CCI|CCI-004891

Title

Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

Reference Item Details

Category: 2024

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| ARST-L2-000170 - The Arista MLS layer 2 switch must have all disabled switch ports assigned to an unused VLAN. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000180 - The Arista MLS layer 2 switch must not have the default VLAN assigned to any host-facing switch ports. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000190 - The Arista MLS layer 2 switch must have the default VLAN pruned from all trunk ports that do not require it. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000210 - The Arista MLS layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000220 - The Arista MLS layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| ARST-L2-000230 - The Arista MLS layer 2 switch must not have any switch ports assigned to the native VLAN. | Arista | DISA STIG Arista MLS EOS 4.2x L2S v2r1 |
| CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - ACL | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - Interface | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - ACL | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - Interface | Cisco | DISA STIG Cisco ASA FW v2r1 |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000210 - The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000220 - The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000250 - The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco | DISA STIG Cisco IOS XE Switch L2S v3r1 |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco | DISA STIG Cisco NX-OS Switch L2S v3r1 |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco | DISA STIG Cisco IOS Switch L2S v3r1 |
| CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco | DISA STIG Cisco IOS XE Router RTR v3r1 |
| CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco | DISA STIG Cisco IOS-XR Router RTR v3r1 |
| CISC-RT-000400 - The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco | DISA STIG Cisco IOS Router RTR v3r1 |
| CISC-RT-000450 - The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | Cisco | DISA STIG Cisco IOS XE Switch RTR v3r1 |
| CISC-RT-000450 - The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | Cisco | DISA STIG Cisco IOS Switch RTR v3r1 |
| JUEX-L2-000190 - The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-L2-000200 - The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-L2-000220 - The Juniper EX switch must not use the default VLAN for management traffic. | Juniper | DISA Juniper EX Series Layer 2 Switch v2r1 |
| JUEX-RT-000460 - The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000490 - The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000920 - The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000930 - The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | Juniper | DISA Juniper EX Series Router v2r1 |
| JUEX-RT-000960 - The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | Juniper | DISA Juniper EX Series Router v2r1 |
| JUNI-RT-000390 - The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel - IPsec | Juniper | DISA STIG Juniper Router RTR v3r1 |
| JUNI-RT-000390 - The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel - Mgmt | Juniper | DISA STIG Juniper Router RTR v3r1 |
| JUSX-AG-000019 - For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-AG-000126 - The Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Juniper | DISA Juniper SRX Services Gateway ALG v3r1 |
| JUSX-VN-000005 - The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| JUSX-VN-000007 - The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1 |
| PANW-AG-000107 - The Palo Alto Networks security platform must only allow incoming communications from organization-defined authorized sources forwarded to organization-defined authorized destinations. | Palo_Alto | DISA STIG Palo Alto ALG v3r1 |