II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
-
NET0346
Group -
All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ).
Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many un...Rule Medium Severity -
NET0348
Group -
All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.
Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many un...Rule Medium Severity -
NET0351
Group -
When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ).
The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the a...Rule Medium Severity -
NET0365
Group -
The organization must implement a deep packet inspection solution when protecting perimeter boundaries.
Deep packet inspection (DPI) examines the packet beyond the Layer 4 header by examining the payload to identify the application or service. DPI searches for illegal statements, predefined criteria,...Rule High Severity -
NET0369
Group -
A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or ac...Rule High Severity -
NET0445
Group -
Two-factor authentication must be implemented to restrict access to all network elements.
Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access t...Rule Medium Severity -
NET0810
Group -
Two Network Time Protocol (NTP) servers must be deployed in the management network.
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time i...Rule Low Severity -
NET0928
Group -
A policy must be implemented to keep Bogon/Martian rulesets up to date.
A Bogon route or Martian address is a type of packet that should never be routed inbound through the perimeter device. Bogon routes and Martian addresses are commonly found as the source addresses...Rule Medium Severity -
NET0998
Group -
A dedicated management network must be implemented.
To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block ...Rule Medium Severity -
NET1025
Group -
A minimum of two syslog servers must be deployed in the management network.
Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.