Skip to content
Log In

III - Administrative Public

Rules and Groups employed by this XCCDF Profile

  • NET2012

    Group
    Show

  • Multicast register messages must be rate limited per each source-group (S, G) entry.

    When a new source starts transmitting in a PIM Sparse Mode network, the DR will encapsulate the multicast packets into register messages and forward them to the Rendezvous Point (RP) using unicast....
    Rule Medium Severity
    Show

  • NET2013

    Group
    Show

  • Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization.

    Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (e.g., someone doing a file download here or there), whereas multicast can have b...
    Rule Low Severity
    Show

  • NET2014

    Group
    Show

  • The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.

    The current multicast paradigm can let any host join any multicast group at any time by sending an Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership report ...
    Rule Medium Severity
    Show

  • NET2015

    Group
    Show

  • The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.

    Any Source Multicast (ASM) can have many sources for the same groups (many-to-many). For many receivers, the path via the Rendezvous Point (RP) may not be ideal compared with the shortest path from...
    Rule Medium Severity
    Show

  • NET2016

    Group
    Show

  • Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer.

    The last-hop router sends the multicast packet out the interface towards the LAN containing interested receivers. The default behavior for a Layer 2 switch is to forward all multicast traffic out e...
    Rule Low Severity
    Show

  • NET2017

    Group
    Show

  • First-hop redundancy services must be configured to delay any preempt to provide enough time for the Internet Gateway Protocol (IGP) to stabilize.

    The Layer 2 connection between the nodes providing first-hop redundancy comes up quickly. If the preemption takes effect prior to the routing protocol converging, traffic is black holed. Traffic wi...
    Rule Low Severity
    Show

  • NET0160

    Group
    Show

  • Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).

    Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect ...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules