Cisco ISE NAC Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-NET-000015-NAC-000020
The Cisco ISE must verify host-based firewall software is running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
Vulnerability discussion: Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen o...
Severity: High
SRG-NET-000015-NAC-000020
The Cisco ISE must verify anti-malware software is installed and up to date on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
Vulnerability discussion: New viruses and malware are consistently being discovered. If the host-based security software is not current then it will no...
Severity: High
SRG-NET-000015-NAC-000020
The Cisco ISE must be configured with a secondary log server in case the primary log is unreachable. This is required for compliance with C2C Step 1.
Vulnerability discussion: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....
Severity: Medium
SRG-NET-000088-NAC-000440
The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) if it is unable to communicate with the central event log. This is required for compliance with C2C Step 1.
Vulnerability discussion: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....
Severity: Medium
SRG-NET-000089-NAC-000450
The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.
Vulnerability discussion: Devices not compliant with DoD secure configuration policies are vulnerable to attack. Allowing these systems to connect pres...
Severity: Medium