Network Device Management Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. The network management session lo...Rule Medium Severity -
The network device must be configured to enable network administrators to directly initiate a session lock.
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than being forced to wait f...Rule Medium Severity -
The network device must automatically audit account creation.
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notifica...Rule Medium Severity -
The network device must automatically audit account removal actions.
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will su...Rule Medium Severity -
The network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved autho...Rule Medium Severity -
The network device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message...Rule Medium Severity -
The network device must produce audit log records containing sufficient information to establish what type of event occurred.
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. ...Rule Medium Severity -
The network device must produce audit records containing information to establish when (date and time) the events occurred.
It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment. ...Rule Medium Severity -
The network device must produce audit log records containing information to establish the source of events.
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. The source may be a component, module, or pro...Rule Medium Severity -
The network device must generate audit records containing the full-text recording of privileged commands.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only ...Rule Medium Severity -
The network device must protect audit information from unauthorized modification.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity. If audit data were to become compromised, ...Rule Medium Severity -
The network device must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...Rule Medium Severity -
The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is r...Rule Medium Severity -
The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule High Severity -
The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
To ensure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator i...Rule Medium Severity -
The network device must enforce a minimum 15-character password length.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to d...Rule Medium Severity -
The network device must enforce password complexity by requiring that at least one uppercase character be used.
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...Rule Medium Severity -
The network device must enforce password complexity by requiring that at least one numeric character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
The network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at ...Rule Medium Severity -
The network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...Rule High Severity -
The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be...Rule High Severity -
The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule High Severity -
The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network de...Rule High Severity -
The network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain...Rule Medium Severity -
If the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the ob...Rule Medium Severity -
The network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
The network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granula...Rule Medium Severity -
The network device must audit the enforcement actions used to restrict access associated with changes to the device.
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for...Rule Medium Severity -
The network device must prohibit the use of cached authenticators after an organization-defined time period.
Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be quest...Rule Medium Severity -
The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be ...Rule High Severity -
The network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...Rule Medium Severity -
The network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
The network device must generate log records for a locally developed list of auditable events
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity...Rule Medium Severity -
The network device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With ro...Rule High Severity -
The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configur...Rule Medium Severity -
The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure...Rule Medium Severity -
The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administr...Rule Medium Severity -
The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or the status of their non-repudiation is considerably impacted during forensic ...Rule High Severity -
The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihoo...Rule Medium Severity -
The network device must be configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency for password-based authentication.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity -
The network device must be configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly for password-based authentication.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity -
The network device must be configured to employ automated tools to assist the user in selecting strong password authenticators for password-based authentication.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...Rule Medium Severity -
SRG-APP-000142
Group -
SRG-APP-000170
Group -
SRG-APP-000190
Group -
SRG-APP-000002
Group -
SRG-APP-000003
Group -
The network device must initiate a session lock after a 15-minute period of inactivity.
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user t...Rule Medium Severity -
SRG-APP-000004
Group -
SRG-APP-000005
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.