| R1
|
SNS-SMC |
Use accounts assigned to users by name |
| R2
|
SNS-SMC |
Protect the local administrator account |
| R3
|
SNS |
Restrict administration via SSH |
| R4
|
SNS |
Use SSH key-based authentication |
| R5
|
SNS |
Authenticate locally using certificates |
| R6
|
SNS |
Define an appropriate password policy |
| R7
|
SNS |
Dedicate an external directory to administrators |
| R8
|
SNS |
Use a restricted-access and secure account |
| R9
|
SNS |
Adjust administration privileges to strictly what is required |
| R10
|
SNS-SMC |
Use groups to manage privileges |
| R11
|
SNS |
Define administration sub-networks clearly |
| R12
|
SNS |
Use an administrator object group |
| R13
|
SNS |
Dedicate an Ethernet interface to administration |
| R14
|
SNS |
Keep default cryptographic suites |
| R14+
|
SNS |
Harden TLS parameters in the web administration interface |
| R15
|
SNS |
Replace the web administration interface certificate |
| R16
|
SNS |
Use NSRPC from the web interface |
| R16-
|
SNS |
Use accounts dedicated to direct NSRPC connections |
| R17
|
SNS |
Use the same language in logs |
| R18
|
SNS-SMC |
Use a language that users understand |
| R19
|
SNS |
Enable the “Diffusion Restreinte” option |
| R19
|
SMC |
Enable the “Diffusion Restreinte” option |
| R20
|
SNS |
Disable unused interfaces |
| R21
|
SNS-SMC |
Declare internal interfaces |
| R22
|
SNS |
Define static routes for internal networks |
| R23
|
SNS |
Complete IP anti-spoofing rules |
| R24
|
SNS |
Update from an internal mirror |
| R24-
|
SNS |
Update through a proxy |
| R25
|
SNS |
Choose controlled DNS servers |
| R25-
|
SNS |
Change default DNS servers |
| R26
|
SNS |
Restrict the use of dynamic objects |
| R26
|
SMC |
Restrict the use of dynamic objects |
| R27
|
SNS-SMC |
Synchronize system time |
| R28
|
SNS-SMC |
Configure the LDAP securely |
| R29
|
SNS-SMC |
Rename the production policy |
| R30
|
SNS |
Disable implicit rules |
| R31
|
SNS-SMC |
Adapt traffic inspection type to the role of the SNS firewall |
| R32
|
SNS-SMC |
Adapt inspection profiles to the SNS firewall’s use context |
| R33
|
SNS-SMC |
Use object groups |
| R34
|
SNS-SMC |
Use a controlled external PKI |
| R34-
|
SNS |
Use the SNS firewall’s PKI |
| R34-
|
SMC |
Use the SNS firewall’s PKI |
| R35
|
SNS-SMC |
Impose CRL verification |
| R36
|
SNS |
Adapt the automatic refreshment of CRLs |
| R37
|
SNS-SMC |
Configure the CRL retrieval URL and enable automatic retrieval |
| R37-
|
SNS-SMC |
Manually import CRLs |
| R38
|
SNS-SMC |
Use strong algorithms for IKE and IPsec |
| R39
|
SNS-SMC |
Use version 2 of the IKE protocol |
| R40
|
SNS-SMC |
Use mutual certificate-based authentication |
| R40-
|
SNS-SMC |
Use a robust pre-shared key |
| R41
|
SNS-SMC |
Configure IPsec VPN tunnels securely |
| R41+
|
SNS-SMC |
Do not use the default route |
| R42
|
SNS-SMC |
Confirm the source of incoming traffic |
| R43
|
SNS-SMC |
Declare the internal IPsec VPN interface |
| R44
|
SNS |
Configure mobile tunnels in config mode |
| R45
|
SNS |
Authenticate mobile devices and/or users with certificates |
| R46
|
SNS |
Use a dedicated intermediate certification authority |
| R47
|
SNS-SMC |
Enable Dead Peer Detection |
| R47-
|
SNS-SMC |
Use passive DPD mode |
| R48
|
SNS |
Configure Keepalive |
| R49
|
SNS-SMC |
Keep the DSCP field |
| R49+
|
SNS-SMC |
Control the DSCP field |
| R50
|
SNS-SMC |
Filter SNMP queries |
| R51
|
SNS |
Use SNMPv3 |
| R52
|
SNS |
Configure access to the SNMP agent |
| R53
|
SNS-SMC |
Set up automatic backup on a controlled server |
| R53-
|
SNS |
Set up automatic backup via SSH |
| R54
|
SNS |
Define a log policy |
| R55
|
SNS |
Secure log transfers with the TLS protocol |
| R56
|
SNS |
Determine the events to log |