UNCLASSIFIED


added initial firewall check script in python

Closed Frederick Ulrich requested to merge frederick.r.ulrich/saltstack:master into master
2 files, +928 −0
Files: 2, +148 −0
## Firewall Rules
[ ] Rule V-3000: The network device must log all interface access control lists (ACL) deny statements.
[ ] Rule V-3008: The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.
[ ] Rule V-3012: Network devices must be password protected.
[ ] Rule V-3013: Network devices must display the DoD-approved logon banner warning.
[ ] Rule V-3014: The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
[ ] Rule V-3020: Network devices must have DNS servers defined if they are configured as client resolvers.
[ ] Rule V-3021: Network devices must only allow SNMP access from addresses belonging to the management network.
[ ] Rule V-3043: The network device must use different SNMP community names or groups for various levels of read and write access.
[ ] Rule V-3054: The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.
[ ] Rule V-3056: Group accounts must not be configured for use on the network device.
[ ] Rule V-3057: Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
[ ] Rule V-3058: Unauthorized accounts must not be configured for access to the network device.
[ ] Rule V-3062: Network devices must be configured to ensure passwords are not viewable when displaying configuration information.
[ ] Rule V-3069: Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
[ ] Rule V-3070: Network devices must log all attempts to establish a management connection for administrative access.
[ ] Rule V-3085: Network devices must have HTTP service for administrative access disabled.
[ ] Rule V-3143: Network devices must not have any default manufacturer passwords.
[ ] Rule V-3156: The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
[ ] Rule V-3160: Network devices must be running a current and supported operating system with all IAVMs addressed.
[ ] Rule V-3175: The network device must require authentication prior to establishing a management connection for administrative access.
[ ] Rule V-3176: The network devices must be configured to alert the administrator of a potential attack or system failure.
[ ] Rule V-3178: Administrator logons, changes to the administrator group, and account lockouts must be logged.
[ ] Rule V-3196: The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
[ ] Rule V-3210: The network device must not use the default or well-known SNMP community strings public and private.
[ ] Rule V-3966: In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
[ ] Rule V-3967: The network devices must time out access to the console port at 10 minutes or less of inactivity.
[ ] Rule V-3969: Network devices must only allow SNMP read-only access.
[ ] Rule V-3982: L2TP must not pass into the private network of an enclave.
[ ] Rule V-4582: The network device must require authentication for console access.
[ ] Rule V-4619: The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the installation of the firewall product.
[ ] Rule V-5611: The network devices must only allow management connections for administrative access from hosts residing in the management network.
[ ] Rule V-5612: The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
[ ] Rule V-5613: The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
[ ] Rule V-5646: The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
[ ] Rule V-5731: The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.
[ ] Rule V-7011: The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
[ ] Rule V-14637: Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.
[ ] Rule V-14643: The SA must configure the firewall for the minimum content and protocol inspection requirements.
[ ] Rule V-14644: The firewall must reject requests for access or services where the source address received by the firewall specifies a loopback address.
[ ] Rule V-14646: Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.
[ ] Rule V-14647: The network device must dump logs when they reach 75% capacity to a syslog server.
[ ] Rule V-14648: Critical alerts must be generated and notifications sent to authorized personnel regardless if the person is logged in.
[ ] Rule V-14649: The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged.
[ ] Rule V-14653: The ISSO must ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s).
[ ] Rule V-14655: The ISSO must ensure an alert will remain written on the consoles until acknowledged by an administrator.
[ ] Rule V-14656: The ISSO must ensure an acknowledgement message identifying a reference to the potential security violation is logged and it contains a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm.
[ ] Rule V-14667: Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
[ ] Rule V-14671: Network devices must authenticate all NTP messages received from NTP servers and peers.
[ ] Rule V-14693: The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.
[ ] Rule V-14717: The network device must not allow SSH Version 1 to be used for administrative access.
[ ] Rule V-15294: Teredo packets must be blocked inbound to the enclave and outbound from the enclave.
[ ] Rule V-15296: Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic.
[ ] Rule V-15432: Network devices must use two or more authentication servers for the purpose of granting administrative access.
[ ] Rule V-15434: The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
[ ] Rule V-17754: Management traffic is not restricted to only the authorized management packets based on destination and source IP address.
[ ] Rule V-17814: Gateway configuration at the remote VPN end-point is not a mirror of the local gateway.
[ ] Rule V-17821: The network device's OOBM interface must be configured with an OOBM network address.
[ ] Rule V-17822: The network device's management interface must be configured with both an ingress and egress ACL.
[ ] Rule V-17823: The management interface must be configured as passive for the IGP instance deployed in the managed network.
[ ] Rule V-17830: The firewall located behind the premise router must be configured to block all outbound management traffic.
[ ] Rule V-17835: Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.
[ ] Rule V-18522: Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.
[ ] Rule V-18523: The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.
[ ] Rule V-18525: The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.
[ ] Rule V-18608: IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter.
[ ] Rule V-18815: IPv6 Jumbo Payload hop by hop header must be blocked.
[ ] Rule V-23747: Network devices must use at least two NTP servers to synchronize time.
[ ] Rule V-25037: The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attack caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic.
[ ] Rule V-25890: Network device logs must be timestamped.
[ ] Rule V-25891: Network device logs must include source IP, destination IP, port, protocol used and action taken.
[ ] Rule V-28784: A service or feature that calls home to the vendor must be disabled.
[ ] Rule V-30638: The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance.
[ ] Rule V-72881: The firewall must not be listening for telnet service.
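As an added example (not the check script from this merge request), a minimal Python checker for five of the rules above, V-3014, V-3085, V-3210, V-14717 and V-72881, run over a constructed Cisco-IOS-style running configuration. The IOS command syntax is an assumption, since the page does not name the device type; other rules in the list would need their own parsers.

```python
import re

# Constructed sample config (IOS-style syntax assumed); it fails several rules.
SAMPLE_CONFIG = """\
ip http server
ip ssh version 1
snmp-server community public RO
snmp-server community s3cr3t-rw RW
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
"""

def vty_blocks(lines):
    """Yield the indented sub-commands under each 'line vty' stanza."""
    block = None
    for ln in lines:
        if ln.startswith("line "):
            if block is not None:
                yield block
            block = [] if ln.startswith("line vty") else None
        elif block is not None and ln.startswith(" "):
            block.append(ln.strip())
    if block is not None:
        yield block

def check_config(text):
    """Return sorted (rule_id, message) findings for the rules handled here."""
    lines = text.splitlines()
    findings = []
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in ("public", "private"):  # V-3210
            findings.append(("V-3210", f"well-known SNMP community '{m.group(1)}'"))
        if ln.strip() == "ip http server":  # V-3085
            findings.append(("V-3085", "HTTP service for admin access enabled"))
    if "ip ssh version 2" not in lines:  # V-14717: only SSHv2 may be used
        findings.append(("V-14717", "SSH version 2 not enforced"))
    for blk in vty_blocks(lines):
        to = next((b for b in blk if b.startswith("exec-timeout")), None)
        mins = int(to.split()[1]) if to else None
        if mins is None or mins == 0 or mins > 10:  # V-3014 ('0 0' = never)
            findings.append(("V-3014", f"vty exec-timeout {mins} not <= 10 min"))
        if any(b.startswith("transport input") and "telnet" in b for b in blk):
            findings.append(("V-72881", "telnet accepted on vty lines"))
    return sorted(findings)
```

`check_config(SAMPLE_CONFIG)` returns one finding per failed rule; a config that passes all five returns an empty list, which makes the function easy to wire into a CI gate.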