4.6 SEC – Security

4.6.1 SEC.GEN – General security

ID Requirement
SEC.GEN.1 The RG Firewall MUST NOT reveal closed ports during a port scan.
SEC.GEN.2 Requirement moved to own subsection 4.6.2
SEC.GEN.3 Requirement moved to own subsection 4.6.2
SEC.GEN.4 Requirement deleted
SEC.GEN.5 The RG MUST NOT enable FTP by default. The RG MAY enable SFTP if it is required for NAS services.
SEC.GEN.6 The RG MUST NOT enable services not explicitly advertised as part of the users’ service.
SEC.GEN.7 The RG MUST run services or applications by applying the principle of least privilege.
SEC.GEN.8 The RG MUST NOT respond to protocols or API calls over a port assigned to another protocol/application.
SEC.GEN.9 Requirement deleted
SEC.GEN.10 The RG SHOULD whitelist known management servers.
SEC.GEN.11 The RG MUST NOT run services on the WAN interface by default unless explicitly required for the end user’s service. For example, Domain Name Service (DNS) will not be enabled on the WAN interface.

4.6.2 SEC.USERINTERFACE – User Interface security

ID Requirement
SEC.USERINTERFACE.1 The RG MUST use HTTPS over TLS 1.2 or later for access to its graphical user interface (GUI).
SEC.USERINTERFACE.2 The RG MUST reject attempts to connect to its user interface(s) using incorrect credentials.
SEC.USERINTERFACE.3 The RG MUST NOT ever use the same username or password for remote (WAN) access to its user interface(s) and local (LAN) access to its user interface(s).
SEC.USERINTERFACE.4 The RG MUST use a password unique to the unit for default access to its user interface(s).
SEC.USERINTERFACE.5 The RG MUST prompt the user to change the default password upon first access.
SEC.USERINTERFACE.6 The RG MUST use exponential rate limiting of login attempts upon failed login attempts.
SEC.USERINTERFACE.7 The RG MUST time-out exposed remote (WAN) access to its user interface(s) after a default period of time.
SEC.USERINTERFACE.8 The RG MAY allow access to its command line interface(s) via SSH. SSH access, if supported, MUST NOT be enabled by default. The RG MUST NOT allow access to its command line interface(s) via any other protocol.
SEC.USERINTERFACE.9 Login to the RG’s user interface(s) SHOULD use a 2-pass challenge mechanism. If used, it MUST NOT be dependent on connections to WAN resources.
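
One way to implement the exponential rate limiting that SEC.USERINTERFACE.6 calls for, as an added example that is not part of this specification. The class name, the per-client key (for instance the source address), the 1-second base delay and the 1-hour cap are assumptions; the requirement fixes none of them.

```python
import time

class LoginRateLimiter:
    """Exponential back-off on failed logins, tracked per client key."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay    # assumed value, not from the requirement
        self.max_delay = max_delay      # assumed cap so the delay stays bounded
        self.clock = clock              # injectable so the logic can be tested
        self._state = {}                # key -> (consecutive failures, locked_until)

    def retry_after(self, key):
        """Seconds the client must still wait; 0.0 means an attempt is allowed."""
        _, locked_until = self._state.get(key, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def attempt(self, key, verify):
        """Call verify() only if key is not locked out.

        Returns (ok, wait): ok is True on a successful login; wait is the
        number of seconds before the next attempt will be considered.
        """
        wait = self.retry_after(key)
        if wait > 0:
            # Refuse without checking credentials, so guesses made during
            # the lock-out window are never evaluated.
            return False, wait
        if verify():
            self._state.pop(key, None)  # success resets the failure count
            return True, 0.0
        failures = self._state.get(key, (0, 0.0))[0] + 1
        # Delay doubles with each consecutive failure; the exponent is
        # clamped so the arithmetic cannot overflow before the cap applies.
        delay = min(self.base_delay * 2 ** min(failures - 1, 32), self.max_delay)
        self._state[key] = (failures, self.clock() + delay)
        return False, delay
```

The state table grows with the number of distinct keys, so a device implementation would also bound or expire its entries.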

4.6.3 SEC.FIRMWARE – Firmware integrity and security

ID Requirement
SEC.FIRMWARE.1 RG’s firmware MUST support Digital Signature authentication.
SEC.FIRMWARE.2 RG’s firmware MUST support an encryption mechanism.