STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SC-7 — Boundary Protection

CCI-001097

Definition

Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.

Parent Control

SC-7Boundary ProtectionSystem and Communications Protection

Linked STIG Checks (182)

V-220133CAT IIThe Arista Multilayer Switch must configure the maximum hop limit value to at least 32.Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide V-256016CAT IThe Arista router must be configured to restrict traffic destined to itself.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256017CAT IIThe Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256018CAT IIThe Arista perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256019CAT IIThe Arista perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256020CAT IIThe Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256021CAT IThe Arista router must be configured to block any traffic that is destined to IP core infrastructure.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256022CAT IIThe Arista router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256023CAT IIThe out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256024CAT IIThe out-of-band management (OOBM) Arista gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256025CAT IIThe Arista router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256044CAT IIThe Arista perimeter router must be configured to block all outbound management traffic.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256016CAT IThe Arista router must be configured to restrict traffic destined to itself.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256017CAT IIThe Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256018CAT IIThe Arista perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256019CAT IIThe Arista perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256020CAT IIThe Arista BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256021CAT IThe Arista router must be configured to block any traffic that is destined to IP core infrastructure.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256022CAT IIThe Arista router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256023CAT IIThe out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256024CAT IIThe out-of-band management (OOBM) Arista gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256025CAT IIThe Arista router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256044CAT IIThe Arista perimeter router must be configured to block all outbound management traffic.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-272079CAT IIThe Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Cisco ACI Router Security Technical Implementation Guide V-272081CAT IIThe Cisco ACI must be configured to only permit management traffic that ingresses and egresses the OOBM interface.Cisco ACI Router Security Technical Implementation Guide V-239861CAT IIThe Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.Cisco ASA Firewall Security Technical Implementation Guide V-216560CAT IThe Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.Cisco IOS Router RTR Security Technical Implementation Guide V-216580CAT IIThe Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Cisco IOS Router RTR Security Technical Implementation Guide V-216581CAT IIThe Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Cisco IOS Router RTR Security Technical Implementation Guide V-216582CAT IIThe Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Cisco IOS Router RTR Security Technical Implementation Guide V-216587CAT IIThe Cisco perimeter router must be configured to block all outbound management traffic.Cisco IOS Router RTR Security Technical Implementation Guide V-216588CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.Cisco IOS Router RTR Security Technical Implementation Guide V-216589CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Cisco IOS Router RTR Security Technical Implementation Guide V-216592CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the Network Operations Center (NOC).Cisco IOS Router RTR Security Technical Implementation Guide V-216593CAT IIThe Cisco router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Cisco IOS Router RTR Security Technical Implementation Guide V-216594CAT IIThe Cisco router providing connectivity to the Network Operations Center (NOC) must be configured to forward all in-band management traffic via an IPsec tunnel.Cisco IOS Router RTR Security Technical Implementation Guide V-216601CAT IIThe Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Cisco IOS Router RTR Security Technical Implementation Guide V-216616CAT IThe Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.Cisco IOS Router RTR Security Technical Implementation Guide V-216617CAT IIThe Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Cisco IOS Router RTR Security Technical Implementation Guide V-220428CAT IThe Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.Cisco IOS Switch RTR Security Technical Implementation Guide V-220445CAT IIThe Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Cisco IOS Switch RTR Security Technical Implementation Guide V-220446CAT IIThe Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.Cisco IOS Switch RTR Security Technical Implementation Guide V-220447CAT IIThe Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.Cisco IOS Switch RTR Security Technical Implementation Guide V-220452CAT IIThe Cisco perimeter switch must be configured to block all outbound management traffic.Cisco IOS Switch RTR Security Technical Implementation Guide V-220453CAT IIThe Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Cisco IOS Switch RTR Security Technical Implementation Guide V-220455CAT IThe Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.Cisco IOS Switch RTR Security Technical Implementation Guide V-220456CAT IIThe Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Cisco IOS Switch RTR Security Technical Implementation Guide V-216650CAT IThe Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216670CAT IIThe Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216671CAT IIThe Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216672CAT IIThe Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216677CAT IIThe Cisco perimeter router must be configured to block all outbound management traffic.