Network Device Management Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be...Rule High Severity -
The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule High Severity -
The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network de...Rule High Severity -
The network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain...Rule Medium Severity -
If the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the ob...Rule Medium Severity -
The network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
The network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granula...Rule Medium Severity -
The network device must audit the enforcement actions used to restrict access associated with changes to the device.
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for...Rule Medium Severity -
The network device must prohibit the use of cached authenticators after an organization-defined time period.
Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be quest...Rule Medium Severity -
The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be ...Rule High Severity -
The network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...Rule Medium Severity -
The network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
The network device must generate log records for a locally developed list of auditable events
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity...Rule Medium Severity -
The network device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With ro...Rule High Severity -
The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configur...Rule Medium Severity -
The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure...Rule Medium Severity -
The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administr...Rule Medium Severity -
The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or the status of their non-repudiation is considerably impacted during forensic ...Rule High Severity -
The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihoo...Rule Medium Severity -
The network device must be configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency for password-based authentication.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.