The following are some of the samples available under Compliance, Regulatory in the Library Manager.

Move your cursor over each sample to view a description of the samples within this category.

Note: The compliance reporting capability of NCM is enhanced to support DISA/NSA compliance testing. The DISA STIG compliance reports are separate reports that can be run from within the Report Advisor. The PCI Compliance tab in the Report Advisor (RA) is now replaced with Compliance and DISA STIG samples are included in the Automation Library. The DISA STIG compliance reports are now accessible through the "Compliance" tab. The compliance reports are now updated to include DISA Compliance requirements. The required definitions and compliance definitions are available at: http://iase.disa.mil/stigs.

Regulatory

PCI-DSS-1.1.1 – RADIUS Server

This test ensures that a user-specified server is set up as a RADIUS server with proper authentication, and also ensures there are no RADIUS servers other than the specified server.

PCI-DSS-1.1.1 – SNMP Traps

This test ensures that SNMP Traps are enabled, have been directed at the specified host, and will not be sent to any other location. This sample test only works for SNMPv1 and SNMPv2.

PCI-DSS-1.1.1 – Syslogs

This test ensures that Syslogs are enabled, pointed at the correct IP address for the Network Configuration Manager Device Server, and ensures that Syslogs will not be sent to any other location.

PCI-DSS-1.1.1 – TACACS Server

This test ensures that the specified server is configured as the only TACACS+ server, and ensures authentication is set up correctly.

PCI-DSS-1.1.1 – VTY Access

This test ensures that the specified local account is set up on a device for VTY access, and ensures no other local account is active. This test also deletes all usernames that are not specified by the user, if they exist.

PCI-DSS-1.2-1.3 – Named Egress Access List – By ACL Name

This test ensures that only valid IP addresses are allowed to exit the network, and ensures that the simple egress access list ends with a Deny Any Any.

PCI-DSS-1.2-1.3 – Named Ingress Access List – By ACL Name

This test ensures that only valid IP addresses are allowed to enter the network, and ensures that the simple ingress access-list ends with a Deny Any Any.

PCI-DSS-1.2-1.3 – Named Egress Access List

This test ensures that only valid IP addresses are allowed to exit the network, and ensures that the numbered egress access-list ends with a Deny Any Any.

PCI-DSS-1.2-1.3 – Named Ingress Access List

This test ensures that only valid IP addresses are allowed to enter the network, and ensures that the numbered ingress access-list ends with a Deny Any Any.
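The Syslog and access-list samples above both reduce to the same kind of check: parse the device configuration and confirm that a setting is present exactly as specified and nowhere else. The following Python is an added example (not NCM sample code) of how such checks can be implemented; the IOS-style configuration, the host 10.0.0.5 and the ACL names are constructed for illustration.

```python
import re

# Constructed IOS-style running-config used as sample input (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
logging host 10.0.0.5
logging host 10.0.0.99
ip access-list extended EGRESS_FILTER
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
ip access-list extended INGRESS_FILTER
 permit tcp any host 10.0.0.10 eq 443
 deny ip any any log
"""


def logging_hosts(config):
    """Return every 'logging host' destination found in the config, in order."""
    return re.findall(r"^logging host (\S+)", config, re.MULTILINE)


def check_syslog_only(config, expected_host):
    """Compliant only if syslog is sent to expected_host and to no other destination."""
    return logging_hosts(config) == [expected_host]


def named_acl_entries(config, acl_name):
    """Collect the ACE lines of a named ACL: the indented lines that follow its header."""
    entries, in_acl = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list "):
            in_acl = line.split()[-1] == acl_name   # header of the ACL we want?
            continue
        if in_acl:
            if line.startswith(" "):
                entries.append(line.strip())
            else:
                break                               # first non-indented line ends the ACL
    return entries


def check_acl_ends_deny_any(config, acl_name):
    """Compliant only if the ACL exists and its final ACE is an explicit deny any any."""
    entries = named_acl_entries(config, acl_name)
    if not entries:
        return False                                # missing ACL is non-compliant
    toks = entries[-1].split()
    if len(toks) > 1 and toks[0] == "deny" and toks[1] == "ip":
        toks = [toks[0]] + toks[2:]                 # 'deny ip any any' and 'deny any any' both count
    return toks[:3] == ["deny", "any", "any"]       # trailing 'log' keyword is permitted
```

In the constructed config the second logging host makes the Syslog check fail, and EGRESS_FILTER fails because it has no closing deny, while INGRESS_FILTER passes.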

PCI-DSS-1.3.1 – Restrict Unauthorized Traffic

This test ensures that a specified access list is configured on the identified interface. The specified access list denies unauthorized traffic from the internet into the DMZ, and allows only traffic that is explicitly permitted.

PCI-DSS-1.3.3 – Stateful Inspection of Firewall

This test ensures stateful packet inspection is enabled on a firewall, and turned on for UDP and ICMP traffic.

PCI-DSS-1.3.7 – Test That Denies Traffic on All Ports Other Than Port 23

This test ensures that a user-specified access list denies all traffic connections that are open, except for the traffic that is coming in on Port 23.

PCI-DSS-1.3.7 – Test That Allows Traffic on No Other Open Port Other Than Port 23

This test ensures that a user-specified access list denies all traffic connections that are open, except for the traffic that is coming in on Port 23.

PCI-DSS-1.4.1 – Approved Routes Re-Distribution

This test ensures that only specified routes are redistributed from RIP into a neighboring OSPF or BGP domain. If not, the device is flagged as non-compliant, and the remedy pushes the user-specified distribute list in the appropriate direction. Distribute lists serve as a basic form of network security.

The Access Control List identified by the user ensures:

  • Only approved routes from RIP are redistributed into OSPF

  • Only approved routes from RIP are distributed in the appropriate direction

  • No other routes are being distributed into the OSPF domain

PCI-DSS-1.4.1 – Check for Approved Static Routes Only

This test checks for the existence of approved static routes, as specified by the user, and no other static routes.

PCI-DSS-1.5 – Inside NAT Setup

This test checks that Network Time Protocol has been set up correctly on the inside interface of the device.

PCI-DSS-1.5 – Outside NAT Setup

This test checks that Network Time Protocol has been set up correctly on the outside interface of the device.

PCI-DSS-10.4 – Test for Network Time Protocol

This test checks if Network Time Protocol authentication is MD5.

PCI-DSS-2.1 – Detecting Default Username

This test ensures the default username cisco does not exist in the configuration. If the configuration does contain the default username, the test removes it and adds a username defined by the user.

PCI-DSS-4.1 – VPN Encryption

This test ensures that an IPsec VPN is configured to use strong encryption.

PCI-DSS-4.1.1 – WAP Encryption

This test ensures that WAP is configured to use strong encryption.

Block cipher encryption techniques are designed to disguise plain text patterns that might otherwise generate patterns of encrypted cipher text. Any repeated sequences can facilitate cracking of the algorithm. The WAP gateway can be configured to operate all the encryption algorithms, or a list specifying one or more of the options.

To decide which encryption algorithms to configure, you must consider several factors. A shorter key length is easier to compute, and will impose less overhead on the processor than a longer key length, but a shorter key length can compromise security.

The level of security you need to configure is also determined by the type of information that can be accessed through the gateway. Confidential corporate information often requires a high level of security.

Use the WAP WTLS encryption command in conjunction with the WAP WTLS hash global configuration commands to help establish and operate a secure WAP session.

PCI-DSS-4.1.1 – WAP Hash Algorithm

This test ensures that WAP is configured to use a strong hash algorithm. Hash algorithms are used to construct a digital signature for encrypted text to prevent attempts to modify the original encrypted text. The WAP gateway can be configured to operate all the hash algorithms, or a list specifying one or more of the options.

The level of security you need to configure is determined by the type of information that can be accessed through the gateway. Confidential corporate information often requires a high level of security.