View STIG - Network Policy Security Technical Implementation Guide V8R17

b

Network topology diagrams for the enclave must be maintained and up to date at all times.

Medium - V-8046 - SV-8532r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0090

Vuln IDs

V-8046

Rule IDs

SV-8532r2_rule

To assist in the management, auditing, and security of the network infrastructure facility drawings and topology maps are a necessity. Topology maps are important because they show the overall layout of the network infrastructure and where devices are physically located. They also show the relationship and interconnectivity between devices and where possible intrusive attacks could take place. Having up to date network topology diagrams will also help show what the security, traffic, and physical impact of adding a new user(s) will be on the network.Information Assurance OfficerDCHW-1, ECSC-1

Checks: C-7427r5_chk

1. Validate the network diagram by correlating the information with all routers, multi-layer switches, and firewall configurations. 2. Validate all subnets have been documented accordingly. 3. Validate any connectivity documented on the diagram by physically examining the cable connections for the downstream and upstream links, as well as connections for major network components (Routers, Switches, Firewalls, IDS/IPS, etc).

Fix: F-7621r4_fix

Update the enclave's network topology diagram to represent the current state of the network and its connectivity.

b

All external connections must be validated and approved by the CAP and DAA, SNAP or CCAO requirements have been met, and MOA and MOU is established between enclaves, prior to connections.

Medium - V-8047 - SV-8533r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0130

Vuln IDs

V-8047

Rule IDs

SV-8533r2_rule

Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation along with diagrams of the network topology is required to be submitted to the Connection Approval Process (CAP) for approval to connect to the NIPRNet or SIPRNet. SIPRNet connections must also comply with the documentation required by the Classified Connection Approval Office (CCAO) to receive the SIPRNet Interim Approval to Connect (IATC) or final Approval to Connect (ATC). Also any additional requirements must be met as outlined in the Interim Authority to Operate (IATO) or Authority to Operate (ATO) forms signed by the Designated Approving Authority (DAA). Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be established between the two sites prior to connecting with each other. This documentation along with diagrams of the network topology is required to be submitted to the CAP for approval to connect to the NIPRNet or SIPRNet. The policy must ensure that all connections to external networks should conform equally. The DREN and SREN are DoD's Research & Engineering Network. A DoD Network that is the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated as a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer ASD (NII)/DoD CIO. A DISN enclave should not have connectivity to the DREN unless approved by the DAA and meets the requirements defined for all external connections previously described. Information Assurance OfficerEBCR-1

Checks: C-7428r2_chk

Interview the IAM to verify that each external connection to the site’s internal network is secured such that it does not introduce any unacceptable risk to the network.

Fix: F-7622r2_fix

All external connections will be validated and approved prior to connection. Interview the IAM to verify that all connections have a mission requirement and that the DAA is aware of the requirement.

b

External connections to the network must be reviewed and the documentation updated semi-annually, at a minimum.

Medium - V-8048 - SV-8534r3_rule

RMF Control

Severity

Medium

CCI

Version

NET0135

Vuln IDs

V-8048

Rule IDs

SV-8534r3_rule

A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated as untrusted networks. Reviewing who or what the network is connected to empowers the security manager to make sound judgements and security recommendations. Minimizing backdoor circuits and connections reduces the risk for unauthorized access to network resources.Information Assurance OfficerEBCR-1, ECSC-1

Checks: C-7429r4_chk

Verify external connections to the organization are documented and reviewed on a semi-annual basis.

Fix: F-7623r3_fix

Implement a semi-annual review process to document and account for external connections to the organization.

a

The connection between the CSU/DSU and the local exchange carriers (LEC) data service jack (i.e., demarc) must be located in a secure environment.

Low - V-8049 - SV-8535r2_rule

RMF Control

Severity

Low

CCI

Version

NET0140

Vuln IDs

V-8049

Rule IDs

SV-8535r2_rule

DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure.Information Assurance OfficerECSC-1

Checks: C-7430r2_chk

Verify the physical network components are in a secure environment.

Fix: F-7624r2_fix

Move all critical communications to controlled access areas. Controlled access areas in this case means controlled restriction to authorize site personnel, i.e., dedicated communications rooms or locked cabinets. This is an area afforded entry control at a security level commensurate with the operational requirement. This protection will be sufficient to protect the network from unauthorized personnel. The keys to the locked cabinets and dedicated communications rooms will be controlled and only provided to authorized network/network security individuals.

a

Network management modems connected to all Channel Service Units (CSUs)/Data Service Units (DSUs) must be disconnected when not in use.

Low - V-8050 - SV-8536r2_rule

RMF Control

Severity

Low

CCI

Version

NET0141

Vuln IDs

V-8050

Rule IDs

SV-8536r2_rule

DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore: unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure.Information Assurance OfficerECND-1, ECND-2, ECSC-1

Checks: C-7431r2_chk

Inspect and verify network management modems are disconnected from the CSU\DSU when not in use.

Fix: F-7625r3_fix

Disconnect network management modems connected to all Channel Service Units (CSUs)/Data Service Unite (DSUs) when not in use.

c

Written approval must obtained from the GIG Waiver Panel or the Office of the DoD Chief Information Officer (DoD CIO) prior to establishing an ISP connection.

High - V-8051 - SV-8537r2_rule

RMF Control

Severity

High

CCI

Version

NET0160

Vuln IDs

V-8051

Rule IDs

SV-8537r2_rule

Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect internal network resources from cyber attacks originating from external Internet sources by protective environments. Direct ISP connections are prohibited unless written approval is obtained from the Global Information Grid (GIG) Waiver Panel or the Office of the DoD CIO who directs the GIG Panel.Information Assurance OfficerInformation Assurance ManagerEBCR-1, ECSC-1

Checks: C-7432r5_chk

ANY CONNECTION TO AN INTERNET SERVICE PROVIDER (ISP) MUST BE APPROVED BY THE GIG WAIVER PANEL BEFORE ANY EQUIPMENT IS PURCHASED OR A CONNECTION IS MADE TO THE ISP. Based on the use cases below, verify written approval has been obtained from the Global Information Grid (GIG) Waiver Panel or verify a renewal request has been appropriately submitted. There are three basic use cases for an ISP connection. An ISP connection for a stand-alone disconnected network and an ISP connection which is connected to the DISN. Use case (1): An ISP connection that originates from an approved DISN infrastructure source (includes IAP connections at the DECCs). A GIG Waiver is required for a CC/S/A to connect the unclassified DISN to an ISP. These connection requests must come to the Waiver Panel with a Component CIO endorsement of the requirement. These connections should not be provisioned and put into use until waived. Expired waivers pending renewal from the OSD GIG Waiver Panel may be downgraded to a Severity 3 category, if proof of a requested renewal can be verified. A DISN enclave that cannot prove GIG Waiver approval for the ISP connection is a Severity 1 category. Please note: If discovered during a CCRI or FSO assessment, the FSO team lead will immediately report the unapproved ISP connection to the USCYBERCOM and the Connection Approval Office. USCYBERCOM will direct the connection be immediately disconnected. Use Case (2): An ISP connection to a Stand Alone Enclave (physically and logically separated from any DISN connection) requires GIG Waiver approval prior to connection. The Stand Alone Enclave must have a DAA issued ATO and the connection must be logically and physically separated from the DISN. An unapproved ISP connection in this use case will be assigned a Severity 3 category. Use Case (3): An ISP connection to a non-DoD network (such as a contractor-owned infrastructure) co-located on the same premises as the DoD network. The non-DoD network is physically and logically separated from any DoD network. Furthermore, it is not connected to any DoD network. The non-DoD network infrastructure is not DoD funded nor is it operated or administered by DoD military or civilian personnel. In addition, the non-DoD network with the ISP connection is not storing, processing, or transmitting any DoD data. For such a network as defined herein, a GIG Waiver approval is not required for deploying a connection to an ISP. However, the DAA must perform and have on file a risk assessment endorsed by the facility or installation command.

Fix: F-7626r2_fix

Obtain written approval obtained from the Global Information Grid (GIG) Waiver Panel for ISP connections.

b

External network connections must not bypass the organizations perimeter security devices unless documented and approved by the DAA.

Medium - V-8052 - SV-8538r3_rule

RMF Control

Severity

Medium

CCI

Version

NET0170

Vuln IDs

V-8052

Rule IDs

SV-8538r3_rule

Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networks to the organization are considered to be untrusted, this could prove detrimental since there is no way to verify traffic inbound or outbound on this backdoor connection. An attacker could carry out attacks or steal data from the organization without any notification. An external connection is considered to be any link from the organization's perimeter to the NIPRNet, SIPRNet, Commercial ISP, or other untrusted network outside the organization's defined security policy. The DREN and SREN are DoD's Research & Engineering Network. A DoD Network that is the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated as a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer ASD (NII)/DoD CIO. A DISN enclave should not have connectivity to the DREN unless approved by the DAA and the requirements have been met for all external connections described in NET0130.Information Assurance OfficerEBCR-1, ECSC-1

Checks: C-7433r4_chk

Verify all external network connections to the organization are routed through the organization's perimeter security devices such as but not limited to the firewall and IDPS solution. All external networks connected to the organization should be documented and approved by the DAA. If any external network connections are found to bypass the perimeter security measures causing a backdoor connection and not documented and approved by the DAA, this is a finding.

Fix: F-7627r4_fix

Disconnect any external network connections not routed through the organization's perimeter security or validated and approved by the DAA.

b

All network infrastructure devices (i.e., IDS, routers, RAS, NAS, firewalls, etc.) must be located in a secure room with limited access.

Medium - V-8054 - SV-8540r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0210

Vuln IDs

V-8054

Rule IDs

SV-8540r2_rule

If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security compromise. It is not sufficient to limit access to only the outside world or non-site personnel. Not everyone within the site has the need-to-know or the need-for-access to communication devices. Information Assurance OfficerECSC-1

Checks: C-7435r4_chk

Inspect the site to validate physical network components are in a secure environment with limited access.

Fix: F-7629r3_fix

Move all critical communications into controlled access areas. Controlled access area in this case means controlled restriction to authorize site personnel, i.e., dedicated communications rooms or locked cabinets. This is an area afforded entry control at a security level commensurate with the operational requirement. This protection will be sufficient to protect the network from unauthorized personnel. The keys to the locked cabinets and dedicated communications rooms will be controlled and only provided to authorized network/network security individuals.

b

All passwords must be created and maintained in accordance with the rules outlined in DoDi 8500.2, IAIA-1, and IAIA-2.

Medium - V-8055 - SV-8541r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0260

Vuln IDs

V-8055

Rule IDs

SV-8541r2_rule

Devices protected with weak password schemes provide the opportunity for anyone to crack the password, gaining access to the device and causing network, device, or information damage or denial of service.Information Assurance OfficerECSC-1

Checks: C-7436r2_chk

Interview the IAO/NSO and examine network devices to validate password schemes are in accordance with DoDi 8500.2 IA Controls, IAIA-1 and IAIA-2.

Fix: F-7630r2_fix

Implement password schemes to be in accordance with DoDi 8500.2 IA Controls, IAIA-1 and IAIA-2.

b

Locally configured passwords used on communications devices must be recorded then stored in a secure and controlled manner.

Medium - V-8056 - SV-8542r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0270

Vuln IDs

V-8056

Rule IDs

SV-8542r2_rule

Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time consuming password recovery techniques and denial of administrator access, in the event a password is forgotten or the individual with the access is incapacitated. Router configurations contain passwords in clear text. This must be encrypted for use in areas where this can be compromised.Information Assurance OfficerDCBP-1, ECSC-1

Checks: C-7437r3_chk

Validate local passwords for communication devices are recorded and stored in a secure and controlled manner.

Fix: F-7631r2_fix

Record the local passwords used on communications devices then store them in a secure and controlled manner.

b

A key management policy must be implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption.

Medium - V-8058 - SV-8544r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0420

Vuln IDs

V-8058

Rule IDs

SV-8544r2_rule

If the MD5 keys used for routing protocols are guessed, the malicious user could create havoc within the network and between subscribing networks by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed.Information Assurance OfficerIAKM-1, IAKM-2, IAKM-3

Checks: C-7439r3_chk

Review the enclave's key management policy and validate if the following information has been identified; key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption within the infrastructure.

Fix: F-7633r2_fix

Implement a key management policy that includes key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption within the infrastructure.

b

The IAO/NSO will ensure modems are not connected to the console port.

Medium - V-8059 - SV-8545r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1628

Vuln IDs

V-8059

Rule IDs

SV-8545r1_rule

Access to network devices via a modem is potentially very risky. If an intruder were to gain access via a modem, the potential for denial of service attacks, interception of sensitive information, and other destructive actions is greatly increased. The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network.Information Assurance OfficerECSC-1

Checks: C-7440r1_chk

Physically inspect any Communications Servers, routers, firewalls, IDS, VPN concentrators, network appliances, Load balancers, etc to ensure modems are not connected or meet the standards defined in the Network STIG.

Fix: F-7634r1_fix

The router administrator will ensure that modems connected to the router are disconnected or secured modems providing encryption and authentication are installed.

a

The IAO/NSO will ensure a centralized syslog server is deployed and configured by the syslog administrator to store all syslog messages for a minimum of 30 days online and then stored offline for one year.

Low - V-8060 - SV-8546r1_rule

RMF Control

Severity

Low

CCI

Version

NET1025

Vuln IDs

V-8060

Rule IDs

SV-8546r1_rule

Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Information Assurance OfficerECSC-1, ECTB-1

Checks: C-7441r1_chk

Examine the syslog server to verify that it is configured to store messages for at least 30 days. Have the administrator show you the syslog files stored offline for one year.

Fix: F-7635r1_fix

The router administrator will configure the syslog server to store messages for at least 30 days on-line. The router administrator will establish a syslog storage strategy for storing the logs off-line for minimum of 1 year.

a

The IAO will ensure all current and previous router and switch configurations are stored in a secured location. Storage can take place on a classified network, an OOB network, or offline. The configurations can only be accessed by the server or network administrator.

Low - V-8061 - SV-8547r1_rule

RMF Control

Severity

Low

CCI

Version

NET1040

Vuln IDs

V-8061

Rule IDs

SV-8547r1_rule

If the router or switch's non-volatile memory are lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a longer than acceptable time.Information Assurance OfficerCOBR-1, ECSC-1

Checks: C-7442r1_chk

IOS Procedure: Have the router administrator show you the stored configuration files. At a minimum, a copy of the current and previous router configurations must be saved. Storage can take place on a classified network, OOB network, or offline. Configurations can only be accessed by server or network admin. JUNOS Procedure: With Juniper, this is built in and would never be a finding. Previously committed configurations 0 – 4 are saved on flash and configurations 5 – 9 are saved on the router’s hard drive. Any one of these can be used for recovery via a rollback command.

Fix: F-7636r1_fix

The network administrator will store the current and previous router and switch configurations in a secure location. Storage can take place on a classified network, OOB network, or offline. Configurations can only be accessed by server or network admin.

c

The IAO will ensure that passwords contained within a router, switch, or firewall configuration file are not stored offline unencrypted.

High - V-8062 - SV-8548r1_rule

RMF Control

Severity

High

CCI

Version

NET1060

Vuln IDs

V-8062

Rule IDs

SV-8548r1_rule

Many attacks on DOD computer systems are launched from within the network by unsatisfied or disgruntled employees, therefore, it is imperative that all router passwords are encrypted so they cannot be intercepted by viewing the console. If the router network is compromised, then large parts of the network could be incapacitated with only a few commands.Information Assurance OfficerECSC-1

Checks: C-7443r1_chk

Review the stored router configuration files to ensure passwords are not stored in plain-text format.

Fix: F-7637r1_fix

The router administrator will ensure that any router passwords that are stored, are encrypted. Delete any un-encrypted passwords that are currently stored as part of a router configuration file. Incorporate the storage of encrypted passwords as part of the router SOP.

b

The IAO/NSO will authorize and maintain justification for all TFTP implementations.