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216678CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216679CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Cisco IOS XE Router RTR Security Technical Implementation Guide V-216682CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the Network Operations Center (NOC).Cisco IOS XE Router RTR Security Technical Implementation Guide V-216683CAT IIThe Cisco router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216684CAT IIThe Cisco router providing connectivity to the Network Operations Center (NOC) must be configured to forward all in-band management traffic via an IPsec tunnel.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216691CAT IIThe Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216711CAT IThe Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216712CAT IIThe Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Cisco IOS XE Router RTR Security Technical Implementation Guide V-220995CAT IThe Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221012CAT IIThe Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221013CAT IIThe Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221014CAT IIThe Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221019CAT IIThe Cisco perimeter switch must be configured to block all outbound management traffic.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221020CAT IIThe Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221027CAT IIThe Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221047CAT IThe Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221048CAT IIThe Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-216743CAT IThe Cisco router must be configured to restrict traffic destined to itself.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216744CAT IIThe Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216760CAT IIThe Cisco perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216761CAT IIThe Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216762CAT IIThe Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216767CAT IIThe Cisco perimeter router must be configured to block all outbound management traffic.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216768CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216769CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Cisco IOS XR Router RTR Security Technical Implementation Guide V-216772CAT IIThe Cisco out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the Network Operations Center (NOC).Cisco IOS XR Router RTR Security Technical Implementation Guide V-216773CAT IIThe Cisco router must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216774CAT IIThe Cisco router providing connectivity to the Network Operations Center (NOC) must be configured to forward all in-band management traffic via an IPsec tunnel.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216781CAT IIThe Cisco BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216801CAT IThe Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216802CAT IIThe Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Cisco IOS XR Router RTR Security Technical Implementation Guide V-221079CAT IIThe Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221081CAT IIThe Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221092CAT IIThe Cisco perimeter switch must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221093CAT IIThe Cisco perimeter switch must be configured to filter ingress traffic at the external interface on an inbound direction.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221094CAT IIThe Cisco perimeter switch must be configured to filter egress traffic at the internal interface on an inbound direction.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221099CAT IIThe Cisco perimeter switch must be configured to block all outbound management traffic.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221100CAT IIThe Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221107CAT IIThe Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221126CAT IThe Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221127CAT IIThe Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Cisco NX OS Switch RTR Security Technical Implementation Guide V-259863CAT IThe Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must implement a security stack that restricts traffic flow inbound and outbound between the IaaS and the Boundary Cloud Access Point (BCAP) or Internal Cloud Access Point (ICAP) connection.Cloud Computing Mission Owner Network Security Requirements Guide V-259864CAT IThe Mission Owner's internet-facing applications must be configured to traverse the Cloud Access Point (CAP) and Virtual Datacenter Security Stack (VDSS) prior to communicating with the internet.Cloud Computing Mission Owner Network Security Requirements Guide V-259865CAT IIThe Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must configure scanning using an Assured Compliance Assessment Solution (ACAS) server or solution that meets DOD scanning and reporting requirements.Cloud Computing Mission Owner Network Security Requirements Guide V-259866CAT IIThe Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must be configured to maintain separation of all management and data traffic.Cloud Computing Mission Owner Network Security Requirements Guide V-269872CAT IThe Dell OS10 Router must be configured to restrict traffic destined to itself.Dell OS10 Switch Router Security Technical Implementation Guide V-269873CAT IIThe Dell OS10 Router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Dell OS10 Switch Router Security Technical Implementation Guide V-269877CAT IIThe Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Dell OS10 Switch Router Security Technical Implementation Guide V-269879CAT IIThe Dell OS10 out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Dell OS10 Switch Router Security Technical Implementation Guide V-269880CAT IIThe Dell OS10 out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.Dell OS10 Switch Router Security Technical Implementation Guide V-266173CAT IIThe F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.F5 BIG-IP TMOS ALG Security Technical Implementation Guide V-266267CAT IIThe BIG-IP appliance perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.F5 BIG-IP TMOS Firewall Security Technical Implementation Guide V-206695CAT IIThe perimeter firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave.Firewall Security Requirements Guide V-234147CAT IIThe FortiGate firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave.Fortinet FortiGate Firewall Security Technical Implementation Guide V-66125CAT IIThe HP FlexFabric Switch must configure the maximum hop limit value to at least 32.HP FlexFabric Switch RTR Security Technical Implementation Guide V-266999CAT IIAOS, when used as a VPN Gateway, must be configured to route sessions to an intrusion detection and prevention system (IDPS) for inspection.HPE Aruba Networking AOS VPN Security Technical Implementation Guide V-266707CAT IIAOS, when used as a WLAN bridge or controller, must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.HPE Aruba Networking AOS Wireless Security Technical Implementation Guide V-254010CAT IThe Juniper router must be configured to restrict traffic destined to itself.Juniper EX Series Switches Router Security Technical Implementation Guide V-254011CAT IIThe Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Juniper EX Series Switches Router Security Technical Implementation Guide V-254012CAT IIThe Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Juniper EX Series Switches Router Security Technical Implementation Guide V-254013CAT IIThe Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Juniper EX Series Switches Router Security Technical Implementation Guide V-254014CAT IIThe Juniper perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Juniper EX Series Switches Router Security Technical Implementation Guide V-254015CAT IIThe Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Juniper EX Series Switches Router Security Technical Implementation Guide V-254016CAT IThe Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.Juniper EX Series Switches Router Security Technical Implementation Guide V-254017CAT IIThe Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.Juniper EX Series Switches Router Security Technical Implementation Guide V-254018CAT IIThe Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.Juniper EX Series Switches Router Security Technical Implementation Guide V-254019CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Juniper EX Series Switches Router Security Technical Implementation Guide V-254020CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.Juniper EX Series Switches Router Security Technical Implementation Guide V-254021CAT IIThe Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.Juniper EX Series Switches Router Security Technical Implementation Guide V-254049CAT IIThe Juniper perimeter router must be configured to block all outbound management traffic.Juniper EX Series Switches Router Security Technical Implementation Guide V-217019CAT IThe Juniper router must be configured to restrict traffic destined to itself.Juniper Router RTR Security Technical Implementation Guide V-217020CAT IIThe Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Juniper Router RTR Security Technical Implementation Guide V-217037CAT IIThe Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Juniper Router RTR Security Technical Implementation Guide V-217038CAT IIThe Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Juniper Router RTR Security Technical Implementation Guide V-217039CAT IIThe Juniper perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Juniper Router RTR Security Technical Implementation Guide V-217043CAT IIThe Juniper perimeter router must be configured to block all outbound management traffic.Juniper Router RTR Security Technical Implementation Guide V-217044CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.Juniper Router RTR Security Technical Implementation Guide V-217045CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Juniper Router RTR Security Technical Implementation Guide V-217048CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.Juniper Router RTR Security Technical Implementation Guide V-217049CAT IIThe Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.Juniper Router RTR Security Technical Implementation Guide V-217050CAT IIThe Juniper router providing connectivity to the NOC must be configured to forward all in-band management traffic via an IPsec tunnel.Juniper Router RTR Security Technical Implementation Guide V-217057CAT IIThe Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Juniper Router RTR Security Technical Implementation Guide V-217076CAT IThe Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.Juniper Router RTR Security Technical Implementation Guide V-217077CAT IIThe Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.Juniper Router RTR Security Technical Implementation Guide V-251335CAT IIAn Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.Network Infrastructure Policy Security Technical Implementation Guide V-251336CAT IIAn Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.Network Infrastructure Policy Security Technical Implementation Guide V-251337CAT IIAn Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.Network Infrastructure Policy Security Technical Implementation Guide V-251338CAT IIAn Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.Network Infrastructure Policy Security Technical Implementation Guide V-251384CAT IIMulti-Protocol Labeled Switching (MPLS) labels must not be exchanged between the enclaves edge routers and any external neighbor routers.Network Infrastructure Policy Security Technical Implementation Guide V-243214CAT IIThe network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Network WLAN AP-IG Platform Security Technical Implementation Guide V-243225CAT IIThe network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Network WLAN AP-NIPR Platform Security Technical Implementation Guide V-243231CAT IIThe network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Network WLAN Bridge Platform Security Technical Implementation Guide V-243237CAT IIThe network device must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.Network WLAN Controller Platform Security Technical Implementation Guide V-273605CAT IThe RUCKUS ICX router must be configured to restrict traffic destined to itself.RUCKUS ICX Router Security Technical Implementation Guide V-273606CAT IIThe RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.RUCKUS ICX Router Security Technical Implementation Guide V-273607CAT IIThe RUCKUS ICX perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DOD Instruction 8551.1.RUCKUS ICX Router Security Technical Implementation Guide V-273608CAT IIThe RUCKUS ICX perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.RUCKUS ICX Router Security Technical Implementation Guide V-273609CAT IIThe RUCKUS ICX perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.RUCKUS ICX Router Security Technical Implementation Guide V-273610CAT IIThe RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.RUCKUS ICX Router Security Technical Implementation Guide V-273611CAT IThe RUCKUS ICX PE router must be configured to block any traffic destined to IP core infrastructure.RUCKUS ICX Router Security Technical Implementation Guide V-273612CAT IIThe RUCKUS ICX PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.RUCKUS ICX Router Security Technical Implementation Guide V-273613CAT IIThe RUCKUS ICX management network gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit.RUCKUS ICX Router Security Technical Implementation Guide V-273614CAT IIThe RUCKUS ICX out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).RUCKUS ICX Router Security Technical Implementation Guide V-273615CAT IIThe RUCKUS ICX out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the Network Operations Center (NOC).RUCKUS ICX Router Security Technical Implementation Guide V-273616CAT IIThe RUCKUS ICX router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.RUCKUS ICX Router Security Technical Implementation Guide V-273618CAT IThe RUCKUS ICX perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).RUCKUS ICX Router Security Technical Implementation Guide V-273619CAT IIThe RUCKUS ICX perimeter router must be configured to block all packets with any IP options.RUCKUS ICX Router Security Technical Implementation Guide V-273620CAT IIThe RUCKUS ICX PE router must be configured to ignore or block all packets with any IP options.RUCKUS ICX Router Security Technical Implementation Guide V-281342CAT IIRHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-207133CAT IThe router must be configured to restrict traffic destined to itself.Router Security Requirements Guide V-207134CAT IIThe router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.Router Security Requirements Guide V-207135CAT IIThe perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.Router Security Requirements Guide V-207136CAT IIThe perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.Router Security Requirements Guide V-207137CAT IIThe perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.Router Security Requirements Guide V-207138CAT IIThe BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.Router Security Requirements Guide V-207139CAT IThe PE router must be configured to block any traffic that is destined to IP core infrastructure.Router Security Requirements Guide V-207140CAT IIThe PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces..Router Security Requirements Guide V-207141CAT IIThe out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.Router Security Requirements Guide V-207142CAT IIThe out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).Router Security Requirements Guide V-207143CAT IIThe out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.Router Security Requirements Guide V-207144CAT IIThe router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.Router Security Requirements Guide V-207145CAT IIThe router providing connectivity to the NOC must be configured to forward all in-band management traffic via an IPsec tunnel.Router Security Requirements Guide V-216979CAT IThe perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).Router Security Requirements Guide V-216980CAT IIThe perimeter router must be configured to block all packets with any IP options.Router Security Requirements Guide V-216981CAT IIThe PE router must be configured to ignore or block all packets with any IP options.Router Security Requirements Guide V-265368CAT IIThe NSX Tier-0 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception.VMware NSX 4.x Tier-0 Gateway Firewall Security Technical Implementation Guide V-265494CAT IIThe NSX Tier-1 Gateway firewall must deny network communications traffic by default and allow network communications traffic by exception.VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide V-251740CAT IIThe NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide V-251749CAT IThe NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide V-207220CAT IIThe VPN Gateway must be configured to route sessions to an IDPS for inspection.Virtual Private Network (VPN) Security Requirements Guide