Capacity
CCI-001097
Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.
1
Rule
Severity: Medium
The Arista Multilayer Switch must configure the maximum hop limit value to at least 32.
2
Rule
Severity: High
The Arista router must be configured to restrict traffic destined to itself.
2
Rule
Severity: Medium
The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.
2
Rule
Severity: Medium
The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
2
Rule
Severity: High
The Arista router must be configured to block any traffic that is destined to IP core infrastructure.
2
Rule
Severity: Medium
The Arista router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.
2
Rule
Severity: Medium
The out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
2
Rule
Severity: Medium
The out-of-band management (OOBM) Arista gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.
1
Rule
Severity: Medium
The Arista router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to block all outbound management traffic.
2
Rule
Severity: Medium
The perimeter firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave.
1
Rule
Severity: Medium
The FortiGate firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave.
1
Rule
Severity: Medium
The HP FlexFabric Switch must configure the maximum hop limit value to at least 32.
4
Rule
Severity: High
The Juniper router must be configured to restrict traffic destined to itself.
4
Rule
Severity: Medium
The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to block all outbound management traffic.
2
Rule
Severity: Medium
The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
4
Rule
Severity: Medium
The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
4
Rule
Severity: Medium
The Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.
4
Rule
Severity: Medium
The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.
2
Rule
Severity: Medium
The Juniper router providing connectivity to the NOC must be configured to forward all in-band management traffic via an IPsec tunnel.
4
Rule
Severity: Medium
The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
4
Rule
Severity: High
The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.
2
Rule
Severity: Medium
The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.
2
Rule
Severity: High
The router must be configured to restrict traffic destined to itself.
2
Rule
Severity: Medium
The router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
2
Rule
Severity: Medium
The perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
2
Rule
Severity: Medium
The perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.
2
Rule
Severity: Medium
The perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.
2
Rule
Severity: Medium
The BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
2
Rule
Severity: High
The PE router must be configured to block any traffic that is destined to IP core infrastructure.
2
Rule
Severity: Medium
The PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces..
2
Rule
Severity: Medium
The out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
2
Rule
Severity: Medium
The out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
2
Rule
Severity: Medium
The out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.
2
Rule
Severity: Medium
The router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.
2
Rule
Severity: Medium
The router providing connectivity to the NOC must be configured to forward all in-band management traffic via an IPsec tunnel.
1
Rule
Severity: Medium
The perimeter router must be configured to block all outbound management traffic.
1
Rule
Severity: Medium
The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
1
Rule
Severity: High
The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.
2
Rule
Severity: Medium
The VPN Gateway must be configured to route sessions to an IDPS for inspection.
2
Rule
Severity: Medium
The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
2
Rule
Severity: High
The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to block all outbound management traffic.
6
Rule
Severity: Medium
The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
6
Rule
Severity: Medium
The Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
6
Rule
Severity: Medium
The Cisco out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the Network Operations Center (NOC).
6
Rule
Severity: Medium
The Cisco router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
6
Rule
Severity: Medium
The Cisco router providing connectivity to the Network Operations Center (NOC) must be configured to forward all in-band management traffic via an IPsec tunnel.
6
Rule
Severity: Medium
The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
6
Rule
Severity: High
The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.
6
Rule
Severity: Medium
The Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.
4
Rule
Severity: High
The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to block all outbound management traffic.
6
Rule
Severity: Medium
The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
6
Rule
Severity: High
The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.
6
Rule
Severity: Medium
The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.
2
Rule
Severity: High
The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.
2
Rule
Severity: High
The Cisco router must be configured to restrict traffic destined to itself.
2
Rule
Severity: Medium
The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
2
Rule
Severity: High
The Cisco switch must be configured to restrict traffic destined to itself.
2
Rule
Severity: Medium
The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
2
Rule
Severity: Medium
The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.
2
Rule
Severity: Medium
The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
2
Rule
Severity: Medium
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.
2
Rule
Severity: Medium
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.
2
Rule
Severity: Medium
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.
2
Rule
Severity: Medium
An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.
2
Rule
Severity: Medium
Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.
4
Rule
Severity: Medium
The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
1
Rule
Severity: Medium
The Arista router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
1
Rule
Severity: High
The Mission Owner's internet-facing applications must be configured to traverse the Cloud Access Point (CAP) and Virtual Datacenter Security Stack (VDSS) prior to communicating with the internet.
1
Rule
Severity: Medium
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements.
1
Rule
Severity: Medium
The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must be configured to maintain separation of all management and data traffic.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.
1
Rule
Severity: Medium
The BIG-IP appliance perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
1
Rule
Severity: High
The perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: Medium
The perimeter router must be configured to block all packets with any IP options.
1
Rule
Severity: Medium
The PE router must be configured to ignore or block all packets with any IP options.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception.
1
Rule
Severity: Medium
The NSX Tier-1 Gateway firewall must deny network communications traffic by default and allow network communications traffic by exception.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules