CCI-001097

Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.

1 rule found Severity: Medium

1 rule found Severity: High

4 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

3 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

3 rules found Severity: High

3 rules found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: High

3 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

CCI-001097

The Arista Multilayer Switch must configure the maximum hop limit value to at least 32.

The FortiGate firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave.

The HP FlexFabric Switch must configure the maximum hop limit value to at least 32.

The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.

The network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

The Arista router must be configured to restrict traffic destined to itself.

The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

The Arista perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.

The Arista perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.

The Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

The Arista router must be configured to block any traffic that is destined to IP core infrastructure.

The Arista router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.

The out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

The out-of-band management (OOBM) Arista gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

The Arista router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

The Arista perimeter router must be configured to block all outbound management traffic.

The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

The Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

The Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.

The Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.

The Cisco router must be configured to restrict traffic destined to itself.

The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

The Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.

The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.

The Cisco perimeter router must be configured to block all outbound management traffic.

The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.

The Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

The Cisco out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the Network Operations Center (NOC).

The Cisco router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

The Cisco router providing connectivity to the Network Operations Center (NOC) must be configured to forward all in-band management traffic via an IPsec tunnel.

The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.

The Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.

The Cisco perimeter switch must be configured to block all outbound management traffic.

The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.

The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.

The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.

The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.

The BIG-IP appliance perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.

The Juniper router must be configured to restrict traffic destined to itself.

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

The Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

The Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.

The Juniper perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.

The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.

The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.

The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.

The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

The Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.

The Juniper perimeter router must be configured to block all outbound management traffic.

An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.

An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.

An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.

An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.

Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.

The router must be configured to restrict traffic destined to itself.

The router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

The perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

The perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.

The perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.

The BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

The PE router must be configured to block any traffic that is destined to IP core infrastructure.

The PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces..

The out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.

The out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

The out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

The router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.

The router providing connectivity to the NOC must be configured to forward all in-band management traffic via an IPsec tunnel.

The perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

The perimeter router must be configured to block all packets with any IP options.

The PE router must be configured to ignore or block all packets with any IP options.

The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.