Medium - V-8063 - SV-8549r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1070

Vuln IDs

V-8063

Rule IDs

SV-8549r1_rule

TFTP requies no password.Information Assurance OfficerDCBP-1, ECSC-1

Checks: C-7444r1_chk

Base Procedure Verify written authorization is with the IAO. Review and recommend the procedures defined below: IOS Procedure: Interview the router administrator to see how they transfer the router configuration files to and from the router. Verify that the running configuration for all Cisco routers have statements similar to the following: ip ftp username xxxxxxxxx ip ftp password 7 xxxxxxxxxxxxxxxxxx Following are some alternative approaches that are actually more secured than using FTP: 1. If the router is equipped with PCMCIA Flash Memory Cards, you can copy IOS images as well as configurations to these cards (i.e., slot0, slot1). 2. Copy and paste from a show run while in a SSH session or HyperTerminal (i.e., Capture Text) console connection. The file can then be saved onto a floppy disk and stored in a secured location. Defaults will not be included since most of the IOS defaults are not displayed on a show run command. 3. Secure Copy Protocol (SCP) Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the Cisco router. SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level. SCP allows a user who has appropriate authorization to copy any file that exists in the Cisco IOS File System (IFS) to and from a router by using the copy command. An authorized administrator may also perform this action from a workstation. An example configuration would look as follows: ! AAA authentication and authorization must be configured for SCP to work. aaa new-model aaa authentication login default group tacacs+ aaa authorization exec default group tacacs+ ….. ! SSH must be configured. ip ssh time-out 120 ip ssh authentication-retries 3 ip scp server enable Junos Procedure: Configuration files can be copied to and from the router using the file copy command in operational mode or save command while in configuration mode. The destination address is specified on the command line—never preconfigured. Destinations can be the router’s flash (path/filename), hard drive (/var/filename), removable media (a:filename), FTP server (ftp://hostname/path/filename), TFTP server (tftp://hostname/path/filename), HTTP server (http://hostname/path/file), or an Secure Copy Protocol (SCP) client (scp://hostname/path/filename). Unless TFTP, FTP, or HTTP is specified in the command string, both the save and file copy commands will utilize Secure Copy Protocol, which uses the SSH authentication and encryption framework, to securely copy files to and from a remote host. Interview the router administrator to determine what method is used. If the site uses TFTP or HTTP with the save or file copy command, this is a finding.

Fix: F-7638r1_fix

The router administrator will ensure that FTP is used to transfer router configuration files to and from the router if TFTP has not been authorized by the IAO.. Change the routers configuration to include FTP setup information as follows: Address or name of remote host [?] x.x.x.x; Source file name [?] path/filename; Destination filename [?] path/filename.

b

The IAO/NSO will ensure all changes and updates are documented in a manner suitable for review and audit.

Medium - V-8064 - SV-8550r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1110

Vuln IDs

V-8064

Rule IDs

SV-8550r1_rule

Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes in the network will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.Information Assurance OfficerDCCB-1, DCCB-2, ECSC-1

Checks: C-7445r1_chk

Interview IAO/NSO to verify a Change Management policy is in compliance. Changes and Updates should be suitable for the audit.

Fix: F-7639r1_fix

Implement a Change Management policy that ensures review of scheduled and documented changes. Record configuration changes and review periodically. Develop and use a form or tracking mechanism to aid in the audit trail of any router changes requested of the NSO.

b

Firewalls must have a protection profile by the NIAP Evaluation and Validation Program before being placed on the network.

Medium - V-8065 - SV-8551r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0345

Vuln IDs

V-8065

Rule IDs

SV-8551r2_rule

The only assurance that the firewall meets or exceeds the minimum security requirements is the evaluation and validation by an accredited licensed/approved evaluation facility.Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1

Checks: C-23550r2_chk

Examine NIAP website to verify there is a protection profile in place for the firewall being used on the network. http://www.niap-ccevs.org/in_evaluation/?tech_name=Firewall

Fix: F-7640r3_fix

If a protection profile is not found on the NIAP website indicating the product has not been evaluated and tested, then create a POA&M to purchase a firewall that has been evaluated and validated at one of the accredited NIAP locations. Implement the firewall and work with the CAO to ensure the CAO Remote Compliance Assessments can be performed.

b

When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the DMZ.

Medium - V-8066 - SV-8552r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0351

Vuln IDs

V-8066

Rule IDs

SV-8552r2_rule

The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the ability to screen content for all three destinations.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1

Checks: C-7447r2_chk

Review the network topology diagrams and visually inspect the firewall location to validate correct position on the network.

Fix: F-7641r2_fix

Move the firewall into the prescribed location to allow for enforcement of the Enclave Security Policy and allow for all traffic to be screened.

a

The firewall administrator must subscribe to the vendors vulnerability mailing list to be made aware of required upgrades and patches.

Low - V-8067 - SV-8553r2_rule

RMF Control

Severity

Low

CCI

Version

NET0384

Vuln IDs

V-8067

Rule IDs

SV-8553r2_rule

Not being on the vendors vulnerability list can lead to the firewall software not being updated when a new release or security patch is released by the vendor.Information Assurance OfficerECSC-1

Checks: C-7448r3_chk

Interview the firewall administrator and validate they have signed up for the vendor's vulnerability mailing list.

Fix: F-7642r3_fix

Have the firewall administrator subscribe to the vendor's vulnerability mailing list.

a

The IAO/NSO will ensure there is a review on a daily basis, of the firewall log data by the firewall administrator (FA), or other qualified personnel, to determine if attacks or inappropriate activity has occurred.

Low - V-8068 - SV-8554r1_rule

RMF Control

Severity

Low

CCI

Version

NET1280

Vuln IDs

V-8068

Rule IDs

SV-8554r1_rule

The firewall logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. Information Assurance OfficerECAT-1, ECAT-2, ECSC-1

Checks: C-7449r1_chk

Review site policy, then interview FW administrator and authorized personnel with FW access to determine compliance.

Fix: F-7643r1_fix

Insure that the NSO or FA reviews the firewall logs daily.

a

The organizations firewall configurations must be backed up weekly and whenever configuration changes occur.

Low - V-8070 - SV-8556r3_rule

RMF Control

Severity

Low

CCI

Version

NET1284

Vuln IDs

V-8070

Rule IDs

SV-8556r3_rule

Without a proper backup plan, a recovery of the device can take an extensive amount of time and resources to get the device back online. Information Assurance OfficerCODB-1, CODB-2, CODB-3, ECSC-1

Checks: C-7451r7_chk

Verify the organization's firewall configurations are backed up weekly and whenever configuration changes are made.

Fix: F-7645r7_fix

Back up the organization's firewall configurations weekly and whenever a configuration change is made.

a

The organization must back up audit logs weekly.

Low - V-8071 - SV-8557r2_rule

RMF Control

Severity

Low

CCI

Version

NET1286

Vuln IDs

V-8071

Rule IDs

SV-8557r2_rule

Audit logs can be used for forensic analysis in support of incident response and to aid with normal traffic analysis. A backup scheme to move audit logs offine for archiving is necessary in case of a potential outage where current logs are unavailable.Information Assurance OfficerECSC-1, ECTB-1

Checks: C-7452r3_chk

Review the organization's audit log backup scheme. Validate audit logs are backed up weekly.

Fix: F-7646r2_fix

Create a backup scheme to ensure audit logs are backed up weekly.

a

Data reviewed from the enclave IDS/IPS must be restricted to CNDSP and local authorized personnel only.

Low - V-8075 - SV-8561r2_rule

RMF Control

Severity

Low

CCI

Version

NET1328

Vuln IDs

V-8075

Rule IDs

SV-8561r2_rule

It is imperative traffic from the IDPS monitoring enclave traffic is only reviewed and monitored by trusted and authorized personnel with a need to know.Information Assurance OfficerDCCS-2, ECSC-1

Checks: C-7456r3_chk

Review the authorization letter(s) for authorized CNDSP and local personnel granted access to review data from the IDS/IPS.

Fix: F-7650r3_fix

Keep up to date authorization letters for only CNDSP and local admins authorized to review data from the IDS/IPS.

b

The IAO/NSO will establish policies outlining procedures to notify U.S. Cyber Command when suspicious activity is observed.

Medium - V-8076 - SV-8562r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1340

Vuln IDs

V-8076

Rule IDs

SV-8562r1_rule

A network intrusion system is a policy enforcement mechanism that the site must use to enforce the Enclave Security Policy. If a clear policy has not be established for reporting suspicious activity to the U.S. Cyber Command (USCYBERCOM), then the site, and possibly all of DoD, is at a greater risk for exposure.Information Assurance OfficerECSC-1, VIIR-1, VIIR-2

Checks: C-7457r1_chk

Have the IAO/NSO provide a copy of the policy outlining procedures to notify the U.S. Cyber Command (USCYBERCOM) of suspicious activity.

Fix: F-7651r1_fix

Develop an incident response policy and a procedure to carry out the policy.

b

The IAO/NSO will ensure that authorized reviewers of Network IDS data are identified in writing by the site’s IAM.

Medium - V-8077 - SV-8563r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1342

Vuln IDs

V-8077

Rule IDs

SV-8563r1_rule

To preserve the chain of custody for possible legal action, all reviewers of the NID data must be have an authorization letter from the site commander outlining the individuals need to know.Information Assurance OfficerECAN-1, ECSC-1

Checks: C-7458r1_chk

Have the IAO/NSO provide a copy of the letter identifying authorized reviewers.

Fix: F-7652r1_fix

Have the site commander sign a authorization letter for all individuals that are required to review the NID data. Ensure that only authorized personnel have access to the IDS data.

b

The organization must establish weekly data backup procedures for the network IDS/IPS data.The organization must establish weekly data backup procedures for the network IDS/IPS.

Medium - V-8078 - SV-8564r2_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-033

Vuln IDs

V-8078

Rule IDs

SV-8564r2_rule

IDS/IPS data needs to be backed up to ensure preservation in the case a loss of IDS/IPS data due to hardware failure or malicious activity.Information Assurance OfficerCODB-1, CODB-2, CODB-3, ECSC-1

Checks: C-7459r3_chk

Verify weekly backup procedures are in place for IDS/IPS data.

Fix: F-7653r2_fix

The organization must establish weekly backup procedures for the network IDS/IPS data.

a

The Network IDS administrator will subscribe to the vendor’s vulnerability mailing list. The Network IDS administrator will update the Network IDS when software is provided by Field Security Operations for the RealSecure distribution, and for all other Network IDS software distributions when a security-related update is provided by the vendor.

Low - V-8080 - SV-8566r1_rule

RMF Control

Severity

Low

CCI

Version

NET-IDPS-035

Vuln IDs

V-8080

Rule IDs

SV-8566r1_rule

Keeping the NID software updated with the latest engine and attack signatures will allow for the NID to detect all forms of known attacks. Not maintaining the NID properly could allow for attacks to go unnoticed.Information Assurance OfficerECSC-1

Checks: C-7461r1_chk

Have the SA display update notifications that have been received to determine compliance. Have the NID SA display the build number or patch level, then search the vendor’s vulnerability database for current release and patch level.

Fix: F-7655r1_fix

Have the NID administrator subscribe to the X-press notification or similar service offered by the vendor. Ensure the NID software is updated when software is available either by FSO or the vendor for security related distributions.

b

The organization must ensure all switches and associated cross-connect hardware are kept in a secure IDF or an enclosed cabinet that is kept locked.

Medium - V-8081 - SV-8567r2_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-001

Vuln IDs

V-8081

Rule IDs

SV-8567r2_rule

Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or an enclosed cabinet that is kept locked. This will also prevent an attacker from gaining privilege mode access to the switch. Several switch products only require a reboot of the switch in order to reset or recover the password.Information Assurance OfficerECSC-1

Checks: C-7462r5_chk

Inspect switches and associated cross-connect hardware are kept in a secured IDF. If the hardware is located in an open area, verify all hardware is located in a secured and locked cabinet. If switches and associated cross-connect hardware are not kept in secured IDFs or locked cabinet, this is a finding.

Fix: F-7656r4_fix

Place switches and associated cross-connect hardware in a secured IDF. If the hardware is located in an open area, ensure the hardware is located in a secured and locked cabinet.

a

The IAO/NSO will establish and maintain a standard operating procedure managing SNMP community strings and usernames to include the following: - Community string and username expiration period - SNMP community string and username distribution including determination of membership

Low - V-8092 - SV-8578r1_rule

RMF Control

Severity

Low

CCI

Version

NET1670

Vuln IDs

V-8092

Rule IDs

SV-8578r1_rule

Without a SOP to manage the SNMP community strings, the chance that these strings will be used to gain access to network managed devices is increased. If an attacker gains access to network devices, denial of service, interception of sensitive information, or other destructive actions could take place. Information Assurance OfficerECSC-1, IAIA-1, IAIA-2

Checks: C-7473r1_chk

Interview the IAO/NSO to ensure a documented SOP is in place for the management of SNMP community strings and usernames.

Fix: F-7667r1_fix

The NSO will ensure that procedures are included in the documented SOP for the network to manage SNMP community strings. At a minimum, these procedures will include SNMP string expiration, SNMP string compromise, and SNMP string creation.

b

The IAO/NSO will ensure that the management workstation is located in a secure environment.

Medium - V-8093 - SV-8579r2_rule

RMF Control

Severity

Medium

CCI

Version

NET1730

Vuln IDs

V-8093

Rule IDs

SV-8579r2_rule

Many attacks on DOD computer systems are launched from within the network by unsatisfied or disgruntled employees, therefore, it is imperative that the NMS be located in a secure area that allows access to authorized personnel only. If unauthorized users gain access to the NMS, they could change device configurations, cause network disruptions, or create denial of service conditions. Information Assurance OfficerECSC-1, PEPF-1, PEPF-2

Checks: C-7474r2_chk

Inspect the location of the network management workstations.

Fix: F-7668r2_fix

The NOC will ensure that the NMS is located in a secure environment.

b

The IAO/NSO will ensure that only those accounts necessary for the operation of the system and for access logging are maintained.

Medium - V-8094 - SV-8580r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1740

Vuln IDs

V-8094

Rule IDs

SV-8580r1_rule

Without proper account maintenance, unauthorized users could gain access to the NMS. If unauthorized users gain access to the NMS through an invalid account they could change device configurations or cause denial of service conditions. Information Assurance OfficerECSC-1, IAAC-1

Checks: C-7475r1_chk

Review the configuration of the NMS with the IAO/NSO to verify that proper account administration is being enforced. Review the accounts and the personnel using them to verify that they require access.

Fix: F-7669r1_fix

The NSO will ensure that procedures are in place to enforce proper account administration. The NSO will ensure that any account that is no longer needed will be disabled or removed from the system.

a

DHCP audit and event logs must log hostnames and MAC addresses to be stored online for thirty days and offline for one year.

Low - V-8099 - SV-8585r2_rule

RMF Control

Severity

Low

CCI

Version

NET0198

Vuln IDs

V-8099

Rule IDs

SV-8585r2_rule

In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server.Information Assurance OfficerDCBP-1, ECAR-1, ECAR-2, ECAR-3, ECSC-1

Checks: C-7480r2_chk

Verify the DHCP audit and event logs include hostnames and MAC addresses of all clients. Also, validate logs are kept online for thirty days and offline for one year.

Fix: F-7674r3_fix

Configure the DHCP audit and event logs to log hostname and MAC addresses. Store the logs for a minimum of thirty days online and then offline for one year.

a

DHCP servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of thirty days.

Low - V-8100 - SV-8586r2_rule

RMF Control

Severity

Low

CCI

Version

NET0199

Vuln IDs

V-8100

Rule IDs

SV-8586r2_rule

In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days.Information Assurance OfficerECSC-1

Checks: C-7481r2_chk

Validate the lease duration is set to a minimum of thirty days for DHCP servers used on the SIPRNet.

Fix: F-7675r2_fix

Configure any DHCP server used on the SIPRNet with a minimum lease duration of thirty days.

b

An IDPS must be installed, operational and actively monitored in a physical location that monitors all unencrypted traffic entering and leaving the enclave.

