CCI | CCI-004891

Title: Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

Reference Item Details
Reference: CCI - DISA Control Correlation Identifier
Category: 2024

Audit Items
| Name | Plugin | Audit Name |
| --- | --- | --- |
| ARST-L2-000170 - The Arista MLS layer 2 switch must have all disabled switch ports assigned to an unused VLAN. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000180 - The Arista MLS layer 2 switch must not have the default VLAN assigned to any host-facing switch ports. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000190 - The Arista MLS layer 2 switch must have the default VLAN pruned from all trunk ports that do not require it. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000210 - The Arista MLS layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000220 - The Arista MLS layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000230 - The Arista MLS layer 2 switch must not have any switch ports assigned to the native VLAN. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - ACL | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - Interface | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - ACL | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - Interface | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1 |
| CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1 |
| CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco | DISA STIG Cisco IOS Router RTR v3r1 |
| CISC-RT-000450 - The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1 |
| CISC-RT-000450 - The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | Cisco | DISA STIG Cisco IOS Switch RTR v3r1 |
| JUEX-L2-000190 - The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-L2-000200 - The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-L2-000220 - The Juniper EX switch must not use the default VLAN for management traffic. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-RT-000460 - The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000490 - The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000920 - The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000930 - The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000960 - The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUNI-RT-000390 - The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel - IPsec | Juniper | DISA STIG Juniper Router RTR v3r1 |
| JUNI-RT-000390 - The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel - Mgmt | Juniper | DISA STIG Juniper Router RTR v3r1 |
| JUSX-AG-000019 - For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-AG-000126 - The Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-VN-000005 - The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| JUSX-VN-000007 - The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| PANW-AG-000107 - The Palo Alto Networks security platform must only allow incoming communications from organization-defined authorized sources forwarded to organization-defined authorized destinations. | Palo_Alto | DISA STIG Palo Alto ALG v3r1 |