Capacity
CCI-004891
Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: Medium | The ALG must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: Medium | The Arista MLS layer 2 switch must have all disabled switch ports assigned to an unused VLAN.
1 Rule | Severity: Medium | The Arista MLS layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.
1 Rule | Severity: Medium | The Arista MLS layer 2 switch must have the default VLAN pruned from all trunk ports that do not require it.
1 Rule | Severity: Medium | The Arista MLS layer 2 switch must have all user-facing or untrusted ports configured as access switch ports.
1 Rule | Severity: Medium | The Arista MLS layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
1 Rule | Severity: Low | The Arista MLS layer 2 switch must not have any switch ports assigned to the native VLAN.
1 Rule | Severity: Medium | The Cisco ASA must be configured to filter inbound traffic on all external interfaces.
1 Rule | Severity: Medium | The Cisco ASA must be configured to filter outbound traffic on all internal interfaces.
3 Rule | Severity: Medium | The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
3 Rule | Severity: Medium | The Cisco switch must have all disabled switch ports assigned to an unused VLAN.
3 Rule | Severity: Medium | The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.
3 Rule | Severity: Medium | The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.
3 Rule | Severity: Medium | The Cisco switch must have all user-facing or untrusted ports configured as access switch ports.
3 Rule | Severity: Medium | The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
3 Rule | Severity: Low | The Cisco switch must not have any switchports assigned to the native VLAN.
2 Rule | Severity: Medium | The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.
1 Rule | Severity: Medium | The firewall must be configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: Medium | The IDPS must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: High | The ICS must be configured to use TLS 1.2, at a minimum.
1 Rule | Severity: Medium | The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN.
1 Rule | Severity: Medium | The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface.
1 Rule | Severity: Medium | The Juniper EX switch must not use the default VLAN for management traffic.
1 Rule | Severity: Medium | The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
1 Rule | Severity: Medium | The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.
1 Rule | Severity: Medium | The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.
1 Rule | Severity: High | The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs.
1 Rule | Severity: High | The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).
1 Rule | Severity: High | The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.
1 Rule | Severity: Medium | For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources.
1 Rule | Severity: Medium | The Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations.
1 Rule | Severity: Medium | The layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: High | The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
1 Rule | Severity: High | The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
1 Rule | Severity: Medium | The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
1 Rule | Severity: Medium | The Palo Alto Networks security platform must only allow incoming communications from organization-defined authorized sources forwarded to organization-defined authorized destinations.
1 Rule | Severity: Medium | The router must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: Medium | The SDN controller must be configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
1 Rule | Severity: Medium | The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
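The Arista and Cisco layer 2 switch rules above (disabled ports parked in an unused VLAN, no host-facing port in the default VLAN, default VLAN pruned from trunks, untrusted ports in access mode, a non-default native VLAN on 802.1q trunks, no access port in a native VLAN) are mechanical enough to check from a running-config. The following audit script is an added example written for this page; it is not the STIG's own check content and not vendor code. It assumes the operator names the uplink interfaces (every other port is treated as host-facing/untrusted) and supplies the VLAN IDs reserved as unused "parking" VLANs; the sample config is constructed for the example.

```python
"""Added example, not part of the STIG listing: audit an IOS-style switch
running-config against the layer 2 VLAN rules above. Assumptions (not from
the page): the operator names the uplink interfaces (every other port is
treated as host-facing/untrusted) and the VLAN IDs reserved as unused
"parking" VLANs for disabled ports."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEFAULT_VLAN = 1
Finding = Tuple[str, str, str]  # (interface, severity, rule violated)

@dataclass
class Port:
    name: str
    shutdown: bool = False
    mode: str = "access"                      # "access" or "trunk"
    access_vlan: int = DEFAULT_VLAN           # IOS default when no access VLAN is set
    native_vlan: int = DEFAULT_VLAN           # IOS default native VLAN on a dot1q trunk
    allowed_vlans: Optional[Set[int]] = None  # None: no allowed list, so all VLANs incl. 1

def expand_vlan_list(spec: str) -> Set[int]:
    """'10,20-22,30' -> {10, 20, 21, 22, 30}"""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> List[Port]:
    """Collect the switchport statements under each 'interface' stanza."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            cur = Port(name=raw.split(None, 1)[1].strip())
            ports.append(cur)
            continue
        if cur is None or not raw.startswith(" "):
            cur = None  # '!' or a global line ends the stanza
            continue
        line = raw.strip()
        last = line.split()[-1]
        if line == "shutdown":
            cur.shutdown = True
        elif line.startswith("switchport mode "):
            cur.mode = last
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(last)
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(last)
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed_vlans = expand_vlan_list(last)  # add/remove/except forms not handled
    return ports

def audit(ports: List[Port], uplinks: Set[str], unused_vlans: Set[int]) -> List[Finding]:
    out: List[Finding] = []
    # VLAN IDs serving as native VLAN on any live trunk (for the Low-severity rule)
    native_vlans = {p.native_vlan for p in ports if p.mode == "trunk" and not p.shutdown}
    for p in ports:
        if p.shutdown:
            if p.mode != "access" or p.access_vlan not in unused_vlans:
                out.append((p.name, "Medium", "disabled port not assigned to an unused VLAN"))
        elif p.name in uplinks:
            if p.mode == "trunk":
                if p.native_vlan == DEFAULT_VLAN:
                    out.append((p.name, "Medium", "native VLAN on 802.1q trunk is the default VLAN"))
                if p.allowed_vlans is None or DEFAULT_VLAN in p.allowed_vlans:
                    out.append((p.name, "Medium", "default VLAN not pruned from trunk"))
        elif p.mode != "access":
            out.append((p.name, "Medium", "user-facing port not configured as an access port"))
        else:
            if p.access_vlan == DEFAULT_VLAN:
                out.append((p.name, "Medium", "host-facing port assigned to the default VLAN"))
            if p.access_vlan in native_vlans:
                out.append((p.name, "Low", "port assigned to a native VLAN"))
    return out

# Constructed sample running-config (not from a real device): Gi1/0/1 is a user
# port left as a trunk, Gi1/0/3 is shut but still in VLAN 1, Gi1/0/5 is a host
# port in the trunks' native VLAN, Gi1/0/23 is a compliant uplink, Gi1/0/24 an
# uplink with native VLAN 1 and VLAN 1 not pruned.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
interface GigabitEthernet1/0/3
 shutdown
interface GigabitEthernet1/0/5
 switchport access vlan 900
 switchport mode access
interface GigabitEthernet1/0/23
 switchport trunk native vlan 900
 switchport trunk allowed vlan 10,20-30,900
 switchport mode trunk
interface GigabitEthernet1/0/24
 switchport mode trunk
"""
UPLINKS = {"GigabitEthernet1/0/23", "GigabitEthernet1/0/24"}
UNUSED_VLANS = {999}

def audit_sample() -> List[Finding]:
    return audit(parse_config(SAMPLE_CONFIG), UPLINKS, UNUSED_VLANS)
```

Against the sample it reports five findings: the trunked user port, the shut port still in VLAN 1, the printer in the native VLAN (the Low rule), and two findings on the uplink that kept native VLAN 1 and never pruned it. Note the two IOS defaults the checker relies on: a port with no `switchport access vlan` sits in VLAN 1, and a trunk with no `switchport trunk allowed vlan` carries every VLAN, so silence in the config is itself a finding. Feed it `show running-config` output and your own uplink and parking-VLAN sets; the `add`/`remove`/`except` forms of the allowed-list command are left unhandled here and would need to be folded in before use on a real fleet.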
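The three Juniper SRX VPN rules (AES in the IPsec proposal, AES in the IKE proposal, a FIPS 140-2 validated DH group) can be checked the same way from `show configuration | display set` output. This is an added example for this page, not the STIG's check procedure and not Juniper code. The approved DH-group set is an assumption made here (group14 plus the ECP groups 19, 20 and 21, which is one reading of NIST SP 800-56A) and should be replaced with whatever your current guidance lists; the sample configuration is constructed.

```python
"""Added example, not from the page: check Junos set-format IKE and IPsec
proposals on an SRX against the three VPN rules above. APPROVED_DH is an
assumption of this example, not a list taken from the STIG."""
from typing import Dict, List, Tuple

APPROVED_DH = {"group14", "group19", "group20", "group21"}
Finding = Tuple[str, str, str, str]  # (kind, proposal, severity, detail)

# Constructed sample configuration, not from a real device.
SAMPLE_SET = """\
set security ike proposal IKE-LEGACY authentication-method pre-shared-keys
set security ike proposal IKE-LEGACY dh-group group2
set security ike proposal IKE-LEGACY encryption-algorithm 3des-cbc
set security ike proposal IKE-FIPS dh-group group14
set security ike proposal IKE-FIPS encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-LEGACY encryption-algorithm des-cbc
set security ipsec proposal IPSEC-FIPS encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC-NOENC protocol ah
"""

def parse_proposals(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """-> {'ike': {name: {attr: value}}, 'ipsec': {name: {attr: value}}}"""
    out: Dict[str, Dict[str, Dict[str, str]]] = {"ike": {}, "ipsec": {}}
    for line in text.splitlines():
        parts = line.split()
        # set security <ike|ipsec> proposal <name> <attr> <value...>
        if len(parts) >= 6 and parts[:2] == ["set", "security"] and parts[3] == "proposal":
            kind, name = parts[2], parts[4]
            if kind in out:
                out[kind].setdefault(name, {})[parts[5]] = " ".join(parts[6:])
    return out

def check_proposals(props: Dict[str, Dict[str, Dict[str, str]]]) -> List[Finding]:
    findings: List[Finding] = []
    for name, attrs in props["ike"].items():
        enc = attrs.get("encryption-algorithm", "")
        if not enc.startswith("aes-"):
            findings.append(("ike", name, "High", f"IKE encryption is {enc or 'unset'}, not AES"))
        dh = attrs.get("dh-group", "")
        if dh not in APPROVED_DH:
            findings.append(("ike", name, "Medium", f"DH group {dh or 'unset'} is not in the approved set"))
    for name, attrs in props["ipsec"].items():
        enc = attrs.get("encryption-algorithm", "")
        # an AH-only proposal has no encryption at all and is flagged the same way
        if not enc.startswith("aes-"):
            findings.append(("ipsec", name, "High", f"IPsec encryption is {enc or 'unset'}, not AES"))
    return findings

def check_sample() -> List[Finding]:
    return check_proposals(parse_proposals(SAMPLE_SET))
```

On the sample this flags the 3DES IKE proposal twice (cipher and group2), the single-DES IPsec proposal, and the AH-only proposal that encrypts nothing, while the two FIPS proposals pass. A proposal only matters once an IKE or IPsec policy references it, so on a real device pair this with a check of which proposals the policies actually select.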