+ "title": "The IDPS must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur.",
1615
+ "description": "When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism. Near real-time alerts for critical events allow the administrators to respond to these potential compromise indicators since they may miss other types of alerts if they are not logging in or at the management console.",
1616
+ "severity": "medium"
1617
+ },
1618
+ {
1619
+ "id": "SRG-NET-000258-IDPS-000240",
1620
+ "title": "The IDPS must be installed in stealth mode without an IP address on the interface with data flow.",
1621
+ "description": "Both passive and inline sensors must be installed in stealth mode. For stealth mode, an IP address is not assigned to the network interfaces used to monitor network traffic. Only network interfaces used for IDPS management will have an IP address assigned. Operating a sensor without IP addresses assigned to monitoring interfaces is known as operating in stealth mode. Stealth mode improves the security of the IDPS sensors because it prevents other hosts from initiating connections to them. This conceals the sensors from attackers and thus limits exposure to attacks. If monitoring is being performed using a switch SPAN port, the sensors must be configured in stealth mode and the Network Interface Card (NIC) must be connected to the SPAN port with no network protocol stacks bound to it. A second NIC must then be connected to an OOB network. Stealth mode will reduce the risk of the IDPS itself being attacked.",
1622
+ "severity": "medium"
1623
+ },
1624
+ {
1625
+ "id": "SRG-NET-000259-IDPS-000242",
1626
+ "title": "The IDPS must notify an organizationally defined list of incident response personnel of suspicious events.",
1627
+ "description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism.",
1628
+ "severity": "medium"
1629
+ },
1630
+ {
1631
+ "id": "SRG-NET-000260-IDPS-000241",
1632
+ "title": "The IDPS must take an organizationally defined list of least-disruptive actions to terminate suspicious events.",
1633
+ "description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, the IDPS must take action to thwart the attack using methods creating the least disruption to network availability.",
1634
+ "severity": "medium"
1635
+ },
1636
+ {
1637
+ "id": "SRG-NET-000261-IDPS-000243",
1638
+ "title": "The IDPS must protect information obtained from network scanning from unauthorized access, modification, and deletion.",
1639
+ "description": "Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. The intrusion detection device must be configured to ensure non-privilege users are not able to circumvent the detection or alerting mechanisms. In addition, all information collected by the intrusion detection systems must be protected from unauthorized access, modification, and deletion. Train system administrators to never modify or delete portions of the log records that are stored in achieved locations as part of the official records.",
1640
+ "severity": "medium"
1641
+ },
1642
+ {
1643
+ "id": "SRG-NET-000262-IDPS-NA",
1644
+ "title": "The IDPS must ensure all encrypted traffic is visible to network monitoring tools.",
1645
+ "description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Regardless of direction, all encrypted traffic must be decrypted prior to reaching the sensor or firewall so all traffic can be monitored. This is a network architecture design requirement. Redesign the network architecture, so all ingress traffic will pass the sensor decrypted and is inspected by the firewall and Network IDS/IPS.",
1646
+ "severity": "medium"
1647
+ },
1648
+ {
1649
+ "id": "SRG-NET-000263-IDPS-000232",
1650
+ "title": "The IDPS must analyze outbound traffic at the external boundary of the network.",
1651
+ "description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
1652
+ "severity": "medium"
1653
+ },
1654
+ {
1655
+ "id": "SRG-NET-000264-IDPS-000233",
1656
+ "title": "The IDPS must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.",
1657
+ "description": "IDPS sensors must be deployed at strategic locations within the network. At a minimum, they must be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
1658
+ "severity": "medium"
1659
+ },
1660
+ {
1661
+ "id": "SRG-NET-000265-IDPS-000235",
1662
+ "title": "The IDPS must detect attack attempts to the wireless network.",
1663
+ "description": "DoD information could be compromised if wireless scanning is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A wireless IDS (WIDS) sensor must be installed and placed to monitor wireless network transmissions for possible attacks and unauthorized traffic.",
1664
+ "severity": "medium"
1665
+ },
1666
+ {
1667
+ "id": "SRG-NET-000266-IDPS-000236",
1668
+ "title": "The IDPS must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.",
1669
+ "description": "DoD information could be compromised if wireless scanning is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A wireless IDS (WIDS) sensor must be installed and placed to monitor wireless network transmissions for possible attacks and unauthorized traffic. Rogue devices are unauthorized wireless devices which are either connected to the enclave or are being used by personnel in DoD spaces. These devices may either provide attackers with a way into the enclave or attempt to breach the network.",