Medium - V-8272 - SV-8758r2_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-021

Vuln IDs

V-8272

Rule IDs

SV-8758r2_rule

Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8, “DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and platform IT interconnections) shall be monitored to detect and react to incidents, intrusions, disruption of services, or other unauthorized activities (including insider threat) that threaten the security of DOD operations or IT resources, including internal misuse.” An Intrusion Prevention System (IPS) allows the sensor to monitor, alert, and actively attempt to drop/block malicious traffic. An Intrusion Detection System (IDS) uses a passive method; receiving a copy of the packets to analyze and alert authorized persons about any malicious activity. While an IDS or an IPS in a passive role cannot stop the attack itself, it can typically notify and dynamically assign ACLs or other rules to a firewall or router for filtering. The preferred method of installation is to have the IDPS configured for inline mode. Only when there is a valid technical reason, should the IDPS be placed into a passive or IDS mode. For a full uninhibited view of the traffic, the IDPS must sit behind the enclave’s firewall. This will allow the IDPS to monitor all traffic unencrypted, entering or leaving the enclave.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1

Checks: C-3692r4_chk

Review the network topology to ensure the enclave has the IDPS up to date in the diagram. Also verify the equipment is operational by looking to see if it’s plugged in and the sensor is current with up to date patches and signatures. Review any type of report that was recently produced from information provided by the sensor showing any recent alerts, an escalation activity and any type of log or configuration changes. This will show the sensor is being actively monitored and alerts are being acted upon. If the enclave’s CNDSP requires continuous monitoring of the IDPS, the CNDSPs management team (e.g. sensor grid management team at DISA) will verify the operational status by providing information about the enclave’s IDPS such as a network diagram, MOA, current alert information, or other information to validate its operational status.

Fix: F-7899r5_fix

Install an IDPS inline or passively, behind the enclave firewall to monitor all unencrypted traffic, inbound and outbound.

b

The IAO/NSO will ensure that any unauthorized traffic is logged for further investigation.

Medium - V-8273 - SV-8759r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1344

Vuln IDs

V-8273

Rule IDs

SV-8759r1_rule

Audit logs are necessary to provide a trail of evidence in case the network is compromised. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker. Information supplied by an IDS can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis.Information Assurance OfficerECAT-1, ECAT-2, ECSC-1

Checks: C-3695r1_chk

Have the IAO/NSO display the logging and auditing features of the NID.

Fix: F-4534r1_fix

Configure the IDS to log all unauthorized or suspicious traffic.

a

The IAM will ensure that the site retains administrative oversight and control privileges on the IPSEC/VPN device within their security enclave if access is granted to the local network.

Low - V-8274 - SV-8760r1_rule

RMF Control

Severity

Low

CCI

Version

NET-TUNL-027

Vuln IDs

V-8274

Rule IDs

SV-8760r1_rule

Without administrative oversight and control privileges on the VPN device, the site would have no way of verifying the security controls placed on the device.Information Assurance OfficerECSC-1

Checks: C-7570r1_chk

Interview the IAM to determine compliancy.

Fix: F-7900r1_fix

When an agreement to establish a VPN with an outside security enclave/domain, retain administrative oversight and control privileges in the IPSEC/VPN device that is within your security enclave.

c

All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information.

High - V-8283 - SV-8778r6_rule

RMF Control

Severity

High

CCI

Version

WIR0005

Vuln IDs

V-8283

Rule IDs

SV-8778r6_rule

Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.Information Assurance OfficerDesignated Approving AuthorityInformation Assurance ManagerECWN-1

Checks: C-3890r6_chk

Detailed Policy Requirements: For CMDs deployed under an Interim Security Configuration Guide (ISCG) or the DoD CIO’s 6 April 2011 memorandum, Use of Commercial Mobile Devices (CMD) in the Department of Defense (DoD), the approval authority is the Component CIO. The site must have an Interim Authority To Test (IATT) issued by the Component CIO. For all other wireless devices and systems the Designated Approval Authority (DAA) must approve the wireless device or system. Detailed Check Procedures: Work with the site POC to verify documentation. Performed with WIR0016 (equipment list). For CMD systems without a STIG, verify the site has an approved IATT. Mark as a finding if a valid IATT is not available or is not signed by the Component CIO. For all other wireless devices or systems, complete the following: 1. Request copies of written DAA approval documentation. Any of the following documents meets this requirement as proof of compliance: - The DIACAP IA Implementation Plan must show the wireless system as part of the network diagram or list the system/equipment as being part of the network. - DAA approval letter or other document. The document must list the system or equipment and date its use is approved. The DAA approval letter or SSP may be a general statement of approval rather than list each device. 2. Verify DAA approval for type of device used, such as wireless connection services, peripherals, and applications. Mark as a finding for any of the following reasons: - Wireless systems, devices, services, or accessories are in use but DAA approval letter(s) do not exist. - If, in the judgment of the reviewer, configuration differs significantly from that approved by the DAA approval letter. Note: The DAA approval for the wireless system does not need to be documented separately from other DAA approval documents for the site network, as long as the approval documents list the wireless system. For example, if a site network ATO lists the wireless system, the ATO meets the requirements of this check. For Secure Mobile Environment Portable Electronic Device (SME PED), the following applies: - An ATO or an IATO has been signed by the DAA prior to the connection of the unclassified Sensa server to the NIPRNet. - Classified Connection Approval Office (CCAO) approval has been obtained prior to the connection of the classified Sensa server to the SIPRNet. Note: The intent of this check is to ensure the DAA has approved the use of the wireless system being reviewed at the site. This approval can be documented in several ways. The most common is the SSP for the site includes the wireless system and the DAA has signed the SSP. If the command uses an enterprise wide SSP including the wireless system being reviewed and the SSP applies to site being reviewed, then the requirement has been met.

Fix: F-19194r3_fix

Obtain DAA approval (documented by memo or SSP) prior to wireless systems being installed and used. For CMD systems without a STIG, obtain an IATT prior to wireless systems being installed and used.

a

The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information.

Low - V-8284 - SV-8779r6_rule

RMF Control

Severity

Low

CCI

Version

WIR0015

Vuln IDs

V-8284

Rule IDs

SV-8779r6_rule

The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data since these devices can be easily lost or stolen leading to possible exposure of DoD data.System AdministratorInformation Assurance OfficerDCHW-1

Checks: C-7600r4_chk

Detailed Policy Requirements: This check applies to any wireless end user device (smartphone, tablet, Wi-Fi network interface card, etc.) and wireless network devices (access point, authentication server, etc.). The list of approved wireless devices will be stored in a secure location and will include the following at a minimum: - Access point Media Access Control (MAC) address (WLAN only), - Access point IP address (WLAN only), - Wireless client MAC address, - Network DHCP range (WLAN & WWAN only), - Type of encryption enabled, - Access point SSID (WLAN only), - Manufacturer, model number, and serial number of wireless equipment, - Equipment location, and - Assigned users with telephone numbers. For CMDs: - Manufacturer, model number, and serial number of wireless equipment. - Equipment location or who the device was issued to. - Assigned users with telephone numbers and email addresses. For SME PED: Local commands will keep track of devices by assigning a control number or using the serial number for accountability purposes. Check Procedures: Work with the site POC: 1. Request copies of site’s wireless equipment list. -Detailed SSAA/SSP or database may be used. 2. Verify all minimum data elements listed above are included in the equipment list. 3. Verify all wireless devices used at the site, including infrared mice/keyboards, are included. 4. Verify procedures are in place for ensuring the list is kept updated. 5. Note the date of last update and if the list has many inaccuracies. Mark as a finding if the equipment list does not exist, all data elements are not tracked, or the list is outdated. This check applies to: - Wireless networking devices, such as access points, bridges, and switches. - WLAN client devices, such as laptop computers and PDAs if used with WLAN NICs. - Wireless peripherals, such as Bluetooth, and Infrared mice and keyboards, communications devices, such as VoIP, cellular/satellite telephones, and Broadband NICs, and non-wireless CMDs that store, process, or transmit DoD information.

Fix: F-3728r2_fix

Maintain a list of all DAA-approved WLAN devices. The list must be updated periodically and will contain the data elements required by the STIG policy.

a

Wireless devices connecting directly or indirectly to the network must be included in the site security plan.

Low - V-8297 - SV-8792r5_rule

RMF Control

Severity

Low

CCI

Version

WIR0020

Vuln IDs

V-8297

Rule IDs

SV-8792r5_rule

The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.Information Assurance OfficerDesignated Approving AuthorityEBCR-1

Checks: C-7611r4_chk

Review the site security plan. 1. Wireless network devices, such as access points, laptops, CMDs, and wireless peripherals (keyboards, pointers, etc.) using a wireless network protocol, such as Bluetooth, 802.11, or proprietary protocols must be documented in the site security plan. 2. A general statement in the site security plan permitting the various types of wireless network devices used by the site is acceptable rather than a by-model listing, for example, “wireless devices of various models are permitted as long as they are configured in accordance with the Wireless STIG”. Mark as a finding if a DAA-approved site security plan does not exist or if it has not been updated.

Fix: F-3425r2_fix

Ensure devices connecting directly or indirectly (data synchronization) to the network are added to the site's site security plan. (For example, it may say wireless devices of various models are permitted but only when configured in accordance with the Wireless STIG or other such specified restriction.)

c

A deny by default security posture must be implemented for traffic entering and leaving the enclave.

High - V-11796 - SV-12294r3_rule

RMF Control

Severity

High

CCI

Version

NET0369

Vuln IDs

V-11796

Rule IDs

SV-12294r3_rule

To prevent malicious or accidental leakage of traffic, organizations must implement a deny by default security posture. Perimeter routers, boundary controllers, or firewalls must deny all incoming and outgoing traffic not expressly permitted. Such rulesets prevent many malicious exploits or accidental leakage by regulating the ports, protocols, or services necessary to the enclave. Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1

Checks: C-7782r7_chk

Determine if a deny by default security posture has been implemented for both inbound and outbound traffic on the perimeter router or firewall.

Fix: F-11043r5_fix

Implement a deny by default security posture on either the enclave perimeter router or firewall.

c

Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO).

High - V-12072 - SV-12625r5_rule

RMF Control

Severity

High

CCI

Version

WIR0035

Vuln IDs

V-12072

Rule IDs

SV-12625r5_rule

Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.Information Assurance OfficerInformation Assurance ManagerOtherECSC-1, ECWN-1

Checks: C-8089r4_chk

For SME PED: This requirement is not applicable. Work with the traditional reviewer or interview the IAO or SM. Determine if the site SCIF CSA has approved wireless CMDs in the site SCIFs. Determine if the DAA and site SSO have approved wireless CMDs in site SCIFs. Ask for approval documentation, if approval has been granted. All three entities must grant approval (SCIF CSA, DAA, and SSO). If wireless CMDs in site SCIFs have not been approved, determine if procedures are in place to prevent users from bringing CMDs into SCIFs and if users are trained on this requirement. Posted signs are considered evidence of compliance. If wireless devices have been approved for use in SCIFs: - Determine if site has written procedures that describe what type of CMDs and under what type of conditions (i.e., turned off, SCIF mode enabled, etc.) approval is granted. - Users must receive proper training on the handling of wireless devices in SCIFs. Mark this as a finding if: - Wireless devices are allowed in site SCIFs without required approvals. - Required procedures are not in place. - Required user training has not been documented.

Fix: F-11360r1_fix

Ensure users are trained on the need to comply with this requirement and/or site procedures document the policy. Alternately, this requirement can be included in the site User Agreement.

b

The IAM will ensure REL LAN environments are documented in the SSAA.

Medium - V-12101 - SV-12654r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1815

Vuln IDs

V-12101

Rule IDs

SV-12654r1_rule

The IAM will ensure REL LAN environments are documented in the SSAA.Information Assurance OfficerECSC-1

Checks: C-8118r1_chk

GRE tunnels found on a premise or edge SIPRNet router that have an endpoint within the REL IP address space must be documented in the SSAA.

Fix: F-11390r1_fix

Have the IAM document GRE tunnels defined on a premise or edge SIPRNet router that have an endpoint within the REL IP address space.

b

The IAM will ensure annual reviews are performed on REL LAN environments.

Medium - V-12102 - SV-12655r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1816

Vuln IDs

V-12102

Rule IDs

SV-12655r1_rule

If a REL LAN environment is present the IAM will ensure REL LAN reviews are performed annually.Information Assurance OfficerECSC-1

Checks: C-8119r1_chk

Have the IAM disclose documentaion that an annual REL LAN review has been performed annually.

Fix: F-11391r1_fix

The IAM will document REL LAN reviews being performed annually.

b

Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed.

Medium - V-12106 - SV-12659r4_rule

RMF Control

Severity

Medium

CCI

Version

WIR0040

Vuln IDs

V-12106

Rule IDs

SV-12659r4_rule

The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.System AdministratorInformation Assurance OfficerECWN-1

Checks: C-8122r4_chk

Detailed Policy Requirements: Note: This requirement does not apply to the SME PED. Note: This requirement does not apply to the SWLAN SecNet 11/54 equipment or other NSA approved classified WLAN systems. The IAO will ensure wireless devices are not operated in areas where classified information is electronically stored, processed, or transmitted unless: - Approved by the DAA in consultation with the Certified TEMPEST Technical Authority (CTTA). - The wireless equipment is separated from the classified data equipment at the minimum distance determined by the CTTA and appropriate countermeasures, as determined by the CTTA, are implemented. Check Procedures: Review documentation. Work with the traditional security reviewer to verify the following: 1. If classified information is not processed at this site, mark as not a finding. 2. If the site has a written procedure prohibiting the use of wireless devices in areas where classified data processing occurs, mark as not a finding. Ask for documentation showing the CTTA was consulted about operation and placement of wireless devices. Acceptable proof would be the signature or initials of the CTTA on the architecture diagram or other evidence of coordination. IAW DoD policy, the CTTA must have a written separation policy for each classified area. 3. Review written policies, training material, or user agreements to see if wireless usage in these areas is addressed. 4. Verify proper procedures for wireless device use in classified areas is addressed in training program. Mark as a finding if any of the following are found: - CTTA has not designated a separation distance in writing. - DAA has not coordinated with the CTTA. - Users are not trained or made aware (using signage or user agreement) of procedures for wireless device usage in and around classified processing areas.

Fix: F-3423r1_fix

- CTTA must designate a separation distance in writing. - DAA must coordinate with the CTTA. - Train users or get a signed user agreement on procedures for wireless device usage in and around classified processing areas.

a

All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content.

Low - V-13982 - SV-14593r5_rule

RMF Control

Severity

Low

CCI

Version

WIR0030

Vuln IDs

V-13982

Rule IDs

SV-14593r5_rule

Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. Information Assurance OfficerInformation Assurance ManagerECWN-1, PRTN-1

Checks: C-11415r3_chk

Additional Policy Requirements: The user agreements must include DAA authorized tasks for the mobile device and relevant security requirements, including, but not limited to, the following: 1. DoD CIO Memorandum, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement,” 9 May 2008 directs the following content will be included in a site User Agreement: STANDARD MANDATORY NOTICE AND CONSENT PROVISION FOR ALL DOD INFORMATION SYSTEM USER AGREEMENTS By signing this document, you acknowledge and consent that when you access Department of Defense (DoD) information systems: - You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only. - You consent to the following conditions: o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personal misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. o At any time, the U.S. Government may inspect and seize data stored on this information system. o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose. o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests--not for your personal benefit or privacy. o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below: - Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality. - The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personal misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies. - Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality. - Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy. - A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality. - These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected. o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching, (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information. o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement. 2. For SME PED, see the SME PED User Agreement template included with the SME PED STIG for specific requirements. 3. DoD sites are required to add the following to all site User Agreements: - The agreement should contain the type of access required by the user (privileged, end-user, etc.). - The agreement should contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the wireless remote access device. - Incident handling and reporting procedures will be identified along with a designated point of contact. - The remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act. - The policy should contain general security requirements and practices, which are acknowledged and signed by the remote user. - If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy in regard to facility clearances, protection, storage, distributing, etc. - Government owned hardware and software is used for official duties only. The employee is the only individual authorized to use this equipment. - User agrees to complete required wireless device training annually. 4. For approved smartphone and tablet devices add to all User Agreements: - Only approved Bluetooth headsets/handsfree devices will be used. Check Procedures: 1. Inspect a copy of the site’s user agreement. 2. Verify the user agreement has the minimum elements described in the STIG policy. 3. Select 10 names of assigned site personnel and verify they have a signed user agreement on file for assigned wireless equipment (e.g., wireless laptop, smartphone, tablet, etc.). Mark as a finding if site user agreements do not exist or are not compliant with the minimum requirements. For SME PED: - Verify the Terminal Administrator (TA) has users reaffirm their User Agreement at least once every 12 months. Review the dates that site User Agreements were signed.

