The following are some of the samples available under Compliance, Regulatory in the Library Manager.
Move your cursor over each sample to view a description of the samples within this category.
PCI-DSS-1.1.1 – RADIUS Server
This test ensures that a user-specified server is setup as a RADIUS server with proper authentication, and also ensures there are no other RADIUS servers other than the specified server.
PCI-DSS-1.1.1 – SNMP Traps
This test ensures that SNMP Traps are enabled, have been directed at the specified host, and will not be sent to any other location. This sample test only works for SNMPv1 and SNMPv2.
PCI-DSS-1.1.1 – Syslogs
This test ensures that Syslogs are enabled, pointed at the correct IP address for the Network Configuration Manager Device Server, and ensures that Syslogs will not be sent to any other location.
PCI-DSS-1.1.1 – TACACS Server
This test ensures that the specified server is configured as the only TACACS+ server, and ensures authentication is setup correctly.
PCI-DSS-1.1.1 – VTY Access
This test ensures that the specified local account is setup on a device for VTY access, and ensures no other local account is active. This test also deletes all usernames that are not specified by the user, if they exist.
PCI-DSS-1.2-1.3 – Named Egress Access List – By ACL Name
This test ensures that only valid IP addresses are allowed to exit the network, and ensures that the simple egress access list ends with a Deny Any Any.
PCI-DSS-1.2-1.3 – Named Ingress Access List – By ACL Name
This test ensures that only valid IP addresses are allowed to enter the network, and ensures that the simple ingress access-list ends with a Deny Any Any.
PCI-DSS-1.2-1.3 – Named Egress Access List
This test ensures that only valid IP addresses are allowed to enter the network, and ensures that the numbered egress access-list ends with a Deny Any Any.
PCI-DSS-1.2-1.3 – Named Ingress Access List
This test ensures that only valid IP addresses are allowed to enter the network, and ensures that the numbered ingress access-list ends with a Deny Any Any.
PCI-DSS-1.3.1 – Restrict Unauthorized Traffic
This test ensures that a specified access list is configured on the identified interface. The specified access list denies unauthorized traffic from the internet into the DMZ, and allows only traffic that is explicitly permitted.
PCI-DSS-1.3.3 – Stateful Inspection of Firewall
This test ensures stateful packet inspection is enabled on a firewall, and turned on for UDP and ICMP traffic.
PCI-DSS-1.3.7 – Test That Denies Traffic on All Ports Other Than Port 23
This test ensures that a user-specified access list denies all traffic connections that are open, except for the traffic that is coming in on Port 23.
PCI-DSS-1.3.7 – Test That Allows Traffic on No Other Open Port Other Than Port 23
This test ensures that a user-specified access list denies all traffic connections that are open, except for the traffic that is coming in on Port 23.
PCI-DSS-1.4.1 – Approved Routes Re-Distribution
This test ensures that only specified routes are redistributed from RIP into a neighboring OSPF or BGP domain. If not, the device is flagged as non-compliant, and the remedy pushes the user-specified distribute list in the appropriate direction. Distribute lists serve as the basic form of network security.
The Access Control List identified by the user ensures:
-
Only approved routes from RIP are redistributed into OSPF
-
Only approved routes from RIP are distributed in the appropriate direction
-
No other routes are being distributed into the OSPF domain
PCI-DSS-1.4.1 – Check for Approved Static Routes Only
This test checks for the existence of approved static routes, as specified by the user, and no other static routes.
PCI-DSS-1.5 – Inside NAT Setup
This test checks that Network Time Protocol has been setup correctly on the inside interface of the device.
PCI-DSS-1.5 – Outside NAT Setup
This test checks that Network Time Protocol has been setup correctly on the outside interface of the device.
PCI-DSS-10.4 – Test for Network Time Protocol
This test checks if Network Time Protocol authentication is MD5.
PCI-DSS-2.1 – Detecting Default Username
This test ensures the default username cisco does not exist in the configuration. If it does contain the default username, then it removes it ,and adds a username defined by the user.
PCI-DSS-4.1 – VPN Encryption
This test ensures that an IpSec VPN is configured to use strong encryption.
PCI-DSS-4.1.1 – WAP Encryption
This test ensures that WAP is configured to use strong encryption.
Block cipher encryption techniques are designed to disguise plain text patterns that might otherwise generate patterns of encrypted cipher text. Any repeated sequences can facilitate cracking of the algorithm. The WAP gateway can be configured to operate all the encryption algorithms, or a list specifying one or more of the options.
To decide which encryption algorithms to configure, you must consider several factors. A shorter key length is easier to compute, and will impose less overhead on the processor than a longer key length, but a shorter key length can compromise security.
The level of security you need to configure is also determined by the type of information that can be accessed through the gateway. Confidential corporate information often requires a high level of security
Use the WAP WTLS encryption command in conjunction with the WAP WTLS hash global configuration commands to help establish and operate a secure WAP session.
PCI-DSS-4.1.1 – WAP Hash Algorithm
This test ensures that WAP is configured to use strong hash algorithm. Hash algorithms are used to construct a digital signature for encrypted text to prevent attempts to modify the original encrypted text. The WAP gateway can be configured to operate all the hash algorithms or a list specifying one or more of the options.
The level of security you need to configure is determined by the type of information that can be accessed through the gateway. Confidential corporate information often requires a high level of security.
