| ACLs: Filter for RFC 1918 addresses (10.0.0.0/8) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 1918 addresses (172.16.0.0/12) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 1918 addresses (192.168.0.0/16) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (0.0.0.0/8) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (127.0.0.0/8) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (169.254.0.0/16) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (192.0.0.0/24) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (192.0.2.0/24) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (192.42.172.0/24) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (198.18.0.0/15) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (198.51.100.0/24) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (203.0.113.0/24) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (224.0.0.0/4) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (240.0.0.0/4) | SYSTEM AND COMMUNICATIONS PROTECTION |
| ACLs: Filter for RFC 3330 addresses (255.255.255.255/32) | SYSTEM AND COMMUNICATIONS PROTECTION |
| Authentication: a backup remote authentication server is available | ACCESS CONTROL |
| Authentication: enable remote authentication | IDENTIFICATION AND AUTHENTICATION |
| Authentication: local authentication is available as a last resort | IDENTIFICATION AND AUTHENTICATION |
| Authentication: use a remote authentication server | ACCESS CONTROL |
| BGP: Authenticate peers | ACCESS CONTROL |
| BGP: Disable Capability Negotiation | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for ICMP - dest-unreachable | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for ICMP - echo request | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for ICMP - echo-reply | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for ICMP - source quench | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for ICMP - time exceeded | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for IGMP | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for IGP | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for L2TP | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for PIM | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for RSVP | SYSTEM AND COMMUNICATIONS PROTECTION |
| CPM Filtering: Filter for VRRP | SYSTEM AND COMMUNICATIONS PROTECTION |
| Disable unused network ports | SYSTEM AND COMMUNICATIONS PROTECTION |
| DNS: A trusted primary DNS server is configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| DNS: A trusted secondary DNS server is configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| ICMP: Do not return Proxy ARP requests | SYSTEM AND COMMUNICATIONS PROTECTION |
| ICMP: Do not return redirect messages | SYSTEM AND COMMUNICATIONS PROTECTION |
| ICMP: Do not return unreachable messages | SYSTEM AND COMMUNICATIONS PROTECTION |
| Logging: capture level is set to at least info | AUDIT AND ACCOUNTABILITY |
| Logging: Use an external syslog host | AUDIT AND ACCOUNTABILITY |
| Login: Accounts are locked after 3 failed password attempts | ACCESS CONTROL |
| Login: Configure Pre-login Banner | ACCESS CONTROL |
| Login: Exponential Backoff is set | ACCESS CONTROL |
| Login: FTP is disabled | CONFIGURATION MANAGEMENT |
| Login: Idle connections time out after 5 minutes or less | CONFIGURATION MANAGEMENT |
| Login: ssh - limit consecutive logins to 16 or less | ACCESS CONTROL |
| Login: ssh - v1 is disabled | CONFIGURATION MANAGEMENT |
| Login: ssh - v2 and later is enabled | CONFIGURATION MANAGEMENT |
| Login: SSH is enabled | CONFIGURATION MANAGEMENT |
| Login: Telnet is disabled (IPv4) | CONFIGURATION MANAGEMENT |
