| ID | Name | Description |
| --- | --- | --- |
| FW205 | Check that no rules are configured with both 'Service & Applications' set to 'Any' and 'Action' set to 'Accept' | A Service of 'Any' should not be used in any rule that allows traffic. Create security policies that specify the required services and ports. We strongly recommend that you do not select 'Any' in the 'Service & Applications' column; in particular, never allow any service when the Action is 'Accept'. |
| OS130 | Check that the password contains at least 12 characters | Password strength is a measure of how well a password resists guessing and brute-force attacks, and is a function of length, complexity and unpredictability. We recommend a minimum password length of 12 characters. |
| OS131 | Check that the password complexity requires four character types | Password strength is a function of length, complexity and unpredictability. We recommend requiring upper-case letters, lower-case letters, numbers and special characters. |
| OS132 | Check that the password expiration value is set to a maximum of 365 days | Password strength is a function of length, complexity and unpredictability, but even a strong password can be compromised. We recommend setting the password expiration value to at most 365 days, depending on your environment, so that a compromised password gives an attacker only a limited window of access to your network resources. |
| OS133 | Check that the password history is enabled | The longer the same password is used for an account, the greater the chance that an attacker will recover it through brute-force attacks. If users are required to change their password but can still reuse an old one, the effectiveness of the expiration policy is greatly reduced. Enable password history so that previous passwords are remembered and rejected. |
| OS134 | Check that the password history prohibits password reuse for a minimum of 3 generations | The longer the same password is used for an account, the greater the chance that an attacker will recover it through brute-force attacks. If users are required to change their password but can still reuse an old one, the effectiveness of the expiration policy is greatly reduced. We recommend prohibiting reuse for at least 3 generations. A history length has no effect unless password history itself is enabled (OS133). |
| OS135 | Check that the hashing algorithm for password storage is enabled | Passwords must be stored only in hashed form. This guards against someone who gains unauthorized access to the password database being able to recover the password of every user in the system. We recommend the strongest hashing algorithm the platform supports. |
| OS150 | Check that there are defined TACACS+ Server IP address and key for authentication | TACACS+ is a security application that provides centralized authentication of users attempting to gain access to a router, firewall or network access server. We recommend defining the TACACS+ server IP address and shared key so that administrator logins are authenticated centrally rather than against local accounts only. |
| OS155 | Check that only permitted IP addresses are allowed to access and manage the firewall via SSH and HTTPS | By default, each management service (SSH and HTTPS) accepts connections from any IP address. Restrict each service so that it accepts connections only from your management subnet, and allow only the permitted IP addresses to access and manage the firewall via SSH and HTTPS. |
| OS160 | Check that SNMP agent usage is enabled | SNMP monitoring is useful for anyone responsible for servers and network devices such as hosts, routers, hubs and switches. It lets you track network and bandwidth usage, uptime and traffic levels. We recommend that you use SNMP polling. |
| OS161 | Check that the SNMP agent version is set to v3 | SNMPv3 adds cryptographic security (authentication and encryption) as well as new concepts, terminology, remote-configuration enhancements and textual conventions; SNMPv1 and SNMPv2c protect the agent with nothing more than a cleartext community string. We therefore recommend SNMPv3 polling only. |
| OS162 | Check that the SNMP traps are configured to generate SNMP traps for system, traffic, or threat logs | You can use logging and SNMP traps to be notified of events as they happen rather than waiting for the next poll. For example, both the primary and subordinate units of a cluster can be configured to write log messages and send SNMP traps if a failover occurs. |
| OS163 | Check that the SNMP 'clusterXLFailover' trap is defined | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. We recommend that you enable the 'clusterXLFailover' trap. |
| OS164 | Check that the SNMP 'fanFailure' trap is defined | You can use logging and SNMP to monitor fan status. If a fan fails, the trap lets you address the problem immediately, before the unit overheats. |
| OS165 | Check that the SNMP 'lowDiskSpace' trap is defined | You can use logging and SNMP to monitor disk-space status. If disk space runs low, the trap lets you address it immediately, before logging stops or the system fails. |
| OS170 | Check that Advanced Routing for OSPF is configured | OSPF (Open Shortest Path First) is a widely used link-state routing protocol in which network devices exchange link-state information to build a complete topology database. |
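The rulebase check FW205 above, implemented as an added example (this is not the page's or any vendor's code): the audit walks an exported rulebase and reports every enabled rule that accepts traffic with 'Service & Applications' set to Any. It also flags, separately, the stricter any-source/any-destination/any-service Accept case, which goes beyond the check as stated. The rulebase format (a list of dicts with `name`, `source`, `destination`, `service`, `action` and `enabled` keys) and the sample rules are assumptions constructed for the example; map your own policy export onto that shape.

```python
"""Audit an access-control rulebase for rules that accept 'Any' service (FW205).

Added example for this page; not from the page or any vendor tool.
The rulebase format (list of dicts) is an assumption made for the example.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Finding:
    rule_no: int
    rule_name: str
    check: str
    detail: str


def _is_any(values) -> bool:
    """True if the column is 'Any' (or empty, which most UIs render as Any)."""
    if not values:
        return True
    return any(str(v).strip().lower() == ANY for v in values)


def audit_rulebase(rules):
    """Return findings for rules that match FW205 (Service Any + Action Accept).

    Also flags the stricter 'any-any-any-accept' case, where source and
    destination are Any as well, as a separate finding, since such a rule
    effectively switches the firewall off for the traffic it covers.
    Disabled rules and non-Accept actions (Drop, Reject) are ignored.
    """
    findings = []
    for no, rule in enumerate(rules, start=1):
        if rule.get("enabled", True) is False:
            continue  # disabled rules do not pass traffic
        if str(rule.get("action", "")).strip().lower() != "accept":
            continue
        if not _is_any(rule.get("service")):
            continue
        name = rule.get("name", f"rule-{no}")
        findings.append(Finding(no, name, "FW205",
                                "Action=Accept with Service & Applications=Any"))
        if _is_any(rule.get("source")) and _is_any(rule.get("destination")):
            findings.append(Finding(no, name, "FW205-any-any",
                                    "Source, Destination and Service are all Any"))
    return findings


# Constructed sample rulebase for demonstration (not a real policy export).
SAMPLE_RULES = [
    {"name": "mgmt-ssh", "source": ["Mgmt_Net"], "destination": ["FW-Gateway"],
     "service": ["ssh"], "action": "Accept"},
    {"name": "allow-web-out", "source": ["Internal_Net"], "destination": ["Any"],
     "service": ["Any"], "action": "Accept"},
    {"name": "temp-debug", "source": ["Any"], "destination": ["Any"],
     "service": ["Any"], "action": "Accept", "enabled": False},
    {"name": "catch-all", "source": ["Any"], "destination": ["Any"],
     "service": ["Any"], "action": "Accept"},
    {"name": "cleanup", "source": ["Any"], "destination": ["Any"],
     "service": ["Any"], "action": "Drop"},
]

if __name__ == "__main__":
    for f in audit_rulebase(SAMPLE_RULES):
        print(f"rule {f.rule_no} ({f.rule_name}): {f.check}: {f.detail}")
```

Run against the constructed rulebase this reports rule 2 (Any service, but a specific source) once and rule 4 twice; the disabled rule 3 and the Drop cleanup rule are not reported, because neither passes traffic.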
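The password-policy checks OS130 to OS135 above, evaluated against a configuration dump as an added example (not the page's or any vendor's code). The input lines follow a generic `set password-controls <key> <value>` shape; the key names, the two sample configurations and the list of acceptable hash algorithms are assumptions constructed for this example, so map them onto whatever your platform's configuration output actually prints. The weak sample shows a point the table makes under OS134: a history length configured while history checking is off enforces nothing.

```python
"""Evaluate password-policy checks OS130-OS135 against a configuration dump.

Added example; not from the page or any vendor tool. The line format and
key names below are an assumption made for the example.
"""
import re

# Thresholds taken from the checks in the table.
MIN_LENGTH = 12            # OS130
MIN_COMPLEXITY = 4         # OS131: four character classes
MAX_EXPIRATION_DAYS = 365  # OS132
MIN_HISTORY = 3            # OS134
# Hash algorithms accepted for stored passwords (OS135); an assumption.
STRONG_HASHES = {"sha256", "sha512"}

LINE_RE = re.compile(r"^set password-controls (\S+) (\S+)$")


def parse_password_controls(config_text: str) -> dict:
    """Extract 'set password-controls <key> <value>' lines into a dict."""
    settings = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def _as_int(settings, key, default=0):
    """Integer view of a setting; non-numeric values such as 'never' map to default."""
    try:
        return int(settings.get(key, default))
    except ValueError:
        return default


def check_password_controls(settings: dict) -> dict:
    """Return {check_id: (passed, detail)} for OS130..OS135.

    Missing keys are treated as failing: a policy that is not set is not
    enforced, and that is the state an auditor should report.
    """
    results = {}
    length = _as_int(settings, "min-password-length")
    results["OS130"] = (length >= MIN_LENGTH, f"min-password-length={length}")
    complexity = _as_int(settings, "complexity")
    results["OS131"] = (complexity >= MIN_COMPLEXITY, f"complexity={complexity}")
    # 0 or 'never' means passwords never expire, which fails OS132.
    exp_raw = settings.get("password-expiration", "never")
    exp_days = _as_int(settings, "password-expiration")
    results["OS132"] = (0 < exp_days <= MAX_EXPIRATION_DAYS,
                        f"password-expiration={exp_raw}")
    history_on = settings.get("history-checking", "off").lower() == "on"
    results["OS133"] = (history_on, f"history-checking={'on' if history_on else 'off'}")
    history_len = _as_int(settings, "history-length")
    # A history length only counts when history checking is actually on.
    results["OS134"] = (history_on and history_len >= MIN_HISTORY,
                        f"history-length={history_len}")
    hash_type = settings.get("password-hash-type", "").lower()
    results["OS135"] = (hash_type in STRONG_HASHES,
                        f"password-hash-type={hash_type or 'unset'}")
    return results


# Constructed sample: a weak policy as an auditor might find it.
WEAK_CONFIG = """\
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls password-expiration never
set password-controls history-checking off
set password-controls history-length 10
"""

# The same settings corrected to satisfy OS130-OS135.
HARDENED_CONFIG = """\
set password-controls min-password-length 14
set password-controls complexity 4
set password-controls password-expiration 365
set password-controls history-checking on
set password-controls history-length 10
set password-controls password-hash-type SHA512
"""


def failing_checks(config_text: str) -> list:
    """IDs of the checks that fail for a configuration dump, sorted."""
    results = check_password_controls(parse_password_controls(config_text))
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failing {failing_checks(cfg) or 'none'}")
```

The weak sample fails all six checks, including OS134 despite its `history-length 10`, because history checking is off; the hardened sample passes all of them.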
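The management-plane checks OS150, OS155 and OS160 to OS165 above, evaluated together as one added example (not the page's or any vendor's code). The device configuration is modelled as a plain dict constructed for the example rather than as a particular CLI's output; the three trap names come from the table, while the dict keys, the management subnet and the sample values are assumptions. The allowed-client check goes slightly beyond OS155 as stated: besides rejecting an 'any' entry it verifies that every permitted address actually lies inside the management subnet you pass in.

```python
"""Evaluate management-plane checks OS150, OS155 and OS160-OS165.

Added example; not from the page or any vendor tool. The configuration
dict layout, the sample values and the management subnet are assumptions.
"""
import ipaddress

REQUIRED_TRAPS = {"clusterXLFailover", "fanFailure", "lowDiskSpace"}  # OS163-OS165


def _parse_net(entry: str):
    """Return an ip_network for an allowed-client entry, or None if it means 'any'."""
    e = entry.strip().lower()
    if e in ("any", "any-host", "0.0.0.0/0", "::/0"):
        return None
    return ipaddress.ip_network(entry, strict=False)


def check_allowed_clients(entries, mgmt_nets):
    """OS155: every allowed client must lie inside a management network.

    An empty list is treated as 'no restriction' because, as the table
    notes, the default is to accept connections from every address.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    if not entries:
        return False, "no allowed-client restriction configured"
    bad = []
    for entry in entries:
        net = _parse_net(entry)
        if net is None or not any(net.version == m.version and net.subnet_of(m)
                                  for m in nets):
            bad.append(entry)
    return (not bad), ("ok" if not bad else f"outside management subnet: {bad}")


def check_tacacs(servers):
    """OS150: at least one TACACS+ server with both an address and a shared key."""
    good = [s for s in servers if s.get("ip") and s.get("key")]
    return bool(good), f"{len(good)} usable TACACS+ server(s)"


def check_snmp(snmp):
    """OS160-OS165 as a dict of {check_id: (passed, detail)}."""
    agent_on = bool(snmp.get("agent"))
    version = str(snmp.get("version", "")).lower()
    traps = set(snmp.get("traps", []))
    return {
        "OS160": (agent_on, f"agent={'on' if agent_on else 'off'}"),
        # Require v3 only: a mixed v1/v2c/v3 agent still answers cleartext v2c requests.
        "OS161": (agent_on and version == "v3", f"version={version or 'unset'}"),
        "OS162": (agent_on and bool(traps), f"{len(traps)} trap(s) configured"),
        "OS163": ("clusterXLFailover" in traps, "clusterXLFailover"),
        "OS164": ("fanFailure" in traps, "fanFailure"),
        "OS165": ("lowDiskSpace" in traps, "lowDiskSpace"),
    }


def failing_mgmt_checks(cfg, mgmt_nets):
    """IDs of the failing checks for a management configuration dict, sorted."""
    results = {
        "OS150": check_tacacs(cfg.get("tacacs_servers", [])),
        "OS155": check_allowed_clients(cfg.get("allowed_clients", []), mgmt_nets),
    }
    results.update(check_snmp(cfg.get("snmp", {})))
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


MGMT_NETS = ["10.10.0.0/24"]  # constructed management subnet

# Constructed 'as found' configuration with the weaknesses the checks target.
WEAK_CFG = {
    "allowed_clients": ["any-host", "10.10.0.5"],
    "tacacs_servers": [{"ip": "10.10.0.9", "key": ""}],  # key never set
    "snmp": {"agent": True, "version": "v2c", "traps": ["fanFailure"]},
}

# The same configuration brought into line with the checks.
HARDENED_CFG = {
    "allowed_clients": ["10.10.0.0/24"],
    "tacacs_servers": [{"ip": "10.10.0.9", "key": "<shared secret>"}],
    "snmp": {"agent": True, "version": "v3",
             "traps": ["clusterXLFailover", "fanFailure", "lowDiskSpace"]},
}

if __name__ == "__main__":
    print("weak:", failing_mgmt_checks(WEAK_CFG, MGMT_NETS))
    print("hardened:", failing_mgmt_checks(HARDENED_CFG, MGMT_NETS))
```

On the weak sample the failing checks are OS150 (server without a key), OS155 (the `any-host` entry), OS161 (agent still speaking v2c) and the two missing traps OS163 and OS165; OS160, OS162 and OS164 pass because the agent is on and at least one trap is defined.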