III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • Group SRG-NET-000148-VPN-000540
    Rule (Medium Severity): AOS, when used as a VPN Gateway, must uniquely identify all network-connected endpoint devices before establishing a connection.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the d...

  • Group SRG-NET-000343-VPN-001370
    Rule (Medium Severity): AOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection.

    Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), th...

  • Group SRG-NET-000041-VPN-000110
    Rule (Medium Severity): The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network.

    Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Exe...

  • Group SRG-NET-000213-VPN-000720
    Rule (Low Severity): AOS, when used as a VPN Gateway, must terminate all network connections associated with a communications session at the end of the session.

    Idle Transmission Control Protocol (TCP) sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP end...

  • Group SRG-NET-000132-VPN-000480
    Rule (Medium Severity): For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.

    Unlike Generic Routing Encapsulation (GRE) (a simple encapsulating header), L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In ad...