Fix: F-23396r1_fix

Implement User Agreement with required content. Have all users sign a User Agreement.

a

WLAN equipment obtained through acquisition programs must be JITC interoperability certified.

Low - V-14004 - SV-14615r3_rule

RMF Control

Severity

Low

CCI

Version

WIR0130

Vuln IDs

V-14004

Rule IDs

SV-14615r3_rule

Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without JITC certification will fail to interoperate. WLAN equipment is also required to be WPA2 certified (verified in another check procedure), which also provides significant interoperability assurance. The Wi-Fi Alliance WPA2 certification is not granted unless the product also has a radio subsystem compliant with the IEEE 802.11a, b, g, or n specifications. Products are tested with many other products to ensure interoperability. Information Assurance OfficerECWN-1

Checks: C-11469r1_chk

Detailed policy Requirements: All systems obtained through an acquisition program must be JTIC certified before they are fielded. Fielded systems must be recertified every four years or after any changes that may affect interoperability. Check Procedures: - Verify the WLAN system has been certified by the JITC as meeting end-to-end interoperability. - Mark as a finding if the WLAN was implemented as part of an acquisition program and does not have JITC certification.

Fix: F-13491r1_fix

Acquire JITC-certified WLAN equipment.

b

If the site has a non-DoD external connection (Approved Gateway), an external IPS/IDS must be located between the sites Approved Gateway (Service Delivery Router) and the premise router.

Medium - V-14634 - SV-15259r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0168

Vuln IDs

V-14634

Rule IDs

SV-15259r2_rule

The incorrect placement of the external IPS/IDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In order to ensure that an attempted or existing attack goes unnoticed, the data from the sensors must be monitored continuously.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3

Checks: C-12650r2_chk

Inspect the network topology and physical connectivity to verify compliance.

Fix: F-14096r2_fix

Install and configure an external IPS/IDS between the site’s Approved Gateway (Service Delivery Router) and the premise router.

b

All hosted NIPRNet-only applications must be located in a local enclave DMZ.

Medium - V-14638 - SV-15263r3_rule

RMF Control

Severity

Medium

CCI

Version

NET0346

Vuln IDs

V-14638

Rule IDs

SV-15263r3_rule

Without the protection of Demilitarized Zone (DMZ) architecture, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1

Checks: C-13708r9_chk

Review the architecture/network topology diagram and other resources available then verify all NIPRNet-only applications are located in a local enclave DMZ.

Fix: F-14743r6_fix

Implement and move NIPRNet-only applications to a local enclave DMZ.

a

Accreditation documentation must be maintained and up to date to reflect the installation or modification of the organizations firewall.

Low - V-14639 - SV-15264r3_rule

RMF Control

Severity

Low

CCI

Version

NET0347

Vuln IDs

V-14639

Rule IDs

SV-15264r3_rule

A firewall is the first policy enforcement mechanism that the organization uses to enforce the Enclave Security Policy. If the configuration cannot be maintained, the security for the organization is suspect and may allow for exploits to be utilized, gaining access to network resources. Procedures outlined in the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Instruction (DoDI 8510.01p), lay out the process for the enclave security architecture as they are applied to specific requirements. Each SSP will include a description of the architectural implementation of the security requirements identified in the appropriate security guidance.Information Assurance OfficerDCPR-1

Checks: C-12654r5_chk

Review the organization's accreditation documentation to validate that it is maintained and current with the latest firewall policy.

Fix: F-14101r5_fix

Create or update organizational accreditation documentation to include the most current firewall policy.

b

All Internet facing applications must be logically implemented in a DoD DMZ Extension.

Medium - V-14640 - SV-15265r3_rule

RMF Control

Severity

Medium

CCI

Version

NET0348

Vuln IDs

V-14640

Rule IDs

SV-15265r3_rule

Without the protection of Demilitarized Zone (DMZ) architecture, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.Information Assurance OfficerEBPW-1, ECSC-1

Checks: C-13707r4_chk

Review the architecture diagram and other resources available then verify all Internet facing applications are logically located in a DoD DMZ Extension.

Fix: F-14742r4_fix

Implement and move internet facing applications logically to a DoD DMZ Extension.

b

When protecting the boundaries of a network, the firewall and IDS/IPS must use separate components or the physical integrated device has separate hardware components (i.e., CPU, memory, etc) for the firewall and IDS/IPS.

Medium - V-14641 - SV-15267r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0355

Vuln IDs

V-14641

Rule IDs

SV-15267r2_rule

An integrated solution implemented within DoD should not waive from defense in depth practices. Many solutions available have leveraged processors and memory. Once this technology is compromised all security layers of defense are subject to DOS in a single attack. Integrated solutions within DoD require the firewall and the IDS/IPS solution to be on separate devices or CPUs that do not shared the same memory.Information Assurance OfficerEBPW-1, ECSC-1

Checks: C-3912r2_chk

Review the architecture and validate the firewall and IDS/IPS are separate components. If the solution is integrated, the IDS/IPS must have a separate CPU and do not shared the same memory.

Fix: F-3170r3_fix

Implement a design solution where both the firewall and IDS/IPS have their own CPU and memory source.

c

The organization must implement a deep packet inspection solution when protecting perimeter boundaries.

High - V-14642 - SV-15268r5_rule

RMF Control

Severity

High

CCI

Version

NET0365

Vuln IDs

V-14642

Rule IDs

SV-15268r5_rule

Deep packet inspection is an inspection engine that analyzes data at the application layer, typically layers 5 through 7 of the OSI model. Examples of deep packet inspection and application-level filtering include checking the type of attachments included in emails, such as executable or other files that could cause harm to the intended recipient; and blocking a particular website based on the type of content used, such a Java or ActiveX. Deep packet inspection is available on many types of network devices to provide protection for email, database, and web traffic.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1

Checks: C-12658r7_chk

Determine which type of solution is used for deep packet inspection at the enclave boundary. Verify the solution is connected, configured, and running. Some acceptable solutions for meeting this requirement are a packet filter/stateful packet inspection firewall with any combination of application firewalls or dedicated application-proxy gateways, an application firewall, or an application-proxy gateway. If the organization does not have any implementation of deep packet inspection protecting their perimeter boundaries, this is a finding.

Fix: F-14102r8_fix

Implement a deep packet inspection solution at the enclave boundaries. Verify any devices used for deep packet inspection are connected, properly configured, and actively inspecting network traffic.

b

The IAO will properly register all network components in an asset management tracking system such as VMS.

Medium - V-14715 - SV-15441r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1621

Vuln IDs

V-14715

Rule IDs

SV-15441r1_rule

Vulnerability Management is the process of ensuring all network assets that are affected by an IAVM notice are addressed and corrected within a time period specified in the IAVM notice. VMS will notify Commands, Services, and Agencies of new and potential security vulnerabilities. VMS meets the DoD mandate to ensure information system vulnerability alert notifications are received and acted on by all system administrators. Keeping the inventory of assets current allows for tracking of network inventory and resources. Asset management supports a successful IAVM process. The ability to track assets improves the effective use of network assets, information assurance auditing efforts, as well as optimizing incident response times.Information Assurance OfficerVIVM-1

Checks: C-12906r1_chk

Procedure: Ensure that all IA management review items are tracked and reported.

Fix: F-14182r1_fix

Register all network assets in an asset management tracking system such as VMS.

b

The IAO/NSO will ensure an OOB management network is in place for MAC I systems or 24x7 personnel have immediate console access (direct connection method) for communication device management.

Medium - V-14716 - SV-15442r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1622

Vuln IDs

V-14716

Rule IDs

SV-15442r1_rule

From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band network. The biggest advantage to implementation of an OOB network is providing support and maintenance to the network that has become degraded or compromised. During an outage or degradation period the inband management link may not be available. The consequences of loss of availability of a MAC I system is unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures. Maintenance support for key IT assets must be available to respond 24 X 7 immediately upon failure.Information Assurance OfficerECSC-1

Checks: C-12907r1_chk

View each aux port and ensure the auxiliary port is disabled or if enabled determine if a secure modem is implemented to support the DCN network. Review the console port configuration and determine if an OOB network has been defined at this interface using a Terminal Server (illustrated in the STIG). If neither a DCN or Terminal Server OOB network has been built, verify the administration staff is 24x7 and personel have immediate access to the console port locally via an administrative laptop.

Fix: F-14183r1_fix

The network administrator will manage devices through out-of-band or direct connection. If the direct connection method is impractical, the DCN method is the next best alternative.

b

The IAO/NSO will ensure request forms are used to aid in recording the audit trail.

Medium - V-14718 - SV-15462r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1111

Vuln IDs

V-14718

Rule IDs

SV-15462r1_rule

Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes in the network will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.Information Assurance OfficerDCCB-1, DCCB-2, ECSC-1

Checks: C-12927r1_chk

Have the IAO/NSO provide copies of change request forms for visual inspection.

Fix: F-14185r1_fix

Implement a Change Management policy that ensures review of scheduled and documented changes. Record configuration changes and review periodically. Develop and use a form or tracking mechanism to aid in the audit trail of any router changes requested of the NSO.

b

The IAO/NSO will ensure current paper or electronic copies of configurations are maintained in a secure location.

Medium - V-14719 - SV-15463r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1113

Vuln IDs

V-14719

Rule IDs

SV-15463r1_rule

Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes in the network will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.Information Assurance OfficerDCCB-1, DCCB-2, ECSC-1

Checks: C-12928r1_chk

Have the IAO/NSO identify the secured storage area where Change Mgt documents are stored.

Fix: F-14186r1_fix

Implement a Change Management policy that ensures review of scheduled and documented changes. Record configuration changes and review periodically. Develop and use a form or tracking mechanism to aid in the audit trail of any router changes requested of the NSO.

b

To ensure the proper authorized network administrator is the only one who can access the device, the IAO/NSO will ensure device management is restricted by two-factor authentication (e.g., SecurID, DoD PKI, or alternate token logon).

Medium - V-14723 - SV-15473r1_rule

RMF Control

Severity

Medium

CCI

Version

NET0445

Vuln IDs

V-14723

Rule IDs

SV-15473r1_rule

Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices compromised, large parts of the network could be incapacitated with only a few commands.Information Assurance OfficerECSC-1

Checks: C-12939r1_chk

First review the device configuration to ensure that an authentication server is being used. Then verify that a 2-factor authentication method has been implemented. In most cases a two-factor implementation is called by a Radius or TACACS Server.

Fix: F-14190r1_fix

The network administrator will ensure strong two-factor authentication is being incorporated in the access scheme.

a

The IAO will ensure a HIDS is implemented on the syslog servers.

Low - V-14726 - SV-15482r1_rule

RMF Control

Severity

Low

CCI

Version

NET1281

Vuln IDs

V-14726

Rule IDs

SV-15482r1_rule

A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of messages facilitate troubleshooting functions when problems are encountered and can assist in performing root cause analysis. A malicious user or intruder could attempt to cover his tracks by polluting the syslog data or even force the server to crash. Disabling the syslog server would eliminate visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP; thereby, making it relatively easy to spoof a managed device. A host intrusion detection system (HIDS) should also be implemented on the syslog server to provide access control for the syslog data as well as provide the necessary protection against unauthorized user and service access. Information Assurance OfficerECSC-1

Checks: C-12949r1_chk

Interview the IAO and syslog administrator to determine if the server is compliant. Have the administrator provide a demonstration of the HIDS capability to ensure that it is configured and in operation.

Fix: F-14193r1_fix

Ensure an HIDS is implemented on the syslog server to provide access control for the syslog data as well as provide the necessary protection against unauthorized user and service access.

a

The IAO/NSO will ensure the audit logs are protected from deletion.

Low - V-14727 - SV-15483r1_rule

RMF Control

Severity

Low

CCI

Version

NET1287

Vuln IDs

V-14727

Rule IDs

SV-15483r1_rule

The firewall logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. It can take numerous days to recover from a firewall outage when a proper backup scheme is not used.Information Assurance OfficerECSC-1, ECTB-1

Checks: C-12950r1_chk

Review site deletion rights of the audit log file.

Fix: F-14194r1_fix

Correct access privileges to protect the file.

b

The IAO will ensure IDPS components that have been evaluated and validated against NIAP existing profiles are placed in the network infrastructure.

Medium - V-14732 - SV-15488r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-022

Vuln IDs

V-14732

Rule IDs

SV-15488r1_rule

The only assurance that the intrusion detection/protection system meets or exceeds the minimum security requirements is the evaluation and validation by an accredited licensed/approved evaluation facility.Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1

Checks: C-12953r1_chk

Product must have been evaluated and validated in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme. Ensure the product is on the list and has been evaluated and accredited at a NIAP licensed/approved evaluation facility.

Fix: F-14197r1_fix

Review the NIAP website for a IDPS that meets the security policies planned for the enclave. Create a POA&M to purchase a IDPS technology that has been evaluated and validated at one of the accredited NIAP locations. Implement the IDPS.

b

The IAO/NSO will ensure if Sticky MAC Port Security is implemented, the running and startup configuration files are identical.

Medium - V-14734 - SV-15490r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1432

Vuln IDs

V-14734

Rule IDs

SV-15490r1_rule

Port security with sticky MAC enables the switch to be set to one or more MAC addresses dynamically by learning the MAC address. As with static MAC port security, the number of MAC addresses that it will learn is limited to the maximum number allowed as determined by the default, which is one, or configured threshold. However, the MAC addresses learned are not pervasive across a switch reboot or reload. Hence, the running configuration must be copied to non-volatile storage (i.e., NVRAM).Information Assurance OfficerECSC-1

Checks: C-12956r1_chk

Verify that the running configurations are that same as the startup configuration for any switches configured with Sticky MAC Port Security. The following is an example of a Cisco Catalyst switch with Sticky MAC configured and has learned a MAC address. interface FastEthernet0/21 switchport mode access switchport port-security switchport port-security maximum 1 switchport port-security mac-address sticky switchport port-security mac-address sticky xxxx.xxxx.xxxx switchport port-security violation shutdown

Fix: F-14200r1_fix

Ensure that the running configurations are that same as the startup configuration for any switches configured with Sticky MAC Port Security. The following is an example of a Cisco Catalyst switch with Sticky MAC configured and has learned a MAC address. interface FastEthernet0/21 switchport mode access switchport port-security switchport port-security maximum 1 switchport port-security mac-address sticky switchport port-security mac-address sticky xxxx.xxxx.xxxx switchport port-security violation shutdown

b

The IAO will ensure that if Sticky MAC Port Security is implemented, a policy is in place that prohibits connection to the switchport unless it has been approved.

Medium - V-14735 - SV-15491r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1433

Vuln IDs

V-14735

Rule IDs

SV-15491r1_rule

Port security with sticky MAC enables the switch to be set to one or more MAC addresses dynamically by learning the MAC address. As with static MAC port security, the number of MAC addresses that it will learn is limited to the maximum number allowed as determined by the default, which is one, or configured threshold. A connection approval process for a Sticky MAC Port Security implementation ensures ports remain disabled until the connection by a host to the swithcport is approved. Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1

Checks: C-12957r1_chk

Review the procedures in place and ensure a written process is in place.

Fix: F-14201r1_fix

Establish Sticky connection procedures with the Change Control Process currently in place.

b

The IAO/NSO will ensure VMPS must not be used to provide port authentication or dynamic VLAN assignment.

Medium - V-14736 - SV-15492r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1440

Vuln IDs

V-14736

Rule IDs

SV-15492r1_rule

VMPS allows a switch to dynamically assign VLANs to users based on the workstation’s MAC address or the user’s identity when used with the User Registration Tool. A switch is configured and designated as the VMPS server while the remainder of the switches on the segment acts as VMPS clients. The VMPS server opens a UDP socket to communicate and listen to client requests using VMPS Query Protocol (VQP). When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping. If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port, the host receives an “access denied” response when VMPS is not configured in secure mode or the port is shut down if in secure mode. VQP is a UDP-based protocol that does not support any form of authentication and the data is transmitted in clear text. This makes its use in security-sensitive environments inadvisable. An attacker who is able to spoof VQP could prevent network logins with a DoS attack to the VMPS server or even join an unauthorized VLAN. Furthermore, a VMPS database configuration file is nothing more than an ASCII text file that is stored on a TFTP server and downloaded to the VMPS server at startup or when VMPS server is first enabled on the switch. As noted in previous sections, a network component should not use TFTP to upload or download configuration files. For these reasons, VMPS must not be used to provide port authentication or dynamic VLAN assignment. Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1

Checks: C-12958r1_chk

Interview the Switch Administrator and verify VMPS statements are not found in the switch configuration.

Fix: F-14202r1_fix

Use an approved port security implementation.

c

Encapsulated traffic received from another enclave or enterprise must not bypass the perimeter defense, which includes firewall and IDS/IPS devices, without being terminated and inspected before entering the enclaves private network.

High - V-14737 - SV-15493r4_rule

RMF Control

Severity

High

CCI

Version

NET-TUNL-026

Vuln IDs

V-14737

Rule IDs

SV-15493r4_rule

Allowing encapsulated traffic from other enclaves or enterprises to bypass the enclave's perimeter without being properly filtered and inspected leaves the enclave vulnerable to malicious traffic passed by the source network. Administrators must be aware of all tunnel (decapsulation) end-points so filtering and inspection of the inner layer is assured. Routers and firewalls are recommended as tunnel end-point nodes since they typically have better configuration options and also have better capabilities to filter the inner IP layer. Termination in the enclave's DMZ or other service network are also ideal locations for filtering and content inspection before passing into the private network.Information Assurance OfficerECSC-1

Checks: C-12959r5_chk

Review network device configurations and topology diagrams to validate encapsulated traffic received from other enclaves or enterprises terminate at the perimeter devices for filtering and content inspection. If the tunnel is terminated on a Gateway VPN, validate the traffic is inspected by a firewall before gaining access to production data. If the tunnel is being provided by the perimeter router with a direct connection to the tenant's perimeter router, then the perimeter router (of the enclave providing the transient service) must be configured (examples: policy based routing or VRF bound to this interface with only a default route pointing out) to insure all traffic received by this connecting interface is forwarded directly to the NIPR/SIPR interface regardless of destination. If this isn't being done then the connecting interface will have to be treated as an external interface with all the applicable checks. If the tunnel is being provisioned via an aggregation router at the NIPR/SIPR POP that connects downstream to the perimeter routers, then there would be no concern. Secured connections such as SSL or TLS which are used for remote access, secure web access, etc are also applicable to this rule. These types of connections like the other types above must terminate at the enclave perimeter, enclave DMZ, or an enclave service network for filtering and content inspection before passing into the enclave's private network. If the tunnels do not meet any of the criteria above and bypass the enclave's perimeter without filtering and inspection, it will be a finding. Note: This vulnerability is not applicable for any VPN connectivity between multiple sites of the same enclave, nor is it applicable for VPN remote access to the enclave. For theses deployments, the implementation must be compliant with all requirements specified within IPSec VPN STIG.

Fix: F-14203r3_fix

Move tunnel decapsulation to a secure end-point at the enclave's perimeter for filtering and inspection.

b

Tunneling of SIPRNet across long-haul infrastructure must be accepted by the Classified Data Service Manager (DISA/GS21) via request expressing the requirement with supporting rationale and must be IAW CJCSI 6211.02C, DISN policy.

Medium - V-14738 - SV-15494r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-TUNL-028

Vuln IDs

V-14738

Rule IDs

SV-15494r1_rule

If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type 1) for data protection, then DISN security criteria in accordance with reference CJCSI 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, 9 July 2008 will be presumed to have been satisfied. The CCAO requires documentation of a SIPR to NIPR tunneling solution.Information Assurance OfficerECSC-1

Checks: C-12960r1_chk

Review the network architecture and ensure SIPRNet traffic is not tunneled across long-haul NIPRNet infrastructure unless approved as described. This policiy is not applicable to Base Area Networks, however BAN tunnels must comply with CJCSI 6211.02C.

Fix: F-14204r1_fix

Use the SIPRNet or follow policies for temporary tunneling.

b

If the tunneled SIPRNet solution over NIPRNet will be in place for more than 365 days, then the SIPRNet must be used or the IAO be in receipt of GIG Waiver Policy, DoDD 8100.1 .

Medium - V-14739 - SV-15495r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-TUNL-029

Vuln IDs

V-14739

Rule IDs

SV-15495r1_rule

If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type 1) for data protection, then DISN security criteria in accordance with reference CJCSI 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, 9 July 2008 will be presumed to have been satisfied. If the non-DISN solution is in place for more than 365 days the site must comply with the GIG Waiver Policy, reference DoDD 8100.1, Global Information Grid (GIG) Overarching Policy, September 19, 2002.Information Assurance OfficerECSC-1

Checks: C-12961r1_chk

Review the Tunneled SIPRNet waiver and determine expiration of the waiver.

Fix: F-14205r1_fix

Use the SIPRNet is the DoD policy for classified traffic. An additional waiver is required in order to keep the circuit up.

c

If SIPRNet traffic is being tunneled on a commercial ISP it must be approved by the OSD GIG Waiver Panel and the IAO be in receipt of GIG Waiver Policy, DoDD 8100.1 .

High - V-14740 - SV-15496r1_rule

RMF Control

Severity

High

CCI

Version

NET-TUNL-030

Vuln IDs

V-14740

Rule IDs

SV-15496r1_rule

If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type 1) for data protection, then DISN security criteria in accordance with reference CJCSI 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, 9 July 2008 will be presumed to have been satisfied. If the non-DISN solution is in place for more than 365 days the site must comply with the GIG Waiver Policy, reference DoDD 8100.1, Global Information Grid (GIG) Overarching Policy, September 19, 2002.Information Assurance OfficerECSC-1

Checks: C-12962r1_chk

Review the Tunnel SIPRNet waiver and determine if waiver documents approval of a ISP.

Fix: F-14206r1_fix

Shut the circuit down until approval is granted by the DSAWG.

c

Leasing of point-to-point circuits that extend classified backside connectivity to any non-DoD, foreign or contractor facility is prohibited unless the termination is government operated in the contractor or foreign government facility.

High - V-14741 - SV-15497r1_rule

RMF Control

Severity

High

CCI

Version

NET1826

Vuln IDs

V-14741

Rule IDs

SV-15497r1_rule

Leasing of point-to-point circuits that extend classified backside circuits to non-DoD, foreign or contractor facilities is prohibited unless the termination is government operated in the contractor or foreign government facility.Information Assurance OfficerECSC-1

Checks: C-12963r1_chk

Review the network and ensure classified circuits are secured in a DOD facility.

Fix: F-14207r1_fix

Terminate all classified networks found in non-DOD facilities that are not government operated.

b

The IAO/NSO will have all C2 and non-C2 exceptions of SIPRNet use documented in the enclave’s accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received, prior to implementation.

Medium - V-14742 - SV-15498r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1827

Vuln IDs

V-14742

Rule IDs

SV-15498r1_rule

Any exception to use SIPRNet must be documented in an update to the enclave’s accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received prior to implementation. Information Assurance OfficerECSC-1

Checks: C-12964r1_chk

Review accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received.

Fix: F-14208r1_fix

Document all SIPRNet connections.

b

If the tunneled SIPRNet solution proposed by the DISN Service Manager is accepted, Type 1 cryptography will be employed for data protection.

Medium - V-14743 - SV-15499r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-TUNL-031

Vuln IDs

V-14743

Rule IDs

SV-15499r1_rule

The need for classified tunneling across NIPRNet or a commercial IP infrastructure is approved on a “case by case” basis. The use of a commercial IP service must be approved by the OSD GIG Waiver Panel. Requirements can be referenced in DoDD 8100.1, Global Information Grid (GIG) Overarching Policy, September 19, 2002.Information Assurance OfficerECSC-1

Checks: C-12965r1_chk

Review the approved commercial circuit and ensure type 1 encryption has been implemented.

Fix: F-14209r1_fix

Add approved type 1 encryption devices.

b

The IAM will ensure the controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information.

Medium - V-14744 - SV-15500r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1830

Vuln IDs

V-14744

Rule IDs

SV-15500r1_rule

Controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information. Information Assurance OfficerECSC-1

Checks: C-12966r1_chk

Interview the IAO and determine if in compliance.

Fix: F-14210r1_fix

The IAO will ensure orders support the level of data traffic on the link are documented.

b

The IAM will ensure the VPN tunnel demarcation is located in facilities authorized to process classified US government information, classified at the Secret Level (for SIPRNet).

Medium - V-14745 - SV-15501r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1832

Vuln IDs

V-14745

Rule IDs

SV-15501r1_rule

Tunnel terminus or demarcation point will be in facilities authorized to process classified US government information classified at the Secret level (for SIPRNet). Information Assurance OfficerECSC-1

Checks: C-12967r1_chk

Review the demarcation point and verify the area meets the security level required.

Fix: F-14211r1_fix

Facility demarcation point must meet approved security level.

a

The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P).

Low - V-14844 - SV-15612r2_rule

RMF Control

Severity

Low

CCI

Version

WIR0100

Vuln IDs

V-14844

Rule IDs

SV-15612r2_rule

When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise the system could interfere with or be disrupted by host nation communications systems.Information Assurance OfficerDesignated Approving AuthorityEBCR-1

Checks: C-13274r1_chk

1. Verify existence of approval documentation signed by U.S. Forces Command or host nation representatives. 2. In accordance with DoD policy, users of non-licensed devices that are intended for use outside of the US&P must submit appropriate forms (DD 1494) for host nation coordination/approval. This is not necessary when it is well known that the host nation makes wide use of the same WLAN protocols as the DoD (i.e., 802.11b, 802.11g, or 802.11n). However, this should be verified. Most noteworthy is that WLAN equipment in Japan uses 802.11j which operates in the 4.9 to 5.0 GHz band. WLAN equipment based on other standards interferes with such equipment in Japan. 3. Mark as a finding if approval documentation does not exist or is not available for verification.

Fix: F-14435r1_fix

The IAO will ensure required approvals are received before wireless equipment / system is activated.

b

The site must scan the radio frequency spectrum for unauthorized WLAN devices.

Medium - V-14887 - SV-15655r2_rule

RMF Control

Severity

Medium

CCI

Version

WIR0145-01

Vuln IDs

V-14887

Rule IDs

SV-15655r2_rule

Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly degrades the IA posture of that network. If someone installs an unauthorized access point in the site’s vicinity, even if not connected to a DoD network, then site users may unknowingly or inadvertently connect to it. Once this connection occurs, the user’s traffic may be diverted to spoofed web sites and other servers to capture the user’s authentication credentials and sensitive DoD data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site’s WLAN infrastructure or other network devices that improperly have left open active Wi-Fi interfaces. WIDS can help counter all of these threats. System AdministratorInformation Assurance OfficerECWN-1

Checks: C-13413r1_chk

Detailed policy requirements: DoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices. The WIDS sensor and server must meet the following requirements: -For a continuous Wireless IDS (WIDS) scanning system: --System is server-based, whereby sensor scanning results are consolidated and evaluated by a WIDS server. --The WIDS will scan continuously 24 hours/day, 7 days/week to detect authorized and unauthorized activity. --The WIDS will include a location sensing protection scheme for authorized and unauthorized wireless devices that will provide information enabling designated site personnel to take appropriate actions. NOTE: While not recommended, WLAN access points that also provide WIDS scanning capability are acceptable as "continuous scanning" WIDS sensors. - For a periodic WIDS scanning system: --The DAA will determine how often WIDS scanning will be conducted based on the results of the wireless risk assessment. (DISA recommends at least every 90 days.) --Periodic scanning will be conducted by using handheld or laptop WIDS scanners during a walk-through assessment of the network environment. NOTE: The WIDS must cover all WLAN frequencies transmitted by the WLAN equipment. The WLAN frequency band can vary by country and the WIDS must cover all channels being used in a country the equipment is being used in. For example, the allowed WLAN channels are different in the U.S., Japan, and many European countries. Check procedures: Interview the site IAO. Determine if the scanning by a Wireless Intrusion Detection System (WIDS) is continuous or periodic. See Check V0018596 (NET-WIDS-001 / WIR0050). Verify the site’s WIDS scanning system meets the following requirements: -For Continuous WIDS scanning: --Verify the site has installed a continuous-scanning WIDS system (e.g., AirDefense, Airmagnet, etc.). --Verify the WIDS is set up to scan continuously 24 hours/day, 7 days/week to detect authorized and unauthorized activity. --Verify the WIDS includes a location sensing protection scheme for authorized and unauthorized wireless devices. --Mark as a finding if any of these requirements have not been met. -For Periodic WIDS scanning: --Verify the DAA has determined the frequency of the scans. Review the DAA approved wireless risk assessment. --Mark as a finding if any of these requirements have not been met.

Fix: F-34071r1_fix

Install and operate WIDS on a continuous or periodic basis in a manner consistent with policy requirements.

b

All wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft.

Medium - V-14894 - SV-15662r4_rule

RMF Control

Severity

Medium

CCI

Version

WIR0025

Vuln IDs

V-14894

Rule IDs

SV-15662r4_rule

DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.), wireless management, and email servers are located in a secure room with limited access or otherwise secured to prevent tampering or theft.System AdministratorInformation Assurance OfficerECSC-1, ECWN-1

Checks: C-13403r3_chk

Detailed Policy Requirements: For WLAN Access Points: If the WLAN infrastructure network device (access point, bridge, WLAN switch/gateway/controller, etc.) is used in an unprotected public area, the following security controls are required. (The site Physical Security Officer should make a determination if a WLAN device installation location should be considered to be an unprotected public area.) One of the following security controls is required: - The WLAN device must be physically secured by placing it inside a securely mounted, pick-resistant, and lockable enclosure. - The encryption keys stored on the device must be encrypted on the device using an encryption module validated as meeting FIPS 140-2 Level 2, at a minimum. Check Procedures: The NSO will ensure all network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.) are located in a secure room with limited access or otherwise secured to prevent tampering or theft. For WLAN Access Points: Determine if the WLAN network component of the WLAN system (e.g., access point or bridge) is installed in an unprotected public area where unauthorized personnel can get access to the device. The Physical Security Reviewer may be able to assist in this determination. If yes, the following requirements apply. Note: Access points installed above ceiling tiles in a controlled access area or installed 30 feet above the ground in a controlled access hanger can be considered to be installed in a protected non-public area. The site Physical Security Officer should make a determination if a WLAN device installation location should be considered to be in an unprotected public area. Determine if the WLAN device has been validated as meeting FIPS 140-2 Level 2, at a minimum, or physically secured by placing it inside a securely mounted, pick-resistant, and lockable enclosure. Mark as a finding if the requirements above are not met. For SME PED: During SRR walkthrough inspection, visually confirm the SME PED servers and network equipment (such as, HAIPE) are installed in secured areas.

Fix: F-11355r2_fix

Place all network devices (i.e., Intrusion Detection System (IDS), routers, Remote Access System (RAS), firewalls, etc.) in a secure room with limited access or otherwise secured to prevent tampering or theft. WIR0225 provides physical security requirements for classified WLAN systems.

c

When using IPv6 and IPv4 in a dual stack environment, the IPv6 security policy must mirror the IPv4 security policy.

High - V-15239 - SV-16017r2_rule

RMF Control

Severity

High

CCI

Version

NET-IPV6-050

Vuln IDs

V-15239

Rule IDs

SV-16017r2_rule

The similarities between IPv4- and IPv6-based threats lead to the conclusion that security measures developed and field proven for IPv4 should be used with IPv6. A first step in securing IPv6 deployments is to match IPv4 security policies. Once this is accomplished, begin implementing IPv6 specific security policies for IPv6 vulnerabilities: -Using static neighbors for key systems. -Stop traffic sourced from the internal addresses (ULA) from exiting the enclave. -Filter ICMP, but allow operational functions such as PMTU discovery. -Deny IPv6 fragments destined to network elements and drop fragments of packets where the upper layer cannot be determined. -Implement RFC2827 to prevent spoofing attacks. -Block any source address that is a multicast address. The IPv4 firewalls and filters should block the ports used by tunneling mechanisms not deployed in the network. -Implement application security at the host and the network with the help of firewalls until IDS/IPS functionality becomes available. -Authenticate BGP and IS-IS routing protocols. Use IPSec for OSPFv3 and RIPng. -If tunneling is used, static tunnels are preferred over dynamic because they are more secure.Information Assurance OfficerECSC-1

Checks: C-13636r3_chk

Review the IPv4 security policy and verify the IPv6 security policy mirrors the IPv4 policy. Once this has been accomplished, begin appending IPv6 specific security policies to mitigate specific IPv6 vulnerabilities.

