No profile (default benchmark)
Rules and Groups employed by this XCCDF Profile
-
NET0140
<GroupDescription></GroupDescription>Group -
The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment.
<VulnDiscussion>DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. In...Rule Low Severity -
NET-IDPS-016
<GroupDescription></GroupDescription>Group -
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.
<VulnDiscussion>The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave p...Rule Medium Severity -
NET-IDPS-018
<GroupDescription></GroupDescription>Group -
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.
<VulnDiscussion>Attacks can originate within the enclave boundary. Hence, deploying an IDPS on the network segment hosting web, application, ...Rule Medium Severity -
NET-IDPS-019
<GroupDescription></GroupDescription>Group -
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.
<VulnDiscussion>The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave p...Rule Medium Severity -
NET-IDPS-021
<GroupDescription></GroupDescription>Group -
An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.
<VulnDiscussion>Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8, "DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and pla...Rule Medium Severity -
NET-IDPS-024
<GroupDescription></GroupDescription>Group -
Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.
<VulnDiscussion>User interface services must be physically or logically separated from data storage and management services. Data from IDS se...Rule Medium Severity -
NET-IDPS-025
<GroupDescription></GroupDescription>Group -
Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.
<VulnDiscussion>All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in t...Rule Medium Severity -
NET-IDPS-027
<GroupDescription></GroupDescription>Group -
Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.
<VulnDiscussion>Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt ...Rule Low Severity -
NET-IDPS-029
<GroupDescription></GroupDescription>Group -
If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.
<VulnDiscussion>In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by havin...Rule Medium Severity -
NET-IDPS-030
<GroupDescription></GroupDescription>Group -
If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.
<VulnDiscussion>In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by havin...Rule Medium Severity -
NET-IDPS-031
<GroupDescription></GroupDescription>Group -
The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.
<VulnDiscussion>There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software o...Rule Low Severity -
NET-IDPS-032
<GroupDescription></GroupDescription>Group -
The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.
<VulnDiscussion>There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software o...Rule Low Severity -
NET-IDPS-033
<GroupDescription></GroupDescription>Group -
The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.
<VulnDiscussion>IDPS data needs to be backed up to ensure preservation in the case a loss of data due to hardware failure or malicious activi...Rule Medium Severity -
NET-IDPS-035
<GroupDescription></GroupDescription>Group -
The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.
<VulnDiscussion>Keeping the IDPS software updated with the latest engine and attack signatures will allow for the IDPS to detect all forms of...Rule Low Severity -
NET-TUNL-026
<GroupDescription></GroupDescription>Group -
Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network.
<VulnDiscussion>Allowing encapsulated traffic to bypass the enclave's network perimeter without being filtered and inspected leaves the encla...Rule High Severity -
NET-TUNL-028
<GroupDescription></GroupDescription>Group -
Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.
<VulnDiscussion>CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defen...Rule High Severity -
NET-TUNL-030
<GroupDescription></GroupDescription>Group -
DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure.
<VulnDiscussion>CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defen...Rule High Severity -
NET-TUNL-031
<GroupDescription></GroupDescription>Group -
Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15.
<VulnDiscussion>When transporting classified data over an unclassified IP network, it is imperative that traffic from the classified enclave ...Rule High Severity -
NET-VLAN-001
<GroupDescription></GroupDescription>Group -
The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.
<VulnDiscussion>Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches...Rule Medium Severity -
NET0090
<GroupDescription></GroupDescription>Group -
Network topology diagrams for the enclave must be maintained and up to date at all times.
<VulnDiscussion>To assist in the management, auditing, and security of the network infrastructure facility drawings and topology maps are a n...Rule Medium Severity -
NET0130
<GroupDescription></GroupDescription>Group -
All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.
<VulnDiscussion>Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation...Rule Medium Severity -
NET0131
<GroupDescription></GroupDescription>Group -
Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.
<VulnDiscussion>Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA...Rule Medium Severity -
NET0135
<GroupDescription></GroupDescription>Group -
External connections to the network must be reviewed and the documentation updated semi-annually.
<VulnDiscussion>A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a min...Rule Medium Severity -
NET0168
<GroupDescription></GroupDescription>Group -
If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router.
<VulnDiscussion>The incorrect placement of the external IDPS may allow unauthorized access to go undetected and limit the ability of security...Rule Medium Severity -
NET0170
<GroupDescription></GroupDescription>Group -
External network connections must not bypass the enclaves perimeter security.
<VulnDiscussion>Without taking the proper safeguards, external networks connected to the organization will impose security risks unless prope...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.