Capacity
CCI-002385
Protect against or limit the effects of organization-defined types of denial of service events.
4
Rule
Severity: Medium
Configure firewalld To Rate Limit Connections
12
Rule
Severity: Medium
Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
7
Rule
Severity: Medium
Configure Firewalld to Use the Nftables Backend
1
Rule
Severity: Medium
Enable DoS Protections in SuSEfirewall2
1
Rule
Severity: Medium
ufw Must rate-limit network interfaces
1
Rule
Severity: High
The A10 Networks ADC must protect against TCP and UDP Denial of Service (DoS) attacks by employing Source-IP based connection-rate limiting.
1
Rule
Severity: Medium
The A10 Networks ADC must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
The A10 Networks ADC must enable DDoS filters.
1
Rule
Severity: High
The A10 Networks ADC must protect against ICMP-based Denial of Service (DoS) attacks by employing ICMP Rate Limiting.
1
Rule
Severity: Medium
Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1
Rule
Severity: Medium
Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures.
6
Rule
Severity: Medium
The Apache web server must be tuned to handle the operational requirements of the hosted application.
4
Rule
Severity: Medium
The Apache web server must be protected from being stopped by a non-privileged user.
1
Rule
Severity: Medium
The Arista Multilayer Switch must ensure all Exterior Border Gateway Protocol (eBGP) routers are configured to use Generalized TTL Security Mechanism (GTSM) or are configured to meet RFC3682.
2
Rule
Severity: Medium
The ALG must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
2
Rule
Severity: Medium
The ALG providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
2
Rule
Severity: Medium
The ALG providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
2
Rule
Severity: Medium
The ALG providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
2
Rule
Severity: Medium
The application server, when a MAC I system, must be in a high-availability (HA) cluster.
2
Rule
Severity: Medium
The application server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
2
Rule
Severity: Low
The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must have BPDU Guard enabled on all switch ports connecting to access layer switches and hosts.
2
Rule
Severity: Medium
The Arista MLS switch must have STP Loop Guard enabled on all nondesignated STP switch ports.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
2
Rule
Severity: Medium
The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
2
Rule
Severity: Medium
The Arista router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
2
Rule
Severity: Medium
The Arista router must be configured to have gratuitous ARP disabled on all external interfaces.
2
Rule
Severity: Low
The Arista router must be configured to have IP directed broadcast disabled on all interfaces.
2
Rule
Severity: Medium
The Arista router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
2
Rule
Severity: Medium
The Arista router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
2
Rule
Severity: Medium
The Arista router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
2
Rule
Severity: Medium
The Arista BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
2
Rule
Severity: Low
The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
2
Rule
Severity: Low
The multicast Rendezvous Point (RP) Arista router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
2
Rule
Severity: Medium
The Arista multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Low
The Arista BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).
2
Rule
Severity: Medium
XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
1
Rule
Severity: Medium
The CA API Gateway must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the CA API Gateway management network by employing organization-defined security safeguards.
1
Rule
Severity: Medium
The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1
Rule
Severity: Medium
The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
The on-failure container restart policy must be is set to 5 in Docker Enterprise.
1
Rule
Severity: Medium
The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
2
Rule
Severity: High
The firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The FortiGate device must protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1
Rule
Severity: High
The FortiGate firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have Root Guard enabled on all ports where the root bridge should not appear.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have BPDU Guard enabled on all user-facing access ports.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have STP Loop Protection enabled all non-designated STP switch ports.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have unknown storm-constrain enabled.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
1
Rule
Severity: Medium
The HP FlexFabric Switch must have Dynamic ARP Inspection (DAI) enabled on all user VLANs.
1
Rule
Severity: Medium
The HP FlexFabric Switch must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the HP FlexFabric Switch management network by employing organization-defined security safeguards.
1
Rule
Severity: Medium
The HP FlexFabric Switch must protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.
1
Rule
Severity: Medium
The HP FlexFabric Switch must ensure all Exterior Border Gateway Protocol (eBGP) HP FlexFabric Switches are configured to use Generalized TTL Security Mechanism (GTSM).
1
Rule
Severity: High
The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
1
Rule
Severity: Medium
The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
1
Rule
Severity: Medium
The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
1
Rule
Severity: Medium
The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster.
1
Rule
Severity: Medium
The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.
1
Rule
Severity: Low
The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster.
1
Rule
Severity: Medium
The WebSphere Application Server high availability applications must be installed on a cluster.
1
Rule
Severity: Low
The WebSphere Application Server memory session settings must be defined according to application load requirements.
1
Rule
Severity: Medium
The WebSphere Application Server thread pool size must be defined according to application load requirements.
2
Rule
Severity: Medium
The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
2
Rule
Severity: Medium
The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection.
2
Rule
Severity: Medium
The IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
2
Rule
Severity: Low
The Sentry must implement load balancing to limit the effects of known and unknown types of Denial-of-Service (DoS) attacks.
2
Rule
Severity: Medium
The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
2
Rule
Severity: Medium
The Juniper router must be configured to protect against known types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
4
Rule
Severity: Medium
The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
4
Rule
Severity: Medium
The Juniper router must be configured to have Gratuitous ARP disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
4
Rule
Severity: Low
The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).
1
Rule
Severity: High
The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by implementing statistics-based screens.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of Denial of Service (DoS) attacks on the network.
1
Rule
Severity: High
The Juniper SRX Services Gateway Firewall must protect against known types of Denial of Service (DoS) attacks by implementing signature-based screens.
2
Rule
Severity: Medium
The Juniper BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
4
Rule
Severity: Low
The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
2
Rule
Severity: Low
The Juniper PE router must be configured to implement Protocol Independent Multicast (PIM) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Low
The Juniper multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
4
Rule
Severity: Medium
The Juniper multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
4
Rule
Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
2
Rule
Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access.
2
Rule
Severity: Low
The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself.
2
Rule
Severity: Low
The layer 2 switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
2
Rule
Severity: Medium
The layer 2 switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
2
Rule
Severity: Medium
The layer 2 switch must have STP Loop Guard enabled on all non-designated STP switch ports.
2
Rule
Severity: Medium
The layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
2
Rule
Severity: Medium
The layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
2
Rule
Severity: Medium
The layer 2 switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
2
Rule
Severity: Medium
The layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
1
Rule
Severity: Medium
Exchange must provide redundancy.
4
Rule
Severity: Medium
Exchange must not send delivery reports to remote domains.
4
Rule
Severity: Medium
Exchange must not send nondelivery reports to remote domains.
8
Rule
Severity: Medium
The Exchange SMTP automated banner response must not reveal server details.
2
Rule
Severity: Medium
Exchange must provide Mailbox databases in a highly available and redundant configuration.
4
Rule
Severity: Medium
Exchange internal Send connectors must use an authentication level.
1
Rule
Severity: Medium
A host-based firewall must be configured on the SCOM management servers.
2
Rule
Severity: High
ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
2
Rule
Severity: Medium
The network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1
Rule
Severity: Medium
Nutanix AOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1
Rule
Severity: Medium
OHS must be tuned to handle the operational requirements of the hosted application.
1
Rule
Severity: Medium
Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
2
Rule
Severity: High
The configuration integrity of the container platform must be ensured and compliance policies must be configured.
1
Rule
Severity: Medium
Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
1
Rule
Severity: Medium
Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
2
Rule
Severity: Medium
The Riverbed NetProfiler must be configured to protect against known types of denial-of-service (DOS) attacks by restricting web and SSH access to the appliance.
2
Rule
Severity: Medium
The router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
2
Rule
Severity: Medium
The router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
2
Rule
Severity: Medium
The router must be configured to have Gratuitous ARP disabled on all external interfaces.
2
Rule
Severity: Low
The router must be configured to have IP directed broadcast disabled on all interfaces.
2
Rule
Severity: Medium
The router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
2
Rule
Severity: Medium
The router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
2
Rule
Severity: Medium
The router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
2
Rule
Severity: Medium
The BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
2
Rule
Severity: Low
The BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
2
Rule
Severity: Low
The PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Low
The multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
2
Rule
Severity: Medium
The multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
2
Rule
Severity: Medium
The multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
2
Rule
Severity: Low
The BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the network device management network by employing organization-defined security safeguards.
2
Rule
Severity: Medium
The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.
1
Rule
Severity: Medium
The SEL-2740S must be configured to prevent packet flooding and bandwidth saturation.
1
Rule
Severity: Medium
SEL-2740S flow rules must include the host IP addresses that are bound to designated SEL-2740S ports for ensuring trusted host access.
1
Rule
Severity: Medium
The SEL-2740S must be configured with ARP flow rules that are statically created with valid IP-to-MAC address bindings.
1
Rule
Severity: Medium
The SEL-2740S must be configured to permit the maintenance and diagnostics communications to specified OTSDN Controller(s).
1
Rule
Severity: Medium
Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
1
Rule
Severity: Medium
Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
Tanium must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
1
Rule
Severity: Medium
Tanium service must be protected from being stopped by a non-privileged user.
2
Rule
Severity: Medium
The Tanium web server must be tuned to handle the operational requirements of the hosted application.
1
Rule
Severity: High
Symantec ProxySG must enable Attack Detection.
1
Rule
Severity: Medium
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a Denial of Service (DoS) condition at the server.
1
Rule
Severity: Medium
The Tanium application service must be protected from being stopped by a non-privileged user.
2
Rule
Severity: Medium
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial of service (DoS) condition at the server.
