CSCv7|12

Title

Boundary Defense

Reference Item Details

Category: Boundary Defense

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Use a Split-Horizon ArchitectureUnixCIS BIND DNS v1.0.0 L1 Authoritative Name Server
1.1 Use a Split-Horizon ArchitectureUnixCIS BIND DNS v1.0.0 L1 Caching Only Name Server
3.5 Ensure proxy-arp is disabledJuniperCIS Juniper OS Benchmark v2.1.0 L2
3.6 Ensure ICMP Redirects are set to disabled (on all untrusted IPv4 networks)JuniperCIS Juniper OS Benchmark v2.1.0 L1
3.7 Ensure ICMP Redirects are set to disabled (on all untrusted IPv6 networks)JuniperCIS Juniper OS Benchmark v2.1.0 L1
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourlyPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
4.1.4 Ensure Bogon Filtering is set (where EBGP is used)JuniperCIS Juniper OS Benchmark v2.1.0 L2
4.1.5 Ensure Ingress Filtering is set for EBGP peersJuniperCIS Juniper OS Benchmark v2.1.0 L1
4.1.6 Ensure RPKI is set for Origin Validation of EBGP peersJuniperCIS Juniper OS Benchmark v2.1.0 L2
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervalsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervalsPalo_AltoCIS Palo Alto Firewall 9 v1.1.0 L1
4.6.1 Create administrative boundaries between resources using namespacesGCPCIS Google Kubernetes Engine (GKE) v1.6.1 L1
5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minutePalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
5.7.1 Create administrative boundaries between resources using namespacesUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.7.1 Create administrative boundaries between resources using namespacesUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.7.1 Create administrative boundaries between resources using namespacesUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zonesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actionsPalo_AltoCIS Palo Alto Firewall 9 v1.1.0 L1
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packetsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packetsPalo_AltoCIS Palo Alto Firewall 9 v1.1.0 L1
7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources ExistsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Invalid CategoriesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - PoliciesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLSPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0