1670
+ "severity": "medium"
1671
+ },
1672
+ {
1673
+ "id": "SRG-NET-000267-IDPS-000245",
1674
+ "title": "The IDPS must be configured to perform periodic self-tests that verify security functionality is operational during system state changes (i.e., initialization, shutdown, and aborts.).",
1675
+ "description": "The integrity of security functions during system state changes will be periodically tested. Tests will determine the system is operating as required during each system state. The organization will define the states and conditions of operations. The frequency of these integrity checks will be also be organizationally determined. Recommendation is annual testing. The need to verify security functionality is necessary to ensure the IDPS's defense is enabled. If all security functions are not operating efficiently, the defense of the element and the network is left vulnerable and both could be breached. The security functionality for IDPS implementations is: information gathering, logging, detection, and prevention. If security functionality is not verified, the systems' defense, the system could have become compromised without the knowledge of the system administrators.\nIf automated self-tests are not available for all devices, then implement one of the following alternatives:\n(i) Document the risk as accepted.\n(ii) Provide and document manual testing procedures.",
1676
+ "severity": "low"
1677
+ },
1678
+ {
1679
+ "id": "SRG-NET-000268-IDPS-000244",
1680
+ "title": "The IDPS must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.",
1681
+ "description": "Verification of security functionality is necessary to ensure the system's defenses are enabled. These anomalies are detected by running self-tests on each component in the IDPS. For those security functions that are not able to execute automated self-tests the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Upon detection of security function anomalies or failure of automated self-tests, the IDPS must respond in accordance with organizationally defined responses and alternative actions. If security functionality is not verified, the systems' defense, the system could have become compromised without the knowledge of the system administrators. \nIf automated self-tests are not available for all devices, then implement one of the following alternatives:\n(i) Document the risk as accepted.\n(ii) Provide and document manual testing procedures.",
1682
+ "severity": "low"
1683
+ },
1684
+ {
1685
+ "id": "SRG-NET-000269-IDPS-000246",
1686
+ "title": "The IDPS must provide notification of failed automated security tests.",
1687
+ "description": "Upon detection of a failure of an automated security self-test, the network element must respond in accordance with organizationally defined responses and alternative actions. Without taking any self-healing actions or notifying an administrator, the defense of the element and the network is left vulnerable and both could be breached. If system administrators are not alerted to failed security tests, the systems' defense, the system could have become compromised without the knowledge of the system administrators.",
1688
+ "severity": "medium"
1689
+ },
1690
+ {
1691
+ "id": "SRG-NET-000270-IDPS-000245",
1692
+ "title": "The IDPS must provide automated support for the management of distributed security testing.",
1693
+ "description": "The need to verify security functionality is necessary to ensure the IDPS's defense is enabled. To scale the deployment of the verification process, the IDPS must provide automated support for the management of distributed security testing. This control addresses security verification during network state changes. The IDPS can be configured to automatically provide logs to other devices on the network to be used for security verification processes.",
1694
+ "severity": "low"
1695
+ },
1696
+ {
1697
+ "id": "SRG-NET-000271-IDPS-000247",
1698
+ "title": "The IDPS must detect unauthorized changes to software and information.",
1699
+ "description": "Anomalous behavior and unauthorized changes must be detected before the IDPS is breeched or no longer in service. Identifying the source and method used to make the unauthorized change will help to determine what data is at risk and if other systems may be affected. HIDS software must be installed on the IDPS devices and sensors to protect the device itself from being breached and to monitor for unauthorized application file changes. This requirement is applicable to network appliances. For sensors with an underlying operating system, a compliance review of operating system is required which will include this HIDS requirement.",
1700
+ "severity": "medium"
1701
+ },
1702
+ {
1703
+ "id": "SRG-NET-000272-IDPS-000216",
1704
+ "title": "The IDPS must identify and respond to potential security-relevant error conditions.",
1705
+ "description": "Error messages generated by various components and services of the network devices can indicate a possible security violation or breach. It is imperative the IDPS is configured to be able to recognize those error messages that can be a symptom of a compromise and to provide notification. The extent to which the IDPS is able to identify and handle error conditions should be guided by organizational policy, operational requirements, as well as best practices.",
1706
+ "severity": "low"
1707
+ },
1708
+ {
1709
+ "id": "SRG-NET-000273-IDPS-000217",
1710
+ "title": "The IDPS must generate notification messages containing information necessary for corrective actions for errors encountered; however, these messages must not contain organizationally defined sensitive or potentially harmful information.",
1711
+ "description": "The extent to which the IDPS is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, it is imperative that the IDPS does not reveal information that may have been captured in the log data that could risk the compromise of the device or the network. Hence, the structure and content of error messages notifications sent to the system administrators or users must be carefully considered. These notifications may be sent to system administrators or users, depending on the type of message. This requirement includes device or application error conditions as well as sensor log alerts.",
1712
+ "severity": "medium"
1713
+ },
1714
+ {
1715
+ "id": "SRG-NET-000274-IDPS-000218",
1716
+ "title": "The IDPS must activate an organizationally defined alarm when a system component failure is detected.",
1717
+ "description": "An IDPS with a failing security component can potentially put the entire network at risk. If key components to maintaining network security fail to function, it is possible the IDPS will continue operating in an insecure state. It is imperative this not occur and therefore must immediately send an alarm or shut down.",
1718
+ "severity": "low"
1719
+ },
1720
+ {
1721
+ "id": "SRG-NET-000277-IDPS-NA",
1722
+ "title": "The IPS must disable network access by unauthorized devices and must log the information as a security violation.",
1723
+ "description": "Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote access to the network can be accomplished via connection to a VPN gateway. Eliminating unauthorized access to the network is vital to maintaining a secured network. If the package is malformed or has an anomaly, it may cause an alert or a message to the Firewall or Router, however the IPS does not directly disable the unauthorized access.",
1724
+ "severity": "medium"
1725
+ },
1726
+ {
1727
+ "id": "SRG-NET-000278-IDPS-000011",
1728
+ "title": "The IDPS must display security attributes in human-readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions organizationally identified human readable, standard naming conventions.",
1729
+ "description": "When applications generate or output data, the associated security attributes need to be displayed. Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files, registry keys) within the information system and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \nObjects output from the information system include, pages, screens, or equivalent. Output devices include printers and video displays on computer terminals, monitors, screens on notebook/laptop computers and personal digital assistants.\nIf security attributes are not displayed in human readable form, then it is difficult to disseminate errors in information access control or information flow policy. \n",
1730
+ "severity": "low"
1731
+ },
1732
+ {
1733
+ "id": "SRG-NET-000279-IDPS-000039",
1734
+ "title": "The IDPS must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.",
1735
+ "description": "Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Examples: IDPS sensor rules, cryptographic key management information, key configuration parameters for security services, and access control lists. Secure, non-operable system states are states in which the IDPS is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.",
1736
+ "severity": "medium"
1737
+ },
1738
+ {
1739
+ "id": "SRG-NET-000280-IDPS-000052",
1740
+ "title": "The IDPS must enforce information flow control on metadata.",
1741
+ "description": "Metadata is defined as data providing information about one or more pieces of data such as purpose of the data, author or creator of the data, network location of where data was created, and network specific information. Information flow control regulates where information is allowed to travel within a network and between hosts as opposed to who is allowed to access the information. Information flow enforcement mechanisms compare security attributes on all information such as source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. This is a network architecture best practice and does not require a configuration setting on the IDS or IPS sensor.",
1742
+ "severity": "medium"
1743
+ },
1744
+ {
1745
+ "id": "SRG-NET-000281-IDPS-NA",
1746
+ "title": "The IDPS must identify information flows by data type specification and usage when transferring information between different security domains.",
1747
