Capacity
CCI-002403
Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
1
Rule
Severity: Medium
The A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists.
1
Rule
Severity: Medium
Kona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
1
Rule
Severity: Medium
The Arista Multilayer Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.
2
Rule
Severity: Medium
The ALG must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.
2
Rule
Severity: Low
The Arista perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.
2
Rule
Severity: Medium
The Arista perimeter router must be configured to have Proxy ARP disabled on all external interfaces.
2
Rule
Severity: Low
The Arista multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
2
Rule
Severity: Medium
The Arista multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
2
Rule
Severity: Medium
The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.
3
Rule
Severity: Medium
The perimeter router must be configured to block all packets with any IP options.
3
Rule
Severity: Medium
The PE router must be configured to ignore or block all packets with any IP options.
1
Rule
Severity: Medium
The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
2
Rule
Severity: Medium
The firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
2
Rule
Severity: Medium
The firewall must apply egress filters to traffic that is outbound from the network through any internal interface.
2
Rule
Severity: Medium
The premise firewall (located behind the premise router) must block all outbound management traffic.
2
Rule
Severity: Medium
The firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.
1
Rule
Severity: Medium
The FortiGate firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
1
Rule
Severity: Medium
The FortiGate firewall must apply egress filters to traffic outbound from the network through any internal interface.
1
Rule
Severity: Medium
When employed as a premise firewall, FortiGate must block all outbound management traffic.
1
Rule
Severity: Medium
The FortiGate firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.
1
Rule
Severity: Medium
The HP FlexFabric Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.
1
Rule
Severity: Medium
The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
1
Rule
Severity: Medium
The DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service.
2
Rule
Severity: Medium
The Sentry must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to block all packets with any IP options.
2
Rule
Severity: Low
The Juniper perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations.
4
Rule
Severity: Medium
The Juniper PE router must be configured to ignore or block all packets with any IP options.
2
Rule
Severity: Low
The Juniper multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
2
Rule
Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
4
Rule
Severity: Medium
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.
4
Rule
Severity: Medium
The Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.
2
Rule
Severity: Medium
The perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
2
Rule
Severity: Medium
The perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.
2
Rule
Severity: Low
The perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.
2
Rule
Severity: Medium
The perimeter router must be configured to have Proxy ARP disabled on all external interfaces.
2
Rule
Severity: Low
The multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
2
Rule
Severity: Medium
The multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
2
Rule
Severity: Medium
The Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.
2
Rule
Severity: Medium
The router must not be configured to have any feature enabled that calls home to the vendor.
2
Rule
Severity: Medium
The perimeter router must be configured to drop IPv6 undetermined transport packets.
2
Rule
Severity: Medium
The perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255.
2
Rule
Severity: Medium
The perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.
2
Rule
Severity: Medium
The perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.
2
Rule
Severity: Medium
The perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.
2
Rule
Severity: Medium
The perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.
2
Rule
Severity: Medium
The perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.
2
Rule
Severity: Medium
The SDN controller must be configured to only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
1
Rule
Severity: Medium
Symantec ProxySG must allow incoming communications only from organization-defined authorized sources routed to organization-defined authorized destinations.
1
Rule
Severity: Medium
The NSX-T Tier-1 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
2
Rule
Severity: Medium
The Cisco ASA must be configured to filter inbound traffic on all external interfaces.
2
Rule
Severity: Medium
The Cisco ASA must be configured to filter outbound traffic on all internal interfaces.
2
Rule
Severity: Medium
The Cisco ASA perimeter firewall must be configured to block all outbound management traffic.
2
Rule
Severity: Medium
The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.
6
Rule
Severity: Low
The Cisco perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.
6
Rule
Severity: Low
The Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to have Proxy ARP disabled on all external interfaces.
6
Rule
Severity: Low
The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
6
Rule
Severity: Medium
The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
6
Rule
Severity: Medium
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to block all packets with any IP options.
2
Rule
Severity: Medium
The Cisco PE router must be configured to drop all packets with any IP options.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to drop IPv6 undetermined transport packets.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.
6
Rule
Severity: Medium
The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.
6
Rule
Severity: Low
The Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.
6
Rule
Severity: Low
The Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.
6
Rule
Severity: Low
The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.
6
Rule
Severity: Medium
The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
6
Rule
Severity: Medium
The Cisco perimeter switch must be configured to block all packets with any IP options.
6
Rule
Severity: Medium
The Cisco PE switch must be configured to ignore or drop all packets with any IP options.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured to drop IPv6 undetermined transport packets.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.
4
Rule
Severity: Medium
The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.
2
Rule
Severity: Medium
The Cisco PE router must be configured to ignore or drop all packets with any IP options.
4
Rule
Severity: Medium
The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers.
2
Rule
Severity: Medium
The Cisco PE router must be configured to ignore or block all packets with any IP options.
2
Rule
Severity: Medium
The Cisco switch must not be configured to have any feature enabled that calls home to the vendor.
2
Rule
Severity: Medium
The Juniper router must not be configured to have any feature enabled that calls home to the vendor.
2
Rule
Severity: Low
The Juniper perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.
2
Rule
Severity: Low
The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join only multicast groups that have been approved by the organization.
2
Rule
Severity: Medium
The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.
2
Rule
Severity: Medium
The Juniper perimeter router must be configured to drop fragmented IPv6 packets where the first fragment does not include the entire IPv6 header chain.
2
Rule
Severity: Medium
The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.
3
Rule
Severity: Medium
The network device must not be configured to have any feature enabled that calls home to the vendor.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must only allow incoming communications from organization-defined authorized sources forwarded to organization-defined authorized destinations.
1
Rule
Severity: Medium
The BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to only allow incoming communications from authorized sources routed to authorized destinations.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to filter inbound traffic on all external interfaces.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to filter outbound traffic on all internal interfaces.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to block all outbound management traffic.
1
Rule
Severity: Medium
The perimeter router must be configured to block all outbound management traffic.
1
Rule
Severity: Medium
The NSX Tier-0 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception.
1
Rule
Severity: Medium
The NSX Tier-1 Gateway firewall must deny network communications traffic by default and allow network communications traffic by exception.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules