CCI-001414
Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.
Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats.
1 rule found Severity: High

Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions.
1 rule found Severity: Medium

Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist).
1 rule found Severity: Medium

Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist).
1 rule found Severity: Medium

The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The Arista Multilayer Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
1 rule found Severity: Medium

The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: Medium

If Border Gateway Protocol (BGP) is enabled on the Arista Multilayer Switch, the Arista Multilayer Switch must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway.
1 rule found Severity: Medium

The Arista Multilayer Switch must not redistribute static routes to an alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous Systems.
1 rule found Severity: Medium

The Arista Multilayer Switch must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain.
1 rule found Severity: Medium

The Arista Multilayer Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol instances are not redistributed or advertised to each other.
1 rule found Severity: Medium

The Arista Multilayer Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.
1 rule found Severity: Medium

The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1 rule found Severity: Medium

The HP FlexFabric Switch must not redistribute static routes to an alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous Systems.
1 rule found Severity: Medium

The HP FlexFabric Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: High

If Border Gateway Protocol (BGP) is enabled on the HP FlexFabric Switch, the HP FlexFabric Switch must not be a BGP peer with an HP FlexFabric Switch from an Autonomous System belonging to any Alternate Gateway (AG).
1 rule found Severity: Medium

The HP FlexFabric Switch must enforce that Interior Gateway Protocol (IGP) instances configured on the out-of-band management gateway only peer with their own routing domain.
1 rule found Severity: Medium

The HP FlexFabric Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol (IGP) instances are not redistributed or advertised to each other.
1 rule found Severity: Medium

The HP FlexFabric Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol (IGP) that is utilized on that management interface.
1 rule found Severity: Medium

The HP FlexFabric Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
1 rule found Severity: Medium

The HP FlexFabric Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The HP FlexFabric Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The HP FlexFabric Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
1 rule found Severity: Medium

The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

The Sentry must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
2 rules found Severity: Medium

Innoslate must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
1 rule found Severity: Medium

Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: High

Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules.
1 rule found Severity: Medium

The Tanium documentation identifying recognized and trusted folders for IOC Detect Folder streams must be maintained.
1 rule found Severity: Medium

The Tanium IOC Detect Folder streams must be configured to restrict access to only authorized maintainers of IOCs.
1 rule found Severity: Medium

The Tanium documentation identifying recognized and trusted folders for Detect Local Directory Source must be maintained.
1 rule found Severity: Medium

The Tanium Detect Local Directory Source must be configured to restrict access to only authorized maintainers of Intel.
1 rule found Severity: Medium

The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained.
3 rules found Severity: Medium

The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of Threat Intel.
2 rules found Severity: Medium

The NSX-T Tier-0 Gateway must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

Dragging of content from different domains across windows must be disallowed (Restricted Sites zone).
1 rule found Severity: Medium

Dragging of content from different domains within a window must be disallowed (Restricted Sites zone).
1 rule found Severity: Medium

Websites in less privileged web content zones must be prevented from navigating into the Internet zone.
1 rule found Severity: Medium

Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone.
1 rule found Severity: Medium

Windows Defender Firewall with Advanced Security must be enabled when connected to a private network.
1 rule found Severity: Medium

Windows Defender Firewall with Advanced Security must be enabled when connected to a public network.
1 rule found Severity: Medium

The BIG-IP AFM module must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: High

The BIG-IP Core implementation must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: High

The Arista perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
1 rule found Severity: Medium

The Arista multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The Arista multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The Arista multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
1 rule found Severity: Low

The Arista perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: High

The Arista perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
1 rule found Severity: High

The Arista perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
1 rule found Severity: Low

The out-of-band management (OOBM) Arista gateway router must be configured to have separate IGP instances for the managed network and management network.
1 rule found Severity: Medium

The out-of-band management (OOBM) Arista gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
1 rule found Severity: Medium

The multicast Rendezvous Point (RP) Arista router must be configured to filter Protocol Independent Multicast (PIM) Register and Join messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
1 rule found Severity: Low

The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
1 rule found Severity: Medium

The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies.
1 rule found Severity: Medium

The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
2 rules found Severity: Low

The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
3 rules found Severity: Medium

The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
3 rules found Severity: Medium

The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
2 rules found Severity: High

The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
2 rules found Severity: High

The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
1 rule found Severity: Low

The Cisco out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
2 rules found Severity: Medium

The Cisco out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
3 rules found Severity: Medium

The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
3 rules found Severity: Medium

The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
3 rules found Severity: Medium

The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
3 rules found Severity: Low

The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
3 rules found Severity: Low

The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
3 rules found Severity: Low

The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
3 rules found Severity: Medium

The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
3 rules found Severity: Medium

The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic.
3 rules found Severity: Low

The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources.
2 rules found Severity: Low

The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups.
2 rules found Severity: Low

The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: High

The F5 BIG-IP appliance must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, including perimeter firewalls and server VLANs.
1 rule found Severity: High

The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy.
1 rule found Severity: High

The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
2 rules found Severity: Low

The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
1 rule found Severity: Medium

The Juniper router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The Juniper router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
2 rules found Severity: Low

The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: High

The Juniper perimeter router must not be configured to be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
1 rule found Severity: High

The Juniper perimeter router must not be configured to redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
1 rule found Severity: Low

The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
2 rules found Severity: Medium

The Juniper out-of-band management (OOBM) gateway router must not be configured to redistribute routes between the management network routing domain and the managed network routing domain.
1 rule found Severity: Medium

The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
2 rules found Severity: Low

The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
1 rule found Severity: Low

Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclave's private network.
1 rule found Severity: High

Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.
1 rule found Severity: Low

The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
1 rule found Severity: Low

The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.
1 rule found Severity: Low

Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or any other undesirable multicast groups.
1 rule found Severity: Low

Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or any other undesirable multicast groups.
1 rule found Severity: Low

Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.
1 rule found Severity: Low

The router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
1 rule found Severity: Low

The perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
1 rule found Severity: Medium

The multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
1 rule found Severity: Low

The perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: High

The perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
2 rules found Severity: High

The perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
1 rule found Severity: Low

The out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
1 rule found Severity: Medium

The out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
1 rule found Severity: Medium

The multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
1 rule found Severity: Low

The multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
1 rule found Severity: Low

The Trend Micro TPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions which are all contained in the Digital Vaccine (DV) updates.
1 rule found Severity: Medium

The Tanium documentation identifying recognized and trusted indicator of compromise (IOC) streams must be maintained.
1 rule found Severity: Medium

The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of threat intel.
1 rule found Severity: Medium

The Tanium documentation identifying recognized and trusted Security Content Automation Protocol (SCAP) sources must be maintained.
1 rule found Severity: Medium

The Tanium documentation identifying recognized and trusted Open Vulnerability and Assessment Language (OVAL) feeds must be maintained.
1 rule found Severity: Medium

Tanium Comply must be configured to receive Security Content Automation Protocol (SCAP) content only from trusted sources.
1 rule found Severity: Medium

Tanium Comply must be configured to receive Open Vulnerability and Assessment Language (OVAL) feeds only from trusted sources.
1 rule found Severity: Medium

The ALG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

The ALG must immediately use updates made to policy enforcement mechanisms such as policy filters, rules, signatures, and analysis algorithms for gateway and/or intermediary functions.
1 rule found Severity: Medium

The ALG that is part of a CDS must apply information flow control to data transferred between security domains by means of a policy filter which consists of a set of hardware and/or software.
1 rule found Severity: Medium

The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Cisco router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.
2 rules found Severity: Low

The Cisco perimeter router must be configured to protect an enclave connected to an approved gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: High

The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider.
1 rule found Severity: High

The Cisco perimeter router must be configured to not redistribute static routes to an approved gateway service provider into BGP, an IGP peering with the NIPRNet, or other autonomous systems.
1 rule found Severity: Low

The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an Interior Gateway Protocol (IGP) peering with the NIPRNet or to other autonomous systems.
1 rule found Severity: Low

The Cisco out-of-band management (OOBM) gateway router must be configured to have separate Interior Gateway Protocol (IGP) instances for the managed network and management network.
1 rule found Severity: Medium

The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.
1 rule found Severity: Medium

The firewall must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies (including perimeter firewalls and server VLANs).
1 rule found Severity: High

The firewall must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
1 rule found Severity: Medium

The Dell OS10 multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The Dell OS10 multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The Dell OS10 out-of-band management (OOBM) gateway router must be configured to have separate Interior Gateway Protocol (IGP) instances for the managed network and management network.
1 rule found Severity: Medium

The Dell OS10 out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
1 rule found Severity: Medium

The Dell OS10 multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.
1 rule found Severity: Low

The Dell OS10 multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
1 rule found Severity: Low

AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
1 rule found Severity: Medium

The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.
1 rule found Severity: Medium

The Juniper perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
1 rule found Severity: Medium

The Juniper perimeter router must be configured to protect an enclave connected to an approved gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
1 rule found Severity: High

The Juniper perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider.
1 rule found Severity: High

The Juniper perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
1 rule found Severity: Low

The Juniper out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.
1 rule found Severity: Medium

The Juniper multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: Medium

The Juniper multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.
1 rule found Severity: Medium

The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Juniper router (DR) for any undesirable multicast groups.
1 rule found Severity: Low

The Juniper Networks SRX Series Gateway IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
1 rule found Severity: Medium

SharePoint must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
1 rule found Severity: High

For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed, must not be installed in the DMZ.
1 rule found Severity: Medium

Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created.
1 rule found Severity: High

OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
1 rule found Severity: Medium

All guest VM network communications must be implemented through use of virtual network devices provisioned by the VMM.
1 rule found Severity: Medium

All interactions between guest VMs and external systems, via other interface devices, must be mediated by the VMM or its service VMs.
1 rule found Severity: Medium

The NSX Tier-0 Gateway router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
1 rule found Severity: High

The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
1 rule found Severity: Medium

Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443.
1 rule found Severity: High

The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
1 rule found Severity: Medium

The FortiGate firewall must use filters that use packet headers and packet attributes, including source and destination IP addresses and ports.
1 rule found Severity: High

The HP FlexFabric Switch must be configured so inactive HP FlexFabric Switch interfaces are disabled.
1 rule found Severity: Medium

The ICS must be configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
1 rule found Severity: Medium

The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.
1 rule found Severity: High
