Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats.
Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions.
Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist).
Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist).
The ALG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The ALG must immediately use updates made to policy enforcement mechanisms such as policy filters, rules, signatures, and analysis algorithms for gateway and/or intermediary functions.
The ALG that is part of a CDS must apply information flow control to data transferred between security domains by means of a policy filter which consists of a set of hardware and/or software.
The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The Arista Multilayer Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
The Arista Multilayer Switch must be configured so inactive router interfaces are disabled.
The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
If Border Gateway Protocol (BGP) is enabled on the Arista Multilayer Switch, the Arista Multilayer Switch must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway.
The Arista Multilayer Switch must not redistribute static routes to an alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous Systems.
The Arista Multilayer Switch must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain.
The Arista Multilayer Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol instances are not redistributed or advertised to each other.
The Arista Multilayer Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.
The Arista perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The Arista multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The Arista multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The Arista multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
The Arista router must be configured to have all inactive interfaces disabled.
The Arista perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
The Arista perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
The Arista perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
The out-of-band management (OOBM) Arista gateway router must be configured to have separate IGP instances for the managed network and management network.
The out-of-band management (OOBM) Arista gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
The multicast Rendezvous Point (RP) Arista router must be configured to filter Protocol Independent Multicast (PIM) Register and Join messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
The Docker Enterprise host's process namespace must not be shared.
The Docker Enterprise host's IPC namespace must not be shared.
The firewall must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
The HP FlexFabric Switch must not redistribute static routes to an alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous Systems.
The HP FlexFabric Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
If Border Gateway Protocol (BGP) is enabled on the HP FlexFabric Switch, the HP FlexFabric Switch must not be a BGP peer with an HP FlexFabric Switch from an Autonomous System belonging to any Alternate Gateway (AG).
The HP FlexFabric Switch must enforce that Interior Gateway Protocol (IGP) instances configured on the out-of-band management gateway only peer with their own routing domain.
The HP FlexFabric Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol (IGP) instances are not redistributed or advertised to each other.
The HP FlexFabric Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol (IGP) that is utilized on that management interface.
The HP FlexFabric Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The HP FlexFabric Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The HP FlexFabric Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The HP FlexFabric Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.
The Sentry must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The Juniper router must be configured to have all inactive interfaces disabled.
The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The Juniper perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
The Juniper perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
The Juniper perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
The Juniper out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
The Juniper Networks SRX Series Gateway IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The Juniper multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The Juniper multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Juniper router (DR) for any undesirable multicast groups.
The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
User control of proxy settings must be disabled.
SharePoint must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed must not be installed in the DMZ.
Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created.
The router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
The router must be configured to have all inactive interfaces disabled.
The perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
The perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
The perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
The out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
The out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
The multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
The multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
Innoslate must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules.
The Tanium documentation identifying recognized and trusted IOC Detect streams must be maintained.
The Tanium IOC Detect must be configured to receive IOC streams only from trusted sources.
The Tanium documentation identifying recognized and trusted folders for IOC Detect Folder streams must be maintained.
The Tanium IOC Detect Folder streams must be configured to restrict access to only authorized maintainers of IOCs.
The Tanium documentation identifying recognized and trusted SCAP feeds must be maintained.
The Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.
Tanium Comply must be configured to receive SCAP feeds only from trusted sources.
Tanium Comply must be configured to receive OVAL feeds only from trusted sources.
The Tanium documentation identifying recognized and trusted indicator of compromise (IOC) streams must be maintained.
The Tanium documentation identifying recognized and trusted Intel streams must be maintained.
The Tanium Detect must be configured to receive IOC streams only from trusted sources.
The Tanium documentation identifying recognized and trusted folders for Detect Local Directory Source must be maintained.
The Tanium Detect Local Directory Source must be configured to restrict access to only authorized maintainers of Intel.
The Tanium documentation identifying recognized and trusted SCAP sources must be maintained.
Tanium Comply must be configured to receive SCAP content only from trusted sources.
The Tanium documentation identifying recognized and trusted IOC streams must be maintained.
Tanium Threat Response must be configured to receive IOC streams only from trusted sources.
The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained.
The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of Threat Intel.
The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of threat intel.
The Tanium documentation identifying recognized and trusted Security Content Automation Protocol (SCAP) sources must be maintained.
The Tanium documentation identifying recognized and trusted Open Vulnerability and Assessment Language (OVAL) feeds must be maintained.
Tanium Comply must be configured to receive Security Content Automation Protocol (SCAP) content only from trusted sources.
Tanium Comply must be configured to receive Open Vulnerability and Assessment Language (OVAL) feeds only from trusted sources.
The Trend Micro TPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions which are all contained in the Digital Vaccine (DV) updates.
The NSX-T Distributed Firewall must verify time-based firewall rules.
The NSX-T Tier-1 Gateway must be configured to have all inactive interfaces removed.
The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The NSX-T Tier-0 Gateway must be configured to have all inactive interfaces removed.
The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies.
The Cisco router must be configured to have all inactive interfaces disabled.
The Cisco router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
The Cisco out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
The Cisco out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
The Cisco switch must be configured to have all inactive Layer 3 interfaces disabled.
The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic.
The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an Interior Gateway Protocol (IGP) peering with the NIPRNet or to other autonomous systems.
The Cisco out-of-band management (OOBM) gateway router must be configured to have separate Interior Gateway Protocol (IGP) instances for the managed network and management network.
The Cisco switch must be configured to have all inactive layer 3 interfaces disabled.
The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources.
The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups.
The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.
Firewall traversal from a remote host must be disabled.
The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
The Juniper router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The Juniper router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
The Juniper perimeter router must not be configured to be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
The Juniper perimeter router must not be configured to redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
The Juniper out-of-band management (OOBM) gateway router must not be configured to redistribute routes between the management network routing domain and the managed network routing domain.
The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
Accessing data sources across domains must be disallowed (Internet zone).
Navigating windows and frames across different domains must be disallowed (Internet zone).
Dragging of content from different domains within a window must be disallowed (Internet zone).
Dragging of content from different domains across windows must be disallowed (Restricted Sites zone).
Dragging of content from different domains within a window must be disallowed (Restricted Sites zone).
Accessing data sources across domains must be disallowed (Restricted Sites zone).
Navigating windows and frames across different domains must be disallowed (Restricted Sites zone).
Websites in less privileged web content zones must be prevented from navigating into the Internet zone.
Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone.
Dragging of content from different domains across windows must be disallowed (Internet zone).
Windows Defender Firewall with Advanced Security must be enabled when connected to a private network.
Windows Defender Firewall with Advanced Security must be enabled when connected to a public network.
Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclave's private network.
Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.
A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.
The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.
Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or any other undesirable multicast groups.
Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or any other undesirable multicast groups.
Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.
OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
All guest VM network communications must be implemented through use of virtual network devices provisioned by the VMM.
All interactions between guest VMs and external systems, via other interface devices, must be mediated by the VMM or its service VMs.
The BIG-IP AFM module must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The BIG-IP Core implementation must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
The F5 BIG-IP appliance must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, including perimeter firewalls and server VLANs.
The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy.
MKE host network namespace must not be shared.
The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
The NSX Tier-0 Gateway router must be configured to have all inactive interfaces removed.
The NSX Tier-1 Gateway router must be configured to have all inactive interfaces removed.
The TLS VPN must be configured to limit authenticated client sessions to initial session source IP.