+ "description": "Traffic flows must be identified by types and traffic rates when information is being transferred between different security domains. This requirement applies to Cross Domain Solutions. Implementation and placement of the IDS and IDP sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
1748
+ "severity": "medium"
1749
+ },
1750
+ {
1751
+ "id": "SRG-NET-000282-IDPS-NA",
1752
+ "title": "The IDPS must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.",
1753
+ "description": "Information must be decomposed into policy-relevant subcomponents, so the applicable policies and filters can be applied when information is being transferred between different security domains. This requirement applies to information flow control for Cross Domain Solutions. Implementation and placement of the IDS and IDP sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
1754
+ "severity": "medium"
1755
+ },
1756
+ {
1757
+ "id": "SRG-NET-000283-IDPS-NA",
1758
+ "title": "The IDPS must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains.",
1759
+ "description": "It is imperative that when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organization's security policy requirements. This requirement applies to information flow control for Cross Domain Solutions. Implementation and placement of the IDS and IDP sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
1760
+ "severity": "medium"
1761
+ },
1762
+ {
1763
+ "id": "SRG-NET-000284-IDPS-NA",
1764
+ "title": "The IDPS must detect unsanctioned information when transferring information between different security domains.",
1765
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative that when information is being moved from one security domain to another, mechanisms are deployed to detect traffic with payloads that are not in conformance with the policy of the DoD and the organization. This requirement applies to information flow control for Cross Domain Solutions. Implementation and placement of the IDS and IDP sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.",
1766
+ "severity": "medium"
1767
+ },
1768
+ {
1769
+ "id": "SRG-NET-000285-IDPS-NA",
1770
+ "title": "The IDPS must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.",
1771
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative that when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organizations security policy requirements. \nActions to support this requirement include, but are not limited to: checking packet payload for embedded malware; dropping packets not conforming to standards; and blocking packets using ports and protocols that are not allowed to cross these domains based on DoD and local policy. This requirement applies to Cross Domain Solutions.\nImplementation and placement of the IDS and IDP sensors and components must not be designed to require information transfer across security domains that differ in classification. There is a high risk of contamination because of the monitoring functionality of the sensors.\n",
1772
+ "severity": "medium"
1773
+ },
1774
+ {
1775
+ "id": "SRG-NET-000286-IDPS-000103",
1776
+ "title": "The IDPS must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
1777
+ "description": "Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This control enhancement helps mitigate this risk by requiring that privileged access be further defined between audit-related privileges and other privileges, thus, limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged users can also be achieved, for example, by performing audit activity on a separate information system or by using storage media that cannot be modified (e.g., write-once recording devices).",
1778
+ "severity": "medium"
1779
+ },
1780
+ {
1781
+ "id": "SRG-NET-000287-IDPS-000140",
1782
+ "title": "The IDPS console port must be configured to timeout after 10 minutes or less of inactivity.",
1783
+ "description": "Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to the operating system. Operating systems need to track periods of user inactivity and disable accounts after an organizationally defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. Limiting inactivity timeout lowers the risk of an attacker hijacking an unattended session.",
1784
+ "severity": "medium"
1785
+ },
1786
+ {
1787
+ "id": "SRG-NET-000288-IDPS-000185",
1788
+ "title": "The IDPS must prevent the download of prohibited mobile code.",
1789
+ "description": "Decisions regarding the use of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Prohibited mobile code may contain malicious code and may be the source of network or client attacks if download is allowed.",
1790
+ "severity": "medium"
1791
+ },
1792
+ {
1793
+ "id": "SRG-NET-000289-IDPS-000184",
1794
+ "title": "The IPS must prevent the execution of prohibited mobile code.",
1795
+ "description": "The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approach. Decisions regarding the employment of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. IDPS must be configured to detect mobile code and prevent the affected traffic from reaching its intended destination and being executed.",
1796
+ "severity": "medium"
1797
+ },
1798
+ {
1799
+ "id": "SRG-NET-000290-IDPS-NA",
1800
