Cisco ISE NAC Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The Cisco ISE must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or ...Rule Medium Severity -
Before establishing a connection with a Network Time Protocol (NTP) server, the Cisco ISE must authenticate the server using a bidirectional, cryptographically based authentication method built on a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm. This is required for compliance with C2C Step 1.
If the NTP server is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log t...Rule Medium Severity -
The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.
Devices not compliant with DoD secure configuration policies are vulnerable to attack. Allowing these systems to connect presents a danger to the enclave. This requirement gives the option to conf...Rule Medium Severity -
SRG-NET-000322-NAC-001230
Group -
The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.
Devices that do not meet minimum security configuration requirements pose a risk to the DoD network and information assets. Endpoint devices must be disconnected or given limited access as desi...Rule Medium Severity -
SRG-NET-000492-NAC-002100
Group -
The Cisco ISE must generate a log record when an endpoint fails authentication. This is required for compliance with C2C Step 1.
Failing the Cisco ISE assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of...Rule Medium Severity -
SRG-NET-000492-NAC-002101
Group -
The Cisco ISE must generate a log record when the client machine fails posture assessment because required security software is missing or has been deleted. This is required for compliance with C2C Step 1.
Failing the Cisco ISE assessment means an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the ...Rule Medium Severity -
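The two logging requirements above (SRG-NET-000492-NAC-002100 and -002101) are only useful if the records ISE emits are actually consumed and acted on. The following is an added example, not part of the STIG and not Cisco code: a small Python consumer that parses ISE-style syslog records, keeps only authentication-failure events, and flags endpoints that fail repeatedly. It assumes ISE's key=value syslog layout (a CISE_* category, a message code such as 5400 for "Authentication failed", then comma-separated fields like Calling-Station-ID and FailureReason); the sample lines, hostnames, MAC addresses and values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of Cisco ISE syslog output.
# Field names follow ISE's key=value layout; hosts, MACs and values are made up.
SAMPLE_SYSLOG = """\
<181>Mar 04 09:12:01 ise-pan01 CISE_Failed_Attempts 0000010421 1 0 2024-03-04 09:12:01.412 +00:00 0000932101 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=112, Device IP Address=10.20.1.5, UserName=host/LAPTOP-7F3A, Calling-Station-ID=00-1B-44-11-3A-B7, NAS-Port-Type=Ethernet, FailureReason=22056 Subject not found in the applicable identity store(s), NetworkDeviceName=sw-floor2,
<181>Mar 04 09:12:07 ise-pan01 CISE_Failed_Attempts 0000010422 1 0 2024-03-04 09:12:07.001 +00:00 0000932102 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=112, Device IP Address=10.20.1.5, UserName=host/LAPTOP-7F3A, Calling-Station-ID=00-1B-44-11-3A-B7, FailureReason=22056 Subject not found in the applicable identity store(s), NetworkDeviceName=sw-floor2,
<181>Mar 04 09:12:40 ise-pan01 CISE_Failed_Attempts 0000010423 1 0 2024-03-04 09:12:40.770 +00:00 0000932103 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=112, Device IP Address=10.20.1.5, UserName=host/LAPTOP-7F3A, Calling-Station-ID=00-1B-44-11-3A-B7, FailureReason=22056 Subject not found in the applicable identity store(s), NetworkDeviceName=sw-floor2,
<181>Mar 04 09:13:15 ise-pan01 CISE_Failed_Attempts 0000010424 1 0 2024-03-04 09:13:15.210 +00:00 0000932104 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=112, Device IP Address=10.20.3.9, UserName=jdoe, Calling-Station-ID=3C-22-FB-9A-01-CC, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password, NetworkDeviceName=sw-floor4,
<181>Mar 04 09:14:02 ise-pan01 CISE_Passed_Authentications 0000010425 1 0 2024-03-04 09:14:02.003 +00:00 0000932105 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=112, Device IP Address=10.20.3.9, UserName=jdoe, Calling-Station-ID=3C-22-FB-9A-01-CC, NetworkDeviceName=sw-floor4,
"""

# Header layout assumed here: optional syslog PRI, BSD timestamp, host, CISE_*
# category, sequence/total/index, ISE timestamp (three tokens), session id,
# message code, severity, message class, then the comma-separated body.
HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<category>CISE_\w+) (?P<seq>\d+) (?P<total>\d+) (?P<index>\d+) "
    r"(?P<isots>\S+ \S+ \S+) (?P<session>\d+) (?P<code>\d+) (?P<severity>\w+) "
    r"(?P<msgclass>[\w-]+): (?P<body>.*)$"
)

AUTH_FAILED = 5400  # ISE message code for "Authentication failed" (assumed)


def parse_record(line):
    """Parse one ISE-style syslog line into a dict, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    parts = [p.strip() for p in body.split(",")]
    rec["message"] = parts[0]          # free-text message, e.g. "Authentication failed"
    fields = {}
    for part in parts[1:]:             # remaining pieces are Key=Value attributes
        if "=" in part:
            k, _, v = part.partition("=")
            fields[k.strip()] = v.strip()
    rec["fields"] = fields
    rec["code"] = int(rec["code"])
    return rec


def failed_auth_endpoints(syslog_text, threshold=3):
    """Collect authentication failures per endpoint MAC (Calling-Station-ID).

    Returns (failures, flagged): failures maps MAC -> list of (timestamp, reason);
    flagged is the set of MACs with at least `threshold` failures, which is the
    set an operator would want to investigate or quarantine.
    """
    failures = defaultdict(list)
    for line in syslog_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["code"] != AUTH_FAILED:
            continue                   # ignore non-ISE lines and successful auths
        mac = rec["fields"].get("Calling-Station-ID", "unknown")
        reason = rec["fields"].get("FailureReason", "")
        failures[mac].append((rec["isots"], reason))
    flagged = {mac for mac, events in failures.items() if len(events) >= threshold}
    return dict(failures), flagged


if __name__ == "__main__":
    failures, flagged = failed_auth_endpoints(SAMPLE_SYSLOG)
    for mac, events in failures.items():
        print(f"{mac}: {len(events)} failure(s); last reason: {events[-1][1]}")
    print("flagged endpoints:", sorted(flagged))
```

The threshold and the set of message codes treated as failures are deployment choices; posture-failure records use their own codes and categories, so a production consumer would extend the `code` filter rather than match on message text.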
SRG-NET-000492-NAC-002120
Group