2
Rule
Severity: Medium
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
2
Rule
Severity: Medium
The Tanium application service must be protected from being stopped by a nonprivileged user.
1
Rule
Severity: Medium
The TPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
2
Rule
Severity: Medium
The TippingPoint SMS must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
2
Rule
Severity: Medium
The Tanium Operating System (TanOS) must protect against or limit the effects of denial of service (DoS) attacks by employing organization-defined security safeguards.
1
Rule
Severity: Medium
The NSX-T Distributed Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The NSX-T Manager must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
1
Rule
Severity: Medium
The NSX-T Tier-1 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to use the BGP maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
2
Rule
Severity: Medium
The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
2
Rule
Severity: Medium
Tomcat server must be patched for security vulnerabilities.
3
Rule
Severity: Medium
The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
2
Rule
Severity: High
The Cisco ASA must be configured to implement scanning threat detection.
4
Rule
Severity: Medium
The Cisco router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
2
Rule
Severity: High
The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
4
Rule
Severity: Medium
The Cisco router must be configured to have Gratuitous ARP disabled on all external interfaces.
6
Rule
Severity: Low
The Cisco router must be configured to have IP directed broadcast disabled on all interfaces.
6
Rule
Severity: Medium
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
4
Rule
Severity: Low
The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
4
Rule
Severity: Low
The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
8
Rule
Severity: Medium
The Cisco multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.
6
Rule
Severity: Medium
The Cisco multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
6
Rule
Severity: Medium
The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Medium
The Cisco ASA must be configured to protect against known types of denial-of-service (DoS) attacks by enabling the Threat Detection feature.
2
Rule
Severity: Medium
The Cisco router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
6
Rule
Severity: Low
The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).
4
Rule
Severity: Low
The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches.
2
Rule
Severity: Medium
The Cisco switch must have Bridge Protocol Data Unit (BPDU) Guard enabled on all user-facing or untrusted access switch ports.
2
Rule
Severity: Medium
The Cisco switch must have Spanning Tree Protocol (STP) Loop Guard enabled.
6
Rule
Severity: Medium
The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled.
6
Rule
Severity: Medium
The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
6
Rule
Severity: Medium
The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports.
6
Rule
Severity: Medium
The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
4
Rule
Severity: Medium
The Cisco switch must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
4
Rule
Severity: High
The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
2
Rule
Severity: Medium
The Cisco switch must be configured to have gratuitous ARP disabled on all external interfaces.
6
Rule
Severity: Low
The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces.
6
Rule
Severity: Medium
The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
4
Rule
Severity: Medium
The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.
4
Rule
Severity: Medium
The Cisco multicast Designated switch (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
4
Rule
Severity: Medium
The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.
4
Rule
Severity: Medium
The Cisco switch must have STP Loop Guard enabled.
3
Rule
Severity: Medium
The Cisco switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
2
Rule
Severity: High
The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.
2
Rule
Severity: Low
The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer.
4
Rule
Severity: Low
The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
4
Rule
Severity: Medium
The Cisco switch must be configured to have Gratuitous ARP disabled on all external interfaces.
2
Rule
Severity: Low
The Cisco BGP switch must be configured to enable the Generalized TTL Security Mechanism (GTSM).
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
4
Rule
Severity: Low
The Cisco BGP switch must be configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer.
4
Rule
Severity: Low
The Cisco PE switch must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
4
Rule
Severity: Low
The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.
2
Rule
Severity: Low
The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
2
Rule
Severity: Low
The Cisco switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.
2
Rule
Severity: Medium
The Cisco ISE must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
2
Rule
Severity: Medium
The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.
2
Rule
Severity: Low
The Cisco BGP switch must be configured to check whether a single-hop eBGP peer is directly connected.
2
Rule
Severity: Medium
The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
2
Rule
Severity: Medium
The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
AIX must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring AIX is implementing rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
1
Rule
Severity: Low
The Juniper EX switch must be configured to enable Root Protection on all interfaces connecting to access layer switches and hosts.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enable STP Loop Protection on all non-designated STP switch ports.
2
Rule
Severity: Medium
The Juniper EX switch must be configured not to forward unknown unicast traffic to access interfaces.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enable DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enable IP Source Guard on all user-facing or untrusted access VLANs.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enable Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on all user VLANs.
2
Rule
Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
2
Rule
Severity: Medium
The Juniper router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
2
Rule
Severity: Low
The Juniper router must be configured to have IP directed broadcast disabled on all interfaces.
2
Rule
Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper BGP router must be configured to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.
2
Rule
Severity: Low
The Juniper PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Low
The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.
2
Rule
Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1
Rule
Severity: Medium
Exchange Internal Send connectors must use an authentication level.
2
Rule
Severity: Medium
Exchange internal send connectors must use an authentication level.
2
Rule
Severity: Medium
Exchange must provide mailbox databases in a highly available and redundant configuration.