+ "title": "The IDPS must prevent the automatic execution of mobile code in organizationally defined software applications and requires organizationally defined actions prior to executing the code.",
1801
+ "description": "Decisions regarding the employment of mobile code within the IDPS are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Preventing execution of mobile code on a client is the function of a HIDS, thus this control is out of scope. \nPreventing execution of mobile code on the client is not a function of the IDPS.",
1802
+ "severity": "medium"
1803
+ },
1804
+ {
1805
+ "id": "SRG-NET-000300-IDPS-NA",
1806
+ "title": "The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution.",
1807
+ "description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Network elements using technologies other than the DNS to map between host/service names and network addresses provide other methods of assuring the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23.",
1808
+ "severity": "medium"
1809
+ },
1810
+ {
1811
+ "id": "SRG-NET-000301-IDPS-NA",
1812
+ "title": "The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.",
1813
+ "description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Network element that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.",
1814
+ "severity": "medium"
1815
+ },
1816
+ {
1817
+ "id": "SRG-NET-000302-IDPS-NA",
1818
+ "title": "The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.",
1819
+ "description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Network element that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.",
1820
+ "severity": "medium"
1821
+ },
1822
+ {
1823
+ "id": "SRG-NET-000303-IDPS-NA",
1824
+ "title": "The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.",
1825
+ "description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources that own DNS data. Network element that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. DNS is not an IDPS function.",
1826
+ "severity": "medium"
1827
+ },
1828
+ {
1829
+ "id": "SRG-NET-000304-IDPS-NA",
1830
+ "title": "The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.",
1831
+ "description": "A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role, only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists).",
1832
+ "severity": "low"
1833
+ },
1834
+ {
1835
+ "id": "SRG-NET-000305-IDPS-NA",
1836
+ "title": "The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation.",
1837
+ "description": "A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative DNS servers, one configured as primary and the other as secondary.",
1838
+ "severity": "low"
1839
+ },
1840
+ {
1841
+ "id": "SRG-NET-000306-IDPS-000037",
1842
+ "title": "The IDPS must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.",
1843
+ "description": "Access control policies (e.g., identity-based policies, role-based policies, etc) and access enforcement mechanisms (e.g., access control lists, policy maps, and cryptography) are used to control access between users and objects (e.g., devices, data, destination addresses, etc.) within in the network. Without these security policies, access control and enforcement mechanisms will not prevent unauthorized access to user account information, system logs, and other files.",
1844
+ "severity": "low"
1845
+ },
1846
+ {
1847
+ "id": "SRG-NET-000307-IDPS-000038",
1848
+ "title": "The IDPS must enforce a DAC policy that includes or excludes access to the granularity of a single user.",
1849
+ "description": "Access control policies (e.g., identity-based policies, role-based policies, etc) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, data, destination addresses, etc.) within in the network. This applies to locally defined accounts where the user management functionality is part of the IDPS application. This control does not negate the use of security groups for assigning access control to each member. Without granular DAC policies, access control and enforcement mechanisms will not prevent unauthorized access to account information, system logs, and other files.",
1850
+ "severity": "low"
1851
+ },
1852
+ {
1853
+ "id": "SRG-NET-000308-IDPS-000175",
1854
+ "title": "The IDPS must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.",
1855
+ "description": "Cryptography is only as strong as the encryption algorithms employed to encrypt the data. Use of weak or untested certificates undermines the purposes of utilizing encryption to protect data. Traffic between the management console, sensor, and/or other network elements must be protected by cryptographic mechanisms. \nFIPS-validated cryptography is approved for use for unclassified systems. NSA-approved cryptography is approved for use for classified systems.",
1856
+ "severity": "medium"
1857
+ },
1858
+ {
1859
+ "id": "SRG-NET-000309-IDPS-000204",
1860
+ "title": "The IDPS must protect against unauthorized physical connections across the boundary protections implemented at organizationally defined list of managed interfaces.",
1861
+ "description": "Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating unauthorized access to the network is vital to maintaining a secured network.",
1862
+ "severity": "medium"
1863
+ }
1864
+ ]
1865
+ }