Fix: F-14679r3_fix

Build the IPv6 security policy from IPv4, then begin adding IPv6 specific policies for the new threats inherited by IPv6.

c

The IAO/NSO will ensure AG does not have Tunnel Broker solutions implemented for IPv6 transition

High - V-15290 - SV-16070r1_rule

RMF Control

Severity

High

CCI

Version

NET-IPV6-053

Vuln IDs

V-15290

Rule IDs

SV-16070r1_rule

Tunnel brokers (TB) can be seen as virtual IPv6 ISPs, providing IPv6 connectivity to users already connected to the IPv4 Internet. In the emerging IPv6 Internet it is expected that many tunnel brokers will be available so that the user will just have to pick one. TB solutions do provide authentication via IPSec where ISATAP does not. At the time of this writing understanding the TB trust relationships being offered by ISP providers was of unknown, leading to a policy denying the use of TB at an AG boundary.Information Assurance OfficerECSC-1

Checks: C-13689r1_chk

Interview the IAO and router administrator to see if tunnel broker solutions have been implemented into the enclave. Below is an incomplete list of tunnel brokers. AARNet ACADEMIA Sinica Computing Centre ECS Southampton Hexago / Freenet6 SixXS UKERNA Wanadoo France Ameri.ca BT Exact CERNET Consulintel / Euro6IX Dolphins / AS8758 Earthlink R&D FCCN Hurricane Electric IIJ MANIS MyTBS NECTEC NGNet.It Nerim SCC SingNet Unix-Servers.de XS26 XS4All

Fix: F-14732r1_fix

Remove the tunnel broker from the enclave.

c

The IAO/NSO will ensure if TCP-UDP Relay is implemented in the enclave it will not cross the enclave boundary.

High - V-15291 - SV-16071r1_rule

RMF Control

Severity

High

CCI

Version

NET-IPV6-054

Vuln IDs

V-15291

Rule IDs

SV-16071r1_rule

Malicious party may try to use Transport Relay Translator (TRT) systems to circumventing ingress filtering, or to achieve some other improper use. TRT systems should implement access control to prevent such improper usage. A careless TRT implementation may be subject to buffer overflow attack, but this kind of issue is implementation dependent. Use of DNS proxies that modify the resource records RRs will make it impossible for the resolver to verify DNSsec signatures. Refer to RFC 3142 'IPv6-to-IPv4 Transport Relay Translator ' for additional details.Information Assurance OfficerECSC-1

Checks: C-13690r1_chk

If IPv6 has been implemented perform the following check. TRT systems use transport layer (TCP/UDP) relay technique to translate IPv6 traffic to IPv4 traffic. TCP/UDP Relay requires at least one TRT relay server to be operated per site. TRT require mapping between DNS names to temporary IPv4 addresses, thus it requires a specially configured DNS server to run.. Normally users do not want to translate DNS query/reply traffic using the TRT system. Instead, it makes more sense to run standard DNS server, or special DNS server that helps TRT system, somewhere in the site IPv6 network. Interview the DNS Administrator to determine if TRT server has been implemented in the enclave and if so inquire on special DNS configurations to support the TCP/UDP Relay. Most vendors do not support this transition mechanism.

Fix: F-14733r1_fix

Prevent TCP/UDP Relay from leaving the enclave.

c

The IAO/NSO will ensure Bump-in-the-Stack (BIS) does not cross the enclave boundary.

High - V-15292 - SV-16072r1_rule

RMF Control

Severity

High

CCI

Version

NET-IPV6-055

Vuln IDs

V-15292

Rule IDs

SV-16072r1_rule

The Bump in the Stack (BIS) [RFC2767] translation mechanism is similar to taking the NAT-PT approach with Stateless IP/ICMP Translator (SIIT) and moving it to the OS protocol stack within each host. Unlike SIIT however, it assumes an underlying IPv6 infrastructure. This algorithm translates, on a packet-by packet basis, the headers in the IP packet between IPv4 and IPv6, and translates the addresses in the headers between IPv4 and either IPv4-translated or IPv4-mapped IPv6 addresses. Whereas SIIT is a translation interface between IPv6 and IPv4 networks, BIS is a translation interface between IPv4 applications and the underlying IPv6 network (i.e. the network interface driver). The host stack design is based on that of a dual stack host, with the addition of 3 modules, a translator, an extension name resolver, and an address mapper. The assignment is automatically carried out using DNS protocol, users do not need to know whether target hosts are IPv6. This allows them to communicate with other IPv6 hosts using existing IPv4 applications; thus it seems as if they were dual stack hosts with applications for both IPv4 and IPv6. So they can expand the territory of dual stack hosts. The translator translates outgoing IPv4 headers into IPv6 headers and incoming IPv6 headers into IPv4 headers (if applicable). It uses the header translation algorithm defined in SIIT. The extension name resolver acts as the DNS-ALG in the NAT-PT mechanism. It snoops IPv4 DNS queries and creates another query asking to resolve both ‘A’ and ‘AAAA’ records, sending the returned ‘A’ record back to the requesting IPv4 application. If only ‘AAAA’ records are returned, the resolver requests the address mapper to assign an IPv4 address corresponding to the IPv6 address. The address mapper maintains a pool of IPv4 addresses and the associations between IPv4 and IPv6 addresses. The address mapper will also assign an address when the translator receives an IPv6 packet from the network for which there is no mapping entry for the source address. Hosts can not utilize the security above network layer when they communicate with IPv6 hosts using IPv4 applications via the mechanism. The reason is that when the protocol data with which IP addresses are embedded is encrypted, or when the protocol data is encrypted using IP addresses as keys, it is impossible for the mechanism to translate the IPv4 data into IPv6 and vice versa. Therefore it is highly desirable to upgrade to the applications modified into IPv6 for utilizing the security at communication with IPv6 hosts. Information Assurance OfficerECSC-1

Checks: C-13691r1_chk

Interview the DNS administrators to determine if BIS is being used.

Fix: F-14734r1_fix

Prevent BIS from leaving the enclave.

c

The IAO/NSO will ensure SOCKS-Based Gateway does not cross the enclave boundary.

High - V-15298 - SV-16081r1_rule

RMF Control

Severity

High

CCI

Version

NET-IPV6-056

Vuln IDs

V-15298

Rule IDs

SV-16081r1_rule

The SOCKS-based IPv6/IPv4 gateway mechanism is for communication between IPv4-only and IPv6-only hosts. It consists of additional functionality in both the end system (client) and the dual-stack gateway (router) to permit a communications environment that relays two terminated IPv4 and IPv6 connections at the application layer. This mechanism is based on the SOCKSv5 protocol, and inherits all the features of that protocol. Existing SOCKSv5 commands are unchanged, and the protocol maintains the end-to-end security between the client and the gateway, and the gateway and the destination. The mechanism uses a feature called DNS Name Resolving Delegation to determine IPv6 addresses, delegating the name resolving to the gateway, thus requiring no change to existing DNSs. Since the SOCKS-based IPv6/IPv4 gateway mechanism is based on SOCKSv5 protocol, the security feature of the mechanism matches that of SOCKSv5. The mechanism is based on relaying two "terminated" connections at the "application layer". The end-to-end security is maintained at each of the relayed connections (i.e., between Client C and Gateway G, and between Gateway G and Destination D). The mechanism does not provide total end-to-end security relay between the original source (Client C) and the final destination (Destination D). The security of such application layer traversal is highly dependent on the particular authentication and encapsulation methods provided in a particular implementation, and selected during negotiation between SOCKS client and SOCKS server. The SOCKS service is located on TCP port 1080. Port 1080 has not been reviewed by the PPS CAL at the time of this writing. RFC 1928 and RFC 3089 describe SocksV5 and SOCKS-based IPv6/IPv4 Gateway Mechanism respectively. Information Assurance OfficerECSC-1

Checks: C-13700r1_chk

The SOCKS-based gateway mechanism requests socksification of applications (install *Socks Lib*) to accomplish heterogeneous communications. It is not necessary to modify (change source codes and recompile them, etc.) the applications, because typical socksification is done by changing the linking order of dynamic link libraries (specifically, by linking the SOCKS dynamic link library before the dynamic link libraries for normal socket and DNS name resolving APIs). The mechanism does not request modification of the DNS system, because the DNS name resolving procedure at the Client C is delegated to the dual stack node Gateway G (review vulnerability discussion). Review the firewall can help determine if the Socks port is open. Interview the IAO, DNS administrator, and Firewall Administrator to determine if a SOCKS-based Gateway is present in the enclave if port 1080 is open.

Fix: F-14740r1_fix

Prevent the SOCKS-based Gateway traffic from leaving the enclave.

b

The IAO/NSO will ensure the enclave boundary does not have any other IPv6 Transition Mechanisms implemented when supporting NAT-PT.

Medium - V-15299 - SV-16082r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IPV6-057

Vuln IDs

V-15299

Rule IDs

SV-16082r1_rule

Network Address Translation with Protocol Translation (NAT-PT), defined in [RFC2766], is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates a IPv4 datagram into a semantically equivalent IPv6 datagram or vice versa. For this service to work it has to be located in the connection point between the IPv4 network and the IPv6 network. The PT-part of the NAT-PT handles the interpretation and translation of the semantically equivalent IP header, either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NATPT also uses a pool of addresses which it dynamically assigns to the translated datagrams. The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms due to the deprecation of NAT-PT within the DoD community. However, as described in the "DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3) Requirements, some services/agencies may chose to implement this transition mechanism within an enclave. The following sub-sections provide guidelines for the use of NAT-PT within a controlled enclave. In addition to the single point of failure, the reduced performance, coupled with limitations on the kinds of applications that work, decreases the overall value and utility of the network. NAT-PT also inhibits the ability to deploy security at the IP layer. Information Assurance OfficerECSC-1

Checks: C-13701r1_chk

Interview the IAO, Network Administrator and the DNS Administrator and determine if additional transition mechanisms are implemented in the enclave. Deny all Transition Mechanisms at the FW or Perimeter Router such as: GRE NAT-PT IP in IP IPSec AH/ESP TEREDO BIS RFC 2767 SOCKS64, RFC 3089

Fix: F-14741r1_fix

Disable all but one transition mechanism.

a

The IDS administrator will update the Network IDS when updates are provided by the vendor.

Low - V-15424 - SV-16251r1_rule

RMF Control

Severity

Low

CCI

Version

NET-IDPS-036

Vuln IDs

V-15424

Rule IDs

SV-16251r1_rule

Keeping the NID software updated with the latest software and signatures will allow for the NID to detect all forms of known attacks. Not maintaining the NID properly could allow for attacks to go unnoticed.Information Assurance OfficerECSC-1

Checks: C-14437r1_chk

Have the NID SA display the build number or patch level, then search the vendor’s vulnerability database for current release and patch level.

Fix: F-15094r1_fix

Upgrade to current signatures posted by the vendor.

b

The IAO/NSO will ensure only authorized personnel, with proper verifiable credentials, are allowed to request changes to routing tables or service parameters.

Medium - V-15430 - SV-16257r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1114

Vuln IDs

V-15430

Rule IDs

SV-16257r1_rule

Limiting the number of people that can request changes to router tables and service parameters limits the chance of errors and thus limits the chance of creating a denial-of-service vulnerability.Information Assurance OfficerECSC-1

Checks: C-14438r1_chk

Interview IAO and router administrator to verify compliance.

Fix: F-15095r1_fix

Have the IAO modify the Change Control Process.

b

Personnally owned or contractor owned CMDs must not be used to transmit, receive, store, or process DoD information or connect to DoD networks.

Medium - V-15782 - SV-16721r5_rule

RMF Control

Severity

Medium

CCI

Version

WIR0010-01

Vuln IDs

V-15782

Rule IDs

SV-16721r5_rule

The use of unauthorized personally-owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohitibits the use of personally owned or contractor owned CMDs (Bring Your Own Device – BYOD).System AdministratorInformation Assurance OfficerDesignated Approving AuthorityECSC-1, ECWN-1

Checks: C-15968r6_chk

Interview the site IAM and IAO and determine if personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) are used at the site to transmit, receive, store, or process DoD information or connect to DoD networks. Mark as a finding if personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) are used to transmit, receive, store, or process DoD information or connect to DoD networks.

Fix: F-4558r2_fix

Prohibit use of personally owned or contractor owned CMDs (Bring Your Own Device – BYOD) at the site to transmit, receive, store, or process DoD information or connect to DoD networks.

b

A separate management subnet has not been implemented.

Medium - V-17772 - SV-18981r1_rule

RMF Control

Severity

Medium

CCI

Version

NET0998

Vuln IDs

V-17772

Rule IDs

SV-18981r1_rule

To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block that will enable the management network to scale in proportion to the managed network. Information Assurance OfficerECSC-1

Checks: C-19035r1_chk

Review the management network topology and the IP address space deployed to determine if it has allowed for growth and scalability.

Fix: F-17671r1_fix

Define a large enough address block that will enable the management network to scale in proportion to the managed network.

b

Not all management network elements with an IP address from management address block.

Medium - V-17858 - SV-19142r1_rule

RMF Control

Severity

Medium

CCI

Version

NET0999

Vuln IDs

V-17858

Rule IDs

SV-19142r1_rule

The management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network’s premise equipment.Information Assurance OfficerECSC-1

Checks: C-19365r1_chk

Review the management network topology and review all management network element configurations to ensure that they have been assigned an IP address from the management address block.

Fix: F-17799r1_fix

Configure all management network Elements with an IP address from management address block.

a

Two NTP servers have not been deployed in the management network.

Low - V-17860 - SV-19152r1_rule

RMF Control

Severity

Low

CCI

Version

NET0810

Vuln IDs

V-17860

Rule IDs

SV-19152r1_rule

NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Where possible, deploy multiple gateways with diverse paths to the NTP servers. An alternative design is to have one server connected to a reference clock and the other server reference an external stratum-1 server. With this scenario, the NTP clients should be configured to prefer the stratum-1 server over the stratum-2 server. The NTP servers should be configured to easily scale by creating a hierarchy of lower level (stratum-2 to stratum-15) servers to accommodate the workload. The width and depth of the hierarchy is dependent on the number of NTP clients as well as the amount of redundancy that is required. Information Assurance OfficerECSC-1

Checks: C-19370r1_chk

Review the network topology to determine that there are two NTP servers and what network they are connected to. Verify that they are both online according to the documented IP address. Where possible, deploy multiple gateways with diverse paths to the NTP servers. An alternative design is to have one server connected to a reference clock and the other server reference an external stratum-1 server. With this scenario, the NTP clients should be configured to prefer the stratum-1 server over the stratum-2 server. The NTP servers should be configured to easily scale by creating a hierarchy of lower level (stratum-2 to stratum-15) servers to accommodate the workload. The width and depth of the hierarchy is dependent on the number of NTP clients as well as the amount of redundancy that is required.

Fix: F-17801r1_fix

Deploy and implement at least two NTP servers in the management network.

b

The management station or server is not connected to the management VLAN.

Medium - V-17901 - SV-19307r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1002

Vuln IDs

V-17901

Rule IDs

SV-19307r1_rule

If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs must be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-20220r1_chk

Review the management network topology as well as physically inspecting management stations and servers to ensure that they are connected to only access switchports that are members of the management VLAN.

Fix: F-18248r1_fix

If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs must be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN.

b

The IAO will ensure an IDPS sensor is monitoring DMZ segments housing all public servers.

Medium - V-18490 - SV-20025r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-016

Vuln IDs

V-18490

Rule IDs

SV-20025r1_rule

The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources.Information Assurance OfficerEBBD-1

Checks: C-21124r1_chk

Review the DMZ architecture and verify public servers are being monitored by an IDPS system.

