DISA STIG Cisco Firewall v8r25

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Cisco Firewall v8r25

Updated: 9/12/2022

Authority: DISA STIG

Plugin: Cisco

Revision: 1.10

Estimated Item Count: 112

Audit Items

Description / Categories
NET-IPV6-004 - Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-005 - The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3
NET-IPV6-024 - IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. - 2002 inbound

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-024 - IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. - 2002 outbound

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-025 - The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave

CONFIGURATION MANAGEMENT

NET-IPV6-035 - IPv6 Jumbo Payload hop by hop header must be blocked.
NET-IPV6-047 - Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic. - inside IPv6 block in

SYSTEM AND COMMUNICATIONS PROTECTION

NET-IPV6-047 - Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic. - inside IPv6 block out

SYSTEM AND COMMUNICATIONS PROTECTION

NET-SRVFRM-003 - Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.
NET-SRVFRM-004 - The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces between server farms
NET-SRVFRM-005 - The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions hosts can perform on servers
NET-TUNL-013 - L2TP must not pass into the private network of an enclave.
NET-TUNL-020 - Teredo packets must be blocked inbound to the enclave and outbound from the enclave. - 'outside in ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

NET-TUNL-020 - Teredo packets must be blocked inbound to the enclave and outbound from the enclave. - 'outside out ACL'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0230 - Network devices must be password protected. - 'ASDM authentication'

IDENTIFICATION AND AUTHENTICATION

NET0230 - Network devices must be password protected. - 'enable authentication'

IDENTIFICATION AND AUTHENTICATION

NET0230 - Network devices must be password protected. - 'no telnet authentication'

IDENTIFICATION AND AUTHENTICATION

NET0230 - Network devices must be password protected. - 'serial authentication'

IDENTIFICATION AND AUTHENTICATION

NET0230 - Network devices must be password protected. - 'ssh authentication'

IDENTIFICATION AND AUTHENTICATION

NET0240 - Network devices must not have any default manufacturer passwords.
NET0340 - Network devices must display the DoD-approved logon banner warning.

ACCESS CONTROL

NET0366 - The SA must configure the firewall for the minimum content and protocol inspection requirements.
NET0375 - The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.

SYSTEM AND COMMUNICATIONS PROTECTION

NET0377 - The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.
NET0378 - The firewall must not be listening for telnet service. - 'no telnet'

CONFIGURATION MANAGEMENT

NET0378 - The firewall must not be listening for telnet service. - 'open ports'

CONFIGURATION MANAGEMENT

NET0379 - The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the install
NET0380 - The firewall must reject requests for access from loopback address - 'inside in'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0380 - The firewall must reject requests for access from loopback address - 'inside out'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0380 - The firewall must reject requests for access from loopback address - 'mgmt in'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0380 - The firewall must reject requests for access from loopback address - 'mgmt out'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0380 - The firewall must reject requests for access from loopback address - 'outside in'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0380 - The firewall must reject requests for access from loopback address - 'outside out'

SYSTEM AND COMMUNICATIONS PROTECTION

NET0386 - Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more
NET0388 - The network device must dump logs when they reach 75% capacity to a syslog server.

AUDIT AND ACCOUNTABILITY

NET0390 - The network devices must be configured to alert the administrator of a potential attack or system failure.
NET0391 - Critical alerts must be generated and notifications sent to authorized personnel regardless if the person is logged in.
NET0392 - The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in - 'console alerts'

AUDIT AND ACCOUNTABILITY

NET0392 - The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in - 'monitor alerts'

AUDIT AND ACCOUNTABILITY

NET0395 - The ISSO must ensure the alarm message identifying the potential security violation makes accessible the audit record contents
NET0396 - The ISSO must ensure an alert will remain written on the consoles until acknowledged by an administrator.
NET0398 - The ISSO must ensure an acknowledgement message identifying a reference to the potential security violation is logged
NET0405 - A service or feature that calls home to the vendor must be disabled.

ACCESS CONTROL

NET0422 - Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.

IDENTIFICATION AND AUTHENTICATION

NET0433 - Network devices must use two or more authentication servers for the purpose of granting administrative access. - 'AAA server 1'

IDENTIFICATION AND AUTHENTICATION

NET0433 - Network devices must use two or more authentication servers for the purpose of granting administrative access. - 'AAA server 2'

IDENTIFICATION AND AUTHENTICATION

NET0433 - Network devices must use two or more authentication servers for the purpose of granting administrative access. - 'AAA server group'

IDENTIFICATION AND AUTHENTICATION

NET0440 - In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.

ACCESS CONTROL

NET0441 - The emergency administration account must be set to an appropriate authorization level to perform necessary admin functions.

IDENTIFICATION AND AUTHENTICATION

NET0460 - Group accounts must not be configured for use on the network device.

ACCESS CONTROL
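Several of the items above (telnet listening, per-path AAA authentication, two AAA servers, logon banner, loopback/Teredo/6to4 filtering on the perimeter ACL, RA suppression) map to specific lines in a Cisco ASA running-config. The script below is an added example written for this page to show how such a config can be audited offline; it is not Tenable's audit logic and not DISA's check procedure. The embedded configuration is a constructed ASA 9.x-style excerpt (hostname, addresses, the group name TACACS-GRP and the ACL name OUTSIDE_IN are all made up), and the way each STIG ID is translated into a config pattern is this example's own interpretation: any `telnet <ip> <mask> <nameif>` line is treated as telnet listening (NET0378), ASDM authentication is read as `aaa authentication http console` (NET0230), Teredo is blocked as UDP/3544 (NET-TUNL-020), and NET0380 is checked only on the ACL applied inbound on the outside interface.

```python
import re
from collections import defaultdict

# Constructed Cisco ASA running-config excerpt (sample data, not from a real device).
# It is deliberately left non-compliant on telnet so the audit has something to report.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ipv6 enable
 ipv6 nd suppress-ra
interface GigabitEthernet0/1
 nameif inside
 security-level 100
banner motd You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.10.10.11
aaa-server TACACS-GRP (inside) host 10.10.10.12
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
aaa authentication serial console TACACS-GRP LOCAL
aaa authentication http console TACACS-GRP LOCAL
ssh 10.10.0.0 255.255.0.0 inside
telnet 10.10.0.0 255.255.0.0 inside
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny udp any any eq 3544
access-list OUTSIDE_IN extended deny ip 2002::/16 any6
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_IN in interface outside
"""


def parse_interfaces(config):
    """Return {nameif: set(sub-commands)} for every 'interface' block in the config."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"lines": set(), "nameif": None}
            blocks[line.split(None, 1)[1]] = current
        elif current is not None and line.startswith(" "):
            cmd = line.strip()
            current["lines"].add(cmd)
            if cmd.startswith("nameif "):
                current["nameif"] = cmd.split()[1]
        else:
            current = None  # any top-level command ends the interface block
    return {b["nameif"]: b["lines"] for b in blocks.values() if b["nameif"]}


def inbound_acl(config, nameif):
    """Return the ACEs of the ACL bound inbound on the named interface (empty if none)."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(nameif)}$", config, re.M)
    if not m:
        return []
    return [l for l in config.splitlines() if l.startswith(f"access-list {m.group(1)} ")]


def audit(config):
    """Map a subset of the STIG item IDs on this page to True (pass) / False (fail)."""
    findings = {}
    # NET0378: a 'telnet <ip> <mask> <nameif>' line means the device accepts telnet.
    findings["NET0378"] = not re.search(r"^telnet \d+\.\d+\.\d+\.\d+ \S+ \S+$", config, re.M)
    # NET0230: each management path must be tied to an AAA authentication method
    # (http is what ASDM uses; serial is the console port).
    for path in ("ssh", "enable", "serial", "http"):
        findings[f"NET0230/{path}"] = bool(
            re.search(rf"^aaa authentication {path} console \S+", config, re.M))
    # NET0433: the server group used for SSH admin access must contain >= 2 hosts.
    hosts = defaultdict(int)
    for grp in re.findall(r"^aaa-server (\S+) \(\S+\) host ", config, re.M):
        hosts[grp] += 1
    m = re.search(r"^aaa authentication ssh console (\S+)", config, re.M)
    findings["NET0433"] = bool(m) and hosts[m.group(1)] >= 2
    # NET0340: presence of a banner only; the wording itself is not validated here.
    findings["NET0340"] = bool(re.search(r"^banner (motd|login) ", config, re.M))
    # Perimeter filtering, checked on whatever ACL is applied inbound on 'outside'.
    acl = inbound_acl(config, "outside")
    findings["NET0380"] = any(re.search(r"\bdeny ip 127\.0\.0\.0 255\.0\.0\.0 ", l) for l in acl)
    findings["NET-TUNL-020"] = any(re.search(r"\bdeny udp .* eq 3544\b", l) for l in acl)
    findings["NET-IPV6-024"] = any(re.search(r"\bdeny ip 2002::/16 ", l) for l in acl)
    # NET-IPV6-004: an IPv6-enabled external interface must suppress router advertisements.
    ext = parse_interfaces(config).get("outside", set())
    findings["NET-IPV6-004"] = "ipv6 enable" not in ext or "ipv6 nd suppress-ra" in ext
    return findings


def failing(config):
    """Sorted list of item IDs that did not pass."""
    return sorted(item for item, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for item, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```

These are presence checks, which is also roughly what a configuration audit file does: they will not notice that a deny ACE placed after a broad permit is dead, that the banner text differs from the approved wording, or that the loopback deny is missing from the inside and management ACLs that the other NET0380 sub-items cover. Treat a PASS from a script like this as "the expected line exists", not as proof the control is effective.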