2
Rule
Severity: Medium
Access to web administration tools must be restricted to the web manager and the web managers designees.
2
Rule
Severity: Medium
The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted application.
4
Rule
Severity: Low
The system must be configured to ignore NetBIOS name release requests except from WINS servers.
2
Rule
Severity: Low
Turning off File Explorer heap termination on corruption must be disabled.
2
Rule
Severity: Low
File Explorer heap termination on corruption must be disabled.
2
Rule
Severity: Low
Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
2
Rule
Severity: Low
Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
2
Rule
Severity: Low
Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers.
2
Rule
Severity: Medium
Multicast register messages must be rate limited per each source-group (S, G) entry.
2
Rule
Severity: Medium
The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
2
Rule
Severity: Medium
The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
2
Rule
Severity: Low
Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
2
Rule
Severity: Medium
The DBMS must protect against or limit the effects of organization-defined types of Denial of Service (DoS) attacks.
2
Rule
Severity: Medium
The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
A firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces.
1
Rule
Severity: High
The Palo Alto Networks security platform must protect against Denial of Service (DoS) attacks from external sources.
4
Rule
Severity: Medium
The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
2
Rule
Severity: Medium
Automation Controller must be configured to fail over to another system in the event of log subsystem failure.
2
Rule
Severity: Medium
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.
2
Rule
Severity: Medium
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
2
Rule
Severity: Medium
The Automation Controller NGINX web server must be protected from being stopped by a nonprivileged user.
2
Rule
Severity: Medium
A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
2
Rule
Severity: Medium
RHEL 9 must be configured to use TCP syncookies.
2
Rule
Severity: High
SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.
2
Rule
Severity: Medium
The VMM must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the VMM is implementing rate-limiting measures on impacted network interfaces.
1
Rule
Severity: Medium
VAMI must be protected from being stopped by a nonprivileged user.
1
Rule
Severity: Medium
Performance Charts must disable the shutdown port.
1
Rule
Severity: Medium
ESX Agent Manager must disable the shutdown port.
1
Rule
Severity: Medium
Lookup Service must disable the shutdown port.
1
Rule
Severity: Medium
The Photon operating system must use Transmission Control Protocol (TCP) syncookies.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must limit the number of maximum concurrent connections permitted.
1
Rule
Severity: Medium
The Security Token Service must disable the shutdown port.
3
Rule
Severity: Medium
The vCenter Lookup service must limit the number of maximum concurrent connections permitted.
1
Rule
Severity: Medium
vSphere UI must disable the shutdown port.
3
Rule
Severity: Medium
The Photon operating system must be configured to use TCP syncookies.
2
Rule
Severity: Medium
The web server must be protected from being stopped by a non-privileged user.
2
Rule
Severity: Medium
The web server must be tuned to handle the operational requirements of the hosted application.
1
Rule
Severity: High
The BIG-IP appliance must be configured to protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the BIG-IP appliance management network by limiting the number of concurrent sessions.
1
Rule
Severity: Low
If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.
2
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.
1
Rule
Severity: High
The BIG-IP Core implementation must be configured to protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis when providing content filtering to virtual servers.
1
Rule
Severity: High
The BIG-IP Core implementation must be configured to implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks to virtual servers.
1
Rule
Severity: High
The BIG-IP Core implementation must be configured to protect against known types of Denial of Service (DoS) attacks by employing signatures when providing content filtering to virtual servers.
1
Rule
Severity: High
The BIG-IP Core implementation must be configured to protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors when providing content filtering to virtual servers.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the Uncomplicated Firewall (ufw) to rate-limit impacted network interfaces.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing content filtering must employ rate-based attack prevention behavior analysis.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing content filtering must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing pattern recognition pre-processors.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organizationally defined security safeguards.
1
Rule
Severity: High
The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.
1
Rule
Severity: High
The ICS must be configured to protect against known types of denial-of-service (DoS) attacks by enabling JITC mode.
1
Rule
Severity: Low
The Juniper EX switch must be configured to enable Root Protection on STP switch ports connecting to access layer switches.
1
Rule
Severity: High
The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by implementing statistics-based screens.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of denial-of-service (DoS) attacks on the network.
1
Rule
Severity: High
The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens.
1
Rule
Severity: High
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1
Rule
Severity: High
The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
1
Rule
Severity: Medium
The multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
1
Rule
Severity: Medium
The TPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures.
1
Rule
Severity: Medium
The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The NSX Manager must be configured to protect against denial-of-service (DoS) attacks by limit the number of concurrent sessions to an organization-defined number.
1
Rule
Severity: High
The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway router must be configured to use the Border Gateway Protocol (BGP) maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
1
Rule
Severity: Medium
A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring TOSS can implement rate-limiting measures on impacted network interfaces.
1
Rule
Severity: High
The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules