Network Infrastructure Policy Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
NET2001
<GroupDescription></GroupDescription>Group -
Multi-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.
<VulnDiscussion>MPLS label exchange via Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP) with any external neighbor ...Rule Medium Severity -
NET2002
<GroupDescription></GroupDescription>Group -
Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.
<VulnDiscussion>Packet loss can occur when an IGP adjacency is established and the router begins forwarding packets using the new adjacency b...Rule Low Severity -
NET2004
<GroupDescription></GroupDescription>Group -
Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.
<VulnDiscussion>Spanning Tree Protocol (STP) is implemented on bridges and switches to prevent Layer 2 loops when a broadcast domain spans mu...Rule Low Severity -
NET2005
<GroupDescription></GroupDescription>Group -
A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.
<VulnDiscussion>Different applications have unique requirements and toleration levels for delay, jitter, packet loss, and availability. To ma...Rule Low Severity -
NET2006
<GroupDescription></GroupDescription>Group -
Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.
<VulnDiscussion>PIM is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM operates independent of any parti...Rule Medium Severity -
NET2007
<GroupDescription></GroupDescription>Group -
A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic.
<VulnDiscussion>Protocol Independent Multicast (PIM) is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM ...Rule Low Severity -
NET2008
<GroupDescription></GroupDescription>Group -
The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge.
<VulnDiscussion>A multicast boundary must be established to ensure that administratively-scoped multicast traffic does not flow into or out o...Rule Low Severity -
NET2009
<GroupDescription></GroupDescription>Group -
The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.
<VulnDiscussion>With static RP, the RP address for any multicast group must be consistent across all routers in a multicast domain. A static ...Rule Low Severity -
NET2010
<GroupDescription></GroupDescription>Group -
Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
<VulnDiscussion>Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand...Rule Low Severity -
NET2011
<GroupDescription></GroupDescription>Group -
Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.
<VulnDiscussion>Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand...Rule Low Severity -
NET2012
<GroupDescription></GroupDescription>Group -
Multicast register messages must be rate limited per each source-group (S, G) entry.
<VulnDiscussion>When a new source starts transmitting in a PIM Sparse Mode network, the DR will encapsulate the multicast packets into regist...Rule Medium Severity -
NET2013
<GroupDescription></GroupDescription>Group -
Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.
<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (e.g., so...Rule Low Severity -
NET2014
<GroupDescription></GroupDescription>Group -
The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
<VulnDiscussion>The current multicast paradigm can let any host join any multicast group at any time by sending an Internet Group Management ...Rule Medium Severity -
NET2015
<GroupDescription></GroupDescription>Group -
The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
<VulnDiscussion>Any Source Multicast (ASM) can have many sources for the same groups (many-to-many). For many receivers, the path via the Ren...Rule Medium Severity -
NET2016
<GroupDescription></GroupDescription>Group -
Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.
<VulnDiscussion>The last-hop router sends the multicast packet out the interface towards the LAN containing interested receivers. The default...Rule Low Severity -
NET2017
<GroupDescription></GroupDescription>Group -
First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.
<VulnDiscussion>The Layer 2 connection between the nodes providing first-hop redundancy comes up quickly. If the preemption takes effect prio...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.