Network Infrastructure Policy Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.
The ISSM will ensure Releasable Local Area Network (REL LAN) reviews are performed annually.Rule Medium Severity -
NET1826
Group -
Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.
Having a circuit provisioned that connects the SIPRNet enclave to a non-DoD, foreign, or contractor network puts the enclave and the entire SIPRNet at risk. If the termination point is not operated...Rule High Severity -
NET1827
Group -
NET1832
Group -
VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.
When transporting classified data over an unclassified IP network, it is imperative that the network elements deployed to provision the encrypted tunnels are located in a facility authorized to pro...Rule Medium Severity -
NET2000
Group -
NET2001
Group -
Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.
MPLS label exchange via Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP) with any external neighbor creates the risk of label spoofing that could disrupt optimum routing, o...Rule Medium Severity -
NET2002
Group -
Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
Packet loss can occur when an IGP adjacency is established and the router begins forwarding packets using the new adjacency before the LDP label exchange completes between the peers on that link. P...Rule Low Severity -
NET2004
Group -
NET2005
Group -
NET2006
Group -
Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.
PIM is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM operates independent of any particular IP routing protocol but makes use of the IP unicast routing table-...Rule Medium Severity -
NET2007
Group -
A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.
Protocol Independent Multicast (PIM) is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM traffic must be limited to only known PIM neighbors by configuring and b...Rule Low Severity -
NET2008
Group -
The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out of the IP core. The multicast boundary can be created by ensuring that CO...Rule Low Severity -
NET2009
Group -
NET2010
Group -
Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree s...Rule Low Severity -
NET2011
Group -
Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree s...Rule Low Severity -
NET2012
Group -
Multicast register messages must be rate limited per each source-group (S, G) entry.
When a new source starts transmitting in a PIM Sparse Mode network, the DR will encapsulate the multicast packets into register messages and forward them to the Rendezvous Point (RP) using unicast....Rule Medium Severity -
NET2013
Group -
Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.
Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (e.g., someone doing a file download here or there), whereas multicast can have b...Rule Low Severity -
NET2014
Group -
NET2015
Group -
NET2016
Group -
Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
The last-hop router sends the multicast packet out the interface towards the LAN containing interested receivers. The default behavior for a Layer 2 switch is to forward all multicast traffic out e...Rule Low Severity -
NET2017
Group -
First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.
The Layer 2 connection between the nodes providing first-hop redundancy comes up quickly. If the preemption takes effect prior to the routing protocol converging, traffic is black holed. Traffic wi...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.