List of recommendations

R1 SNS-SMC Use accounts assigned to users by name
R2 SNS-SMC Protect the local administrator account
R3 SNS Restrict administration via SSH
R4 SNS Use SSH key-based authentication
R5 SNS Authenticate locally using certificates
R6 SNS Define an appropriate password policy
R7 SNS Dedicate an external directory to administrators
R8 SNS Use a restricted-access and secure account
R9 SNS Adjust administration privileges to strictly what is required
R10 SNS-SMC Use groups to manage privileges
R11 SNS Define administration sub-networks clearly
R12 SNS Use an administrator object group
R13 SNS Dedicate an Ethernet interface to administration
R14 SNS Keep default cryptographic suites
R14+ SNS Harden TLS parameters in the web administration interface
R15 SNS Replace the web administration interface certificate
R16 SNS Use NSRPC from the web interface
R16- SNS Use accounts dedicated to direct NSRPC connections
R17 SNS Use the same language in logs
R18 SNS-SMC Use a language that users understand
R19 SNS Enable the “Diffusion Restreinte” option
R19 SMC Enable the “Diffusion Restreinte” option
R20 SNS Disable unused interfaces
R21 SNS-SMC Declare internal interfaces
R22 SNS Define static routes for internal networks
R23 SNS Complete IP anti-spoofing rules
R24 SNS Update from an internal mirror
R24- SNS Update through a proxy
R25 SNS Choose controlled DNS servers
R25- SNS Change default DNS servers
R26 SNS Restrict the use of dynamic objects
R26 SMC Restrict the use of dynamic objects
R27 SNS-SMC Synchronize system time
R28 SNS-SMC Configure the LDAP securely
R29 SNS-SMC Rename the production policy
R30 SNS Disable implicit rules
R31 SNS-SMC Adapt traffic inspection type to the role of the SNS firewall
R32 SNS-SMC Adapt inspection profiles to the SNS firewall’s use context
R33 SNS-SMC Use object groups
R34 SNS-SMC Use a controlled external PKI
R34- SNS Use the SNS firewall’s PKI
R34- SMC Use the SNS firewall’s PKI
R35 SNS-SMC Impose CRL verification
R36 SNS Adapt the automatic refreshment of CRLs
R37 SNS-SMC Configure the CRL retrieval URL and enable automatic retrieval
R37- SNS-SMC Manually import CRLs
R38 SNS-SMC Use strong algorithms for IKE and IPsec
R39 SNS-SMC Use version 2 of the IKE protocol
R40 SNS-SMC Use mutual certificate-based authentication
R40- SNS-SMC Use a robust pre-shared key
R41 SNS-SMC Configure IPsec VPN tunnels securely
R41+ SNS-SMC Do not use the default route
R42 SNS-SMC Confirm the source of incoming traffic
R43 SNS-SMC Declare the internal IPsec VPN interface
R44 SNS Configure mobile tunnels in config mode
R45 SNS Authenticate mobile devices and/or users with certificates
R46 SNS Use a dedicated intermediate certification authority
R47 SNS-SMC Enable Dead Peer Detection
R47- SNS-SMC Use passive DPD mode
R48 SNS Configure Keepalive
R49 SNS-SMC Keep the DSCP field
R49+ SNS-SMC Control the DSCP field
R50 SNS-SMC Filter SNMP queries
R51 SNS Use SNMPv3
R52 SNS Configure access to the SNMP agent
R53 SNS-SMC Set up automatic backup on a controlled server
R53- SNS Set up automatic backup via SSH
R54 SNS Define a log policy
R55 SNS Secure log transfers with the TLS protocol
R56 SNS Determine the events to log