{ "name": "stig_free_space_optics_device", "date": "2013-03-14", "description": "This STIG contains the technical security controls for the operation of a Free Space Optics Device in the DoD environment.", "title": "Free Space Optics Device Security Technical Implementation Guide (STIG)", "version": "6", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-14671", "title": "The network element must authenticate all NTP messages received from NTP servers and peers.", "description": "Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. \n\nTwo NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka “symmetric mode”). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client’s stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers.\n\nA hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device looses connectivity to it upstream NTP server, it will be able to choose time from one of its peers. \n\nThe NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It’s not used to authenticate NTP clients because NTP servers don’t care about the authenticity of their clients, as they never accept any time from them. \n", "severity": "medium" }, { "id": "V-14717", "title": "The network element must not allow SSH Version 1 to be used for administrative access.", "description": "SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. ", "severity": "medium" }, { "id": "V-14886", "title": "Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.", "description": "If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires an additional layer of protection exist between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.\nSee diagram in checklist. \n", "severity": "medium" }, { "id": "V-14891", "title": "FIPS 140-2 validated encryption modules must be used to secure data in transit between free space optical (FSO) communication devices", "description": "Encryption is required to protect the confidentiality and integrity of the transmitted data.", "severity": "medium" }, { "id": "V-17821", "title": "The network element’s OOBM interface must be configured with an OOBM network address.", "description": "The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.", "severity": "medium" }, { "id": "V-17822", "title": "The network elements management interface must be configured with both an ingress and egress ACL.", "description": "The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.\n\nAn OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.", "severity": "medium" }, { "id": "V-23747", "title": "The network element must use two or more NTP servers to synchronize time.", "description": "Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network elements to synchronize to an accurate time source.", "severity": "low" }, { "id": "V-28784", "title": "A service or feature that calls home to the vendor must be disabled. \n", "description": "Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.", "severity": "medium" }, { "id": "V-3014", "title": "The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.", "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network element and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network element as well as reduce the risk of a management session from being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.", "severity": "medium" }, { "id": "V-3056", "title": "Group accounts must not be configured or used for administrative access.\n", "description": "Group accounts on any device are strictly prohibited. If these group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.", "severity": "high" }, { "id": "V-3057", "title": "The network element must have all user accounts assigned to the lowest privilege level that allows each administrator to perform his or her duties.\n\n", "description": "By not restricting administrators and operations personnel to their proper privilege levels, access to restricted functions may be allowed before they are trained or experienced enough to use those functions. Network disruptions or outages could be caused by mistakes made by inexperienced administrators.", "severity": "medium" }, { "id": "V-3069", "title": "The network element must only allow management connections for administrative access using FIPS 140-2 validated encryption algorithms or protocols.", "description": "Remote administration using non-FIPS 140-2 validated encryption is inherently dangerous because anyone with a sniffer and access to the right LAN segment can acquire the device's account and password information. With this intercepted information they could gain access to the device and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.", "severity": "medium" }, { "id": "V-3070", "title": "The network element must log all attempts to establish a management connection for administrative access.", "description": "Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.", "severity": "low" }, { "id": "V-3143", "title": "The network element must not have any default manufacturer passwords.", "description": "Network elements not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well known; hence, not removing them prior to deploying the network element into production provides an opportunity for a malicious user to gain unauthorized access to the device.", "severity": "high" }, { "id": "V-3175", "title": "The network device must require authentication prior to establishing a management connection for administrative access.", "description": "Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.", "severity": "high" }, { "id": "V-3210", "title": "The network element must not use the default or well-known SNMP community strings public and private.", "description": "Network elements may be distributed by the vendor pre-configured with an SNMP agent using the well known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network element using the read community string \"public\". In addition, an attacker can change a system configuration using the write community string \"private\".", "severity": "high" }, { "id": "V-3967", "title": "The network element must time out access to the console port after 10 minutes or less of inactivity.", "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network element. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.", "severity": "medium" }, { "id": "V-4582", "title": "The network device must require authentication for console access.", "description": "Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.", "severity": "high" }, { "id": "V-5611", "title": "The network element must only allow management connections for administrative access from hosts residing in the management network.", "description": "Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment, could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.", "severity": "medium" }, { "id": "V-5612", "title": "The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.", "description": "An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network element.", "severity": "medium" }, { "id": "V-5613", "title": "The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface. ", "description": "An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.", "severity": "medium" }, { "id": "V-7011", "title": "The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.", "description": "The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network.\n\nSecured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.", "severity": "low" } ] }