Fix: F-19077r1_fix

Place an IDPS sensor in the enclave to monitor public servers.

b

The IAO will ensure an IDPS sensor is monitoring Server Farms segments containing databases, private backend servers, and personnel data.

Medium - V-18492 - SV-20027r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-018

Vuln IDs

V-18492

Rule IDs

SV-20027r1_rule

The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources. Information Assurance OfficerEBBD-2

Checks: C-21126r1_chk

Review the Server Farm architectural drawings and ensure a sensor is in place to protect the server farm.

Fix: F-19914r1_fix

Install an IDPS to monitor and protect the Server Farm or LAN segments containing servers inside the enclave.

b

The IAO will ensure an IDPS sensor is monitoring segments that house network security management servers (Network Management segments or OOB networks).

Medium - V-18493 - SV-20028r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-019

Vuln IDs

V-18493

Rule IDs

SV-20028r1_rule

The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources.EBBD-2

Checks: C-21127r1_chk

Review the Network Management subnet or OOB network and determine if the IDPS sensor is protecting the management network.

Fix: F-19083r1_fix

Install an IDPS to monitor and protect the Management Network (management subnet or OOB network).

b

The IAO/NSO will ensure the Regional Enclave has developed a hierarchical structure that allows the local enclave (base, camp, post, station) sensor data to be exported to the regional enclave management network segment.

Medium - V-18495 - SV-20030r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-023

Vuln IDs

V-18495

Rule IDs

SV-20030r1_rule

The enterprise Regional Enclave will develop a hierarchical monitoring structure that allows the captured local enclave (base, camp, post, and station) traffic to be exported to the regional enclave for trend analysis and reporting.Information Assurance OfficerDCDS-1, ECAT-1, ECAT-2

Checks: C-21130r1_chk

The CNDSP Tier 2 is required to provide DoD component wide situational awareness and attack sensing and warning (AS&W) through coordinated reporting and information flows. Interview the IAO. Determine how the Regional Enterprise Enclave collects IDS data from the Base, Camp, Post or Station sub-enclaves for reporting and trend analysis. The Regional Enterprise Enclave could be the Tier 2 for the remote enclaves. Every enclave is considered a Tier 3 and a procedure must be in place for this data to be collected by the Tier 2.

Fix: F-19085r1_fix

Create a POA&M to design a network to collect data from the sub-enclaves for reporting and trend analysis.

b

The IAO/NSO will ensure the sensor traffic in transit will be protected at all times via an OOB network or an authenticated tunnel between site locations.

Medium - V-18496 - SV-20031r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-024

Vuln IDs

V-18496

Rule IDs

SV-20031r1_rule

User interface services must be physically or logically separated from data storage and management services. Data from IDS sensors must be protected by confidentiality controls; from being lost and altered.Information Assurance OfficerDCNR-1, DCPA-1

Checks: C-21131r1_chk

Interview the IAO and determine how the IDS sensor data is protected in transit. Determine the data path from management interfaces, how data is collected and moved in transit.

Fix: F-19086r1_fix

Design a communications path for OOB traffic or create an encrypted tunnel using a FIPS 140-2 validated encryption algorithm to protect data.

b

The SA will ensure IDPS communication traffic from the sensor to the management and database servers traverses a separate VLAN logically separating IDPS traffic from all other enclave traffic.

Medium - V-18497 - SV-20032r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-025

Vuln IDs

V-18497

Rule IDs

SV-20032r1_rule

All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in transit from the agent to the management or database servers located on the Network Management subnet.Information Assurance OfficerDCSP-1, ECTP-1

Checks: C-21132r1_chk

Interview the IAO and determine how the IDS sensor data is protected in transit. Determine the data path from management interfaces, how data is collected and moved in transit.

Fix: F-19087r1_fix

Design a communications path for OOB traffic or create a VLAN for IDPS traffic to protect the data.

a

The Network IDPS administrator will ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically to support accurate detection. Readiness is required for INFOCON levels, additional information can be found in Strategic Command Directive (SD) 527-1.

Low - V-18504 - SV-20039r1_rule

RMF Control

Severity

Low

CCI

Version

NET-IDPS-027

Vuln IDs

V-18504

Rule IDs

SV-20039r1_rule

Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically as needed to support accurate detection. The IAM is required to have the enclave prepared for readiness by raising INFOCON levels prior to an activity to ensure the network is as ready as possible when the operation or exercise begins. Because system and network administrators implement many of the INFOCON measures over a period of time in a pre-determined operational rhythm, commanders should raise INFOCON levels early enough to ensure completion of at least one cycle before the operational activity begins. Recommendations for possible INFOCON changes should be written into Operation Plans (OPLAN) and Concept Plans (CONPLAN). Guidelines can be found in Strategic Command Directive (SD) 527-1.Information Assurance OfficerECSC-1

Checks: C-21198r1_chk

Interview the Network IDPS administrator and determine if Anomaly-based detection is deployed in the environment. If implemented, ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically to support accurate detection

Fix: F-19095r1_fix

Establish procedures to update anomaly-based sensors.

b

The Network IDPS administrator located at a regional enterprise enclave will establish an automated update for enterprise sensor update deployments to Base, Camp, Post and Station local networks.

Medium - V-18505 - SV-20040r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-028

Vuln IDs

V-18505

Rule IDs

SV-20040r1_rule

In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated FTP server within the management network. The FTP server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the FTP server periodically to look for the new signature packs and to update themselves once they have been tested.Information Assurance OfficerECSC-1

Checks: C-21206r1_chk

Interview the Regional enclave SA and determine how remote Bases, Camps, Posts, or Stations receive their updates.

Fix: F-19096r1_fix

Create an enterprise solution to maintain IDPS sensors.

b

The Network IDPS administrator will ensure if a SFTP server is used to provide updates to the sensors, the server is configured to allow read-only access to the files within the directory on which the signature packs are placed.

Medium - V-18506 - SV-20041r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-029

Vuln IDs

V-18506

Rule IDs

SV-20041r1_rule

In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated SFTP server within the management network. The SFTP server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the SFTP server periodically to look for the new signature packs and to update themselves once they have been tested.Information Assurance OfficerECAN-1

Checks: C-21207r1_chk

If the signatures are located on a server, verify that the directories on which the signature packs are placed are protected by read-only access.

Fix: F-19097r1_fix

Modify the access restrictions to prevent the signatures from being updated.

b

The Network IDPS administrator will ensure if an automated scheduler is used to provide updates to the sensors, an account is defined that only the sensors will use.

Medium - V-18507 - SV-20042r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-IDPS-030

Vuln IDs

V-18507

Rule IDs

SV-20042r1_rule

In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated secure file server within the management network. The file server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the secure file server periodically to look for the new signature packs and to update themselves.Information Assurance OfficerECAN-1

Checks: C-21208r1_chk

Review the Server accounts and determine if the accounts with read access to the signatures are isolated to the IDS sensors.

Fix: F-19098r1_fix

Secure the signatures from access to accounts for IDS updates.

a

The Network IDPS administrator will back up configuration settings before applying software or signature updates to ensure that existing settings are not inadvertently lost.

Low - V-18510 - SV-20045r1_rule

RMF Control

Severity

Low

CCI

Version

NET-IDPS-031

Vuln IDs

V-18510

Rule IDs

SV-20045r1_rule

There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., reducing false positives). For many IDPSs, signature updates cause program code to be altered or replaced, so they are really a specialized form of software update. For other IDPSs, signatures are not written in code, so a signature update is a change to the configuration data for the IDPS. Software updates can include any or all IDPS components, including sensors, agents, management servers, and consoles. Software updates for sensors and management servers, particularly appliance-based devices, are often applied by replacing an existing IDPS CD with a new one and rebooting the device. Many IDPSs run the software directly from the CD, so that no software installation is required. Other components, such as agents, require an administrator to install software or apply patches, either manually on each host or automatically through IDPS management software. Some vendors make software and signature updates available for download from their Web sites or other servers; often, the administrator interfaces for IDPSs have features for downloading and installing such updates. Administrators should verify the integrity of updates before applying them, because updates could have been inadvertently or intentionally altered or replaced. The recommended verification method depends on the update’s format, as follows: Files downloaded from a Web site or FTP site. Administrators should compare file checksums provided by the vendor with checksums that they compute for the downloaded files. Update downloaded automatically through the IDPS user interface. If an update is downloaded as a single file or a set of files, either checksums provided by the vendor should be compared to checksums generated by the administrator, or the IDPS user interface itself should perform some sort of integrity check. In some cases, updates might be downloaded and installed as one action, precluding checksum verification; the IDPS user interface should check each update’s integrity as part of this. Removable media (e.g., CD, DVD). Vendors may not provide a specific method for customers to verify the legitimacy of removable media apparently sent by the vendors. If media verification is a concern, administrators should contact their vendors to determine how the media can be verified, such as comparing vendor-provided checksums to checksums computed for files on the media, or verifying digital signatures on the media’s contents to ensure they are valid. Administrators should also consider scanning the media for malware, with the caveat that false positives might be triggered by IDPS signatures for malware on the media. Information Assurance OfficerECSC-1

Checks: C-21274r1_chk

Interview the SA to understand the maintenance procedures. Have SA display the backup files saved on the file server.

Fix: F-19104r1_fix

Establish backup procedures and define directories to store the configuration settings and operating system versions.

a

The Network IDPS administrator will compare and verify IDPS update’s file checksums provided by the vendor with checksums computed from downloaded files. If removable media (CD) is used for updates, its' content will be verified.

Low - V-18511 - SV-20046r1_rule

RMF Control

Severity

Low

CCI

Version

NET-IDPS-032

Vuln IDs

V-18511

Rule IDs

SV-20046r1_rule

There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., reducing false positives). For many IDPSs, signature updates cause program code to be altered or replaced, so they are really a specialized form of software update. For other IDPSs, signatures are not written in code, so a signature update is a change to the configuration data for the IDPS. Software updates can include any or all IDPS components, including sensors, agents, management servers, and consoles. Software updates for sensors and management servers, particularly appliance-based devices, are often applied by replacing an existing IDPS CD with a new one and rebooting the device. Many IDPSs run the software directly from the CD, so that no software installation is required. Other components, such as agents, require an administrator to install software or apply patches, either manually on each host or automatically through IDPS management software. Some vendors make software and signature updates available for download from their Web sites or other servers; often, the administrator interfaces for IDPSs have features for downloading and installing such updates. Administrators should verify the integrity of updates before applying them, because updates could have been inadvertently or intentionally altered or replaced. The recommended verification method depends on the update’s format, as follows: Files downloaded from a Web site or FTP site. Administrators should compare file checksums provided by the vendor with checksums that they compute for the downloaded files. Update downloaded automatically through the IDPS user interface. If an update is downloaded as a single file or a set of files, either checksums provided by the vendor should be compared to checksums generated by the administrator, or the IDPS user interface itself should perform some sort of integrity check. In some cases, updates might be downloaded and installed as one action, precluding checksum verification; the IDPS user interface should check each update’s integrity as part of this. Removable media (e.g., CD, DVD). Vendors may not provide a specific method for customers to verify the legitimacy of removable media apparently sent by the vendors. If media verification is a concern, administrators should contact their vendors to determine how the media can be verified, such as comparing vendor-provided checksums to checksums computed for files on the media, or verifying digital signatures on the media’s contents to ensure they are valid. Administrators should also consider scanning the media for malware, with the caveat that false positives might be triggered by IDPS signatures for malware on the media. Information Assurance OfficerECSC-1

Checks: C-21275r1_chk

Interview the SA and determine the process of validation. Have the SA compare the checksum of the latest signature update with the checksum from the file on the vendor site.

Fix: F-19105r1_fix

Establish change control procedures that include file validation and integrity.

b

The IAO will ensure the Server Farm is segmented by isolating business functions such as databases, applications, web, and email using VLAN provisioning.

Medium - V-18520 - SV-20059r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-010

Vuln IDs

V-18520

Rule IDs

SV-20059r1_rule

VLANs can offer significant benefits in a multi-service network by providing a convenient way of isolating different equipment and traffic type. Network traffic with differing security policies within the server farm should be logically grouped using multiple VLANs. Each type of device or server such as payroll, research and development, voice over IP, wireless, etc would have mutually exclusive VLANs. This type of architecture forces layer 3 routing and thereby enables all the filtering capabilities of the layer 3 devices, in addition to strategic placed firewalls inside the enclave. Each server type should have its own VLAN.Information Assurance OfficerDCSP-1

Checks: C-21295r1_chk

Review the Server Farm network drawings that detail the servers located in the server farm. Compare the drawings to the VLAN interfaces on the switch or firewall. Current firewall technology has introduced VLAN support. The VLAN configuration may be on the physical or a logical firewall interface. By interviewing the SA or Server Farm lead, ensure web applications and servers are isolated from databases VLANs; ensure mail services are isolated similarly. Review the vulnerability discussion for further details.

Fix: F-19123r1_fix

Develop a VLAN provisioning architecture and implement the plan to isolate clients, and core business traffic and services.

b

The IAO will ensure the Server Farm that provides floor space to multiple clients isolate the client’s data by separate VLANs.

Medium - V-18521 - SV-20060r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-013

Vuln IDs

V-18521

Rule IDs

SV-20060r1_rule

Data Centers that rent floor space, power and IT processing for multiple customers have additional security responsibilities to their customers. Protecting a client’s data from other clients is necessary. Segmentation is used to make it harder for a client that compromises a server to get access to the information exchanged in other parts of the data center. Information Assurance OfficerDCSP-1

Checks: C-21296r1_chk

Review the Server Farm network drawings that detail the servers located in the server farm. Compare the drawings to the VLAN interfaces on the switch or firewall. Current firewall technology has introduced VLAN support. The VLAN configuration may be on the physical or a logical firewall interface. By interviewing the SA or Server Farm lead, ensure databases containing personnel records are isolated. If the data center leases floor space, ensure clients are isolated from each other; etc.

Fix: F-19124r1_fix

Develop a VLAN provisioning architecture and implement the plan to isolate clients, and core business traffic and services.

b

The IAO will ensure applications with public access containing web, database and application functions that can not be separated will be isolated on a separate VLAN in the DMZ.

Medium - V-18528 - SV-20067r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-016

Vuln IDs

V-18528

Rule IDs

SV-20067r1_rule

If an application cannot be tier separated, then the architecture will allow for logically moving the entire application and host onto a separate VLAN within the DMZ to ensure that potential compromise does not give open access to other Server Farm components. This will be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router that will segregate traffic into a separate VLAN so that it can still maintain its current security/availability for production support. The physical location of the processing may not necessarily change.Information Assurance OfficerDCSP-1

Checks: C-21303r1_chk

Interview the SA and gather information from the firewall and layer 3 switch. Determine which servers, if any are providing web services in the server farm that do not have a front-end server by looking for web traffic using port 80 or 443. Verify web services do not go beyond the perimeter protection boundary.

Fix: F-19131r1_fix

Move non-tiered applications to a VLAN in the DMZ>

b

The IAO will ensure the Regional Enclave DMZ separates web traffic into an isolated VLAN.

Medium - V-18529 - SV-20068r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-017

Vuln IDs

V-18529

Rule IDs

SV-20068r1_rule

A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. By isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or establishing VLANs on the firewall itself that segregates traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that can not use backend architectures.Information Assurance OfficerDCSP-1

Checks: C-21314r1_chk

Review the DMZ architectural drawings. Determine the VLAN provisioning that has been defined off the perimeter firewall. Identify web server and applications located in the DMZ and determine which VLANs they are associated.

Fix: F-19132r1_fix

Isolate the Web servers and applications to VLANs identified for web access.

b

The IAO will ensure the Regional Enclave DMZ separates FTP traffic into a VLAN.

Medium - V-18530 - SV-20069r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-018

Vuln IDs

V-18530

Rule IDs

SV-20069r1_rule

A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. By isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or establishing VLANs on the firewall itself that segregates traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that can not use backend architectures. Information Assurance OfficerDCSP-1

Checks: C-21315r1_chk

Review the DMZ architectural drawings. Determine the VLAN provisioning that has been defined off the perimeter firewall. Identify ftp services located in the DMZ and determine which VLANs they are associated.

Fix: F-19133r1_fix

Isolate FTP services in the DMZ to a VLAN.

b

The IAO will ensure the Regional Enclave DMZ separates instant messaging traffic into a VLAN.

Medium - V-18532 - SV-20071r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-020

Vuln IDs

V-18532

Rule IDs

SV-20071r1_rule

A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. By isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or establishing VLANs on the firewall itself that segregates traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that can not use backend architectures. Information Assurance OfficerDCSP-1

Checks: C-21317r1_chk

Review the DMZ architectural drawings. Determine the VLAN provisioning that has been defined off the perimeter firewall. Identify IM services located in the DMZ and determine which VLANs they are associated.

Fix: F-19135r1_fix

Isolate Instant Messaging services located in the DMZ to a VLAN.

b

The IAO will ensure the Regional Enclave DMZ separates streaming media (VoIP, Video) into a VLAN.

Medium - V-18533 - SV-20072r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-021

Vuln IDs

V-18533

Rule IDs

SV-20072r1_rule

A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. By isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or establishing VLANs on the firewall itself that segregates traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that can not use backend architectures.Information Assurance OfficerDCSP-1

Checks: C-21318r1_chk

Review the DMZ architectural drawings. Determine the VLAN provisioning that has been defined off the perimeter firewall. Identify VoIP and VTC traffic located in the DMZ and determine which VLANs they are associated.

Fix: F-19136r1_fix

Isolate VoIP and VTC traffic in the DMZ with VLANs.

b

The IAO will ensure the Regional Enclave DMZ separates email and AD traffic into a VLANs according to device-type, e.g. email front-end relay server in a VLAN and Internet Security and Acceleration (ISA) server in a VLAN.

Medium - V-18534 - SV-20073r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-VLAN-022

Vuln IDs

V-18534

Rule IDs

SV-20073r1_rule

A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. By isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or establishing VLANs on the firewall itself that segregates traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that can not use backend architectures. Information Assurance OfficerDCSP-1

Checks: C-21319r1_chk

Review the DMZ architectural drawings. Determine the VLAN provisioning that has been defined off the perimeter firewall. Identify email servers located in the DMZ and determine which VLANs they are associated. Ensure ISA servers are in a separate VLAN from email servers.

Fix: F-19137r1_fix

Isolate email servers in the DMZ to a VLAN. Isolate ISA servers in the DMZ to a VLAN.

a

The IAO/NSO will ensure the network access control solution supports wired, wireless and remote access NARs (clients).

Low - V-18561 - SV-20105r1_rule

RMF Control

Severity

Low

CCI

Version

NET-NAC-007

Vuln IDs

V-18561

Rule IDs

SV-20105r1_rule

Without a secure network access solution implemented rogue and/or non-policy compliant devices can gain access to the network and its resources.Information Assurance OfficerECSC-1

Checks: C-21586r1_chk

Interview the IAO and determine if the NAC solution supports all wired, wireless, and remote access devices. Review the switch configurations that support each of these device types and determine if the AAA server is defined, the default is identified as the AAA server and dynamic vlan authorization is being given to the AAA server.

Fix: F-19179r1_fix

Develop a plan to ensure the network is secured by implementing a NAC solution.

a

The network access control solution will not use the DHCP mechanism to separate authenticated and non-authenticated network access requests due to known weaknesses that bypass the authentication process by rogue devices with self-configured IP addresses.

Low - V-18562 - SV-20106r1_rule

RMF Control

Severity

Low

CCI

Version

NET-NAC-008

Vuln IDs

V-18562

Rule IDs

SV-20106r1_rule

Layer 3 DHCP authentication is considered an insecure mechanism because of the relative ease by which it can be bypassed. A rogue device with a self-configured IP address on the secure network can effectively bypass the authentication process.Information Assurance OfficerECSC-1

Checks: C-21587r1_chk

Review the access control enforcement method deployed at the NAC appliance (policy decision point).

Fix: F-19180r1_fix

If the NAC appliance has implemented a DHCP layer 3 solution for authentication create a POA&M to migrate devices being supported by Layer 3 DHCP Authentication to a more secure solution such as described in NET-NAC-009.

b

The IAO/NSO will ensure wall jacks are secured with MAC address definitions on switch ports or Manual Authentication by the SA is used on all access ports not capable of authentication software being loaded on the client, example printers.

Medium - V-18567 - SV-20111r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-NAC-030

Vuln IDs

V-18567

Rule IDs

SV-20111r1_rule

In a Manual Authentication implementation an SA is prompt by an authentication server during the authentication process. Instead of an authentication server making an access control decision independently, the authentication server presents an SA with a dialog box to authorize access to an endpoint entity requesting network access. A device starts as a node on the untrusted sub-enclave. The authentication server, upon receiving authorization from an SA, sends an appropriate message to the PEP, which is either a switch or wireless access point. Once initial network access is granted, the device’s VLAN is switched to the trusted sub-enclave, and the authorization remains in effect until the device is removed from the network.Information Assurance OfficerDCSP-1

Checks: C-21654r1_chk

Identify if the non-managed device's port is defined using MAC filtering as described in NET-NAC-009. If the non-managed device is not secured using MAC filtering. Review if the policy assessment enclave contains a Manual authorization that prompts the SA to grant access during port activation.

Fix: F-19195r1_fix

Implement switch port security for non-managed devices or implement a manual authentication process for the non-managed devices such as printers and legacy systems.

b

The IAO/NSO will ensure the VPN concentrator is connected to the network access control gateway’s untrusted interface.

Medium - V-18573 - SV-20117r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-NAC-017

Vuln IDs

V-18573

Rule IDs

SV-20117r1_rule

Non-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Non-trusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented. The remote network access control solution for the roaming workstations requires a layer 3 gateway using 802.1x EAP architecture or a Layer 3 gateway inline solution. For remote NARs, an inline gateway NAC solution is typically the only viable option. In multi-vendor environments, after successful authentication to the VPN concentrator the traffic is forced through the NAC gateway than communicates with an agent on the roaming workstation that passes authentication and health credentials. The NAC gateway passes authentication requests to the authentication server in the same manner it would for a local workstation. The interface on the NAC gateway is considered the untrusted interface and is treated with the same level of trust as the local workstation that has not been authentication. Some vendors can pass authentication data directly from their VPN Concentrator to their NAC solution, so the supplicant doesn't need to reauthenticate. The NAC gateway provides the policy enforcement allowing or denying the traffic to the production enclave.Information Assurance OfficerECSC-1

Checks: C-21765r1_chk

Review the VPN concentrator and ensure it is connected to the NAC gateway.

Fix: F-19207r1_fix

Connect the VPN concentrator to the untrusted NAC interface.

b

The Network administrator will implement additional intrusion protection that detect both specific attacks on mail and traffic types (protocols) that should not be seen on the segments containing mail servers at the regional enclave mail perimeter.

Medium - V-18576 - SV-20120r1_rule

RMF Control

Severity

Medium

CCI

Version

NET1352

Vuln IDs

V-18576

Rule IDs

SV-20120r1_rule

Network segments containing mail servers should have an appliance or sensors installed that monitor, inspect and log all recognized mail traffic. Specific MIME types should be denied, message size violations identified and content inspection performed verifying header and body type matches. Signatures should be implemented to enforce policies on text, video, audio, images, and applications. Real-time monitoring of email traffic is critical to preventing hackers from utilizing email to gain access to internal systems. Detection of attacks and exploits in email, such as malformed MIME, requires continuous monitoring of all email. Anti spam technology is an essential element in mail security. The mail perimeter at the regional or standalone enclave must be capable of providing connection analysis identifying where a message is going and where it came from by use of blacklists, whitelists, and DNS interrogation to identify spam from hijacked e-mail servers. The mail perimeter at the regional or standalone enclave must be capable of dictionary analysis processes based on a combination of URL filtering, content filtering and Bayesian filtering (dictionaries which rate words by their probability of being in a spam message). The mail perimeter at the regional or standalone enclave must be capable of providing protocol analysis by recognizing abuse of or deviation from e-mail protocols. Protocol analysis is based on forgery detection, header analysis and domain spoofing detection. Information Assurance OfficerEBBD-1

Checks: C-21811r1_chk

Review the DMZ architectural drawings. Interview the SA responsible for supporting the IDPS or appliance that performs filtering of mail content inspection, spam filtering, and MIME policies. Have the SA display the whitelists and blacklists definitions, URL filtering and protocol analysis. Determine if these policies are kept current by use of vendor updates.

Fix: F-19210r1_fix

Have an appliance installed or updated that provides the mail perimeter security controls that protect the enclave.

b

The site will conduct continuous wireless IDS scanning. Note: This requirement applies to all DoD sites that operate DoD computer networks, including sites that have no authorized WLAN systems.

Medium - V-18596 - SV-20145r2_rule

RMF Control

Severity

Medium

CCI

Version

NET-WIDS-001

Vuln IDs

V-18596

Rule IDs

SV-20145r2_rule

DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network.Information Assurance OfficerECWN-1

Checks: C-22258r2_chk

Detailed Policy Requirements: DoD components will ensure that a Wireless Intrusion detection System (WIDS) is implemented that allows for monitoring of WLAN activity and the detection of WLAN-related policy violations on all unclassified and classified DoD wired and wireless LANs. The WIDS shall be capable of monitoring IEEE 802.11 transmissions within all DoD LAN environments and detect nearby unauthorized WLAN devices. WIDS shall not be required to monitor non-IEEE 802.11 transmissions. WIDS Implementation Criteria. The WIDS shall continuously scan for and detect authorized and unauthorized WLAN activities 24 hours a day, 7 days a week. Note: Exceptions to WIDS implementation criteria may be made by the DAA for DoD wired and wireless LAN operating environments. This exception allows the DAA to implement periodic scanning conducted by designated personnel using handheld scanners during walk-through assessments. Periodic scanning may be conducted as the alternative to the continuous scanning only in special circumstances, where it has been determined on a case-by-case basis that continuous scanning is either infeasible or unwarranted. The DAA exception must be documented. The "infeasible" criteria includes the following use case examples: - It's not my building - this scenario means that for contractual, or other similar reasons, the DoD component is not allowed to install a WIDS. - There's no power or space is limited - this scenarios means that for space weight and power (SWAP) reasons, the addition of continuous scanning capabilities cannot be accomplished because it would exceeds SWAP availability. Another reason power would affect your decision to waive continuous scanning requirements is if the entire LAN is only in operation periodically (e.g. the wired/wireless LAN is enabled on a vehicle that is only operating when the vehicle is being used for a specific operation). - The exception for "Minimal Impact WLAN Systems" that: Do not provide connectivity to WLAN-enabled PEDs (i.e., backhaul systems); have no available FIPS 140 validated 802.1X EAP-TLS supplicant; support a very small number of users for a specific mission (i.e., 10 or less users); are standalone networks; or are highly specialized WLAN systems that are isolated from the GIG (e.g., handheld personal digital assistants (PDAs) used as radio-frequency identification (RFID) readers, a network of WLAN-enabled Voice over Internet Protocol (VoIP) phones)] allows the DAA to waive any of the security requirements in the Instruction. This includes using non-standard/proprietary FIPS validated encryption, using an alternative FIPS validated EAP type, and not having a continuous WIDS. -The cost of the continuous WIDS capability is more expensive that the total cost of the LAN without a WIDS. The DAA must conduct a wireless threat risk assessment where it has been shown by analysis that the threat environment is extremely unlikely to non-existent to meet the "unwarranted" exception criteria. Check Procedures: Interview the site IAO. Determine if the scanning by a WIDS is being conducted and if it is continuous or periodic. If a continuous scanning WIDS is used, there is no finding. If periodic scanning is used, verify the exception to policy is documented and signed by the DAA. Verify the exception meets one of the required criteria. Mark as a finding if periodic scanning is being performed but requirements have not been met. Mark as a finding if no WIDS scanning is being performed at the site.

Fix: F-19231r1_fix

Perform required WIDS scanning

c

Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information.

High - V-19813 - SV-21976r5_rule

RMF Control

Severity

High

CCI

Version

WIR0045

Vuln IDs

V-19813

Rule IDs

SV-21976r5_rule

With the increasing popularity of wireless networking, most laptops have wireless NICs installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage.System AdministratorInformation Assurance OfficerECWN-1

Checks: C-24829r2_chk

Interview the IAO and inspect a sample of laptops/PCs (check about 10% if possible, with priority to laptops) used at the site for classified data processing. 1. Ask if there are laptops/PCs used to process classified information and have embedded wireless NICs. No embedded wireless NICs are allowed, including WLAN, Bluetooth, WMAN, cellular, etc. 2. The NIC should be physically removed. Using methods, such as tape or software disabling are not acceptable. Interview the IAO and determine if the site either bought laptops without wireless NICs (Wi-Fi, Bluetooth, WiMax, etc.) or physically removed the NICs from laptops. Verify the site has procedures in place to ensure laptops with wireless NICs are not used for classified data processing. Mark as a finding if site is using embedded wireless NICs. If this is a finding, recommend to the DAA this is a critical finding requiring immediate action.

Fix: F-20496r2_fix

Ensure computers with embedded wireless NICs that cannot be removed and are not used to transfer, receive, store, or process classified information.

b

The WLAN implementation of AES-CCMP must be FIPS 140-2 validated.

Medium - V-19894 - SV-22064r3_rule

RMF Control

Severity

Medium

CCI

Version

WIR0125-02

Vuln IDs

V-19894

Rule IDs

SV-22064r3_rule

Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.System AdministratorInformation Assurance OfficerECCT-1, ECSC-1, ECWN-1

Checks: C-25502r1_chk

Check Procedures: Review the WLAN system product documentation (specification sheet, administration manual, etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of AES-CCMP. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.

Fix: F-34065r1_fix

Procure WLAN equipment whose implementation of AES-CCMP has been FIPS 140-2 validated.

a

WIDS sensor scan results must be saved for at least one year.

Low - V-19896 - SV-22066r2_rule

RMF Control

Severity

Low

CCI

Version

WIR0145-02

Vuln IDs

V-19896

Rule IDs

SV-22066r2_rule

DoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices. If sites do not maintain scan logs, it cannot be determined if IDS findings are isolated and harmless events or a more sustained, methodical attack on the system.System AdministratorInformation Assurance OfficerECWN-1

Checks: C-25505r1_chk

Detailed policy requirements: The results of WIDS scans (logs and scan results) shall be maintained by the site for at least one year. Check procedures: Interview the site IAO. Verify the site has saved its scan results for at least one year, viewing one of the older logs to validate the practice. Mark as a finding if the site is not saving the logs/results or is saving them for less than one year.

Fix: F-34073r1_fix

IAO must ensure WIDS and operating procedures maintain WLAN scan results for at least one year.

b

The WLAN implementation of EAP-TLS must be FIPS 140-2 validated.

Medium - V-19900 - SV-22070r2_rule

RMF Control

Severity

Medium

CCI

Version

WIR0115-02

Vuln IDs

V-19900

Rule IDs

SV-22070r2_rule

Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.System AdministratorInformation Assurance OfficerECSC-1, ECWN-1

Checks: C-25550r1_chk

Review the WLAN system product documentation (specification sheet, administration manual, etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of TLS. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.

Fix: F-34115r1_fix

Procure WLAN equipment whose implementation of TLS has been FIPS 140-2 validated.

b

The IAO will ensure that the server farm is protected by a reverse proxy that only allows connections from authorized hosts requesting authorized services.

Medium - V-23731 - SV-28600r1_rule

RMF Control

Severity

Medium

CCI

Version

NET-SRVFRM-006

Vuln IDs

V-23731

Rule IDs

SV-28600r1_rule

A reverse proxy acts on behalf of a server. The reverse proxy accepts the connection from the client and forwards it to the server. It also receives the response from the server and forwards it to the client. A reverse proxy helps in protecting applications by inspecting the requests for malicious requests. On finding malicious content in the request, the reverse proxy may simply drop the request. The security of reverse proxy checks for malicious content using a database or databases which contain a set of allowed or disallowed content. Database AdministratorInformation Assurance OfficerEBBD-1

Checks: C-28846r1_chk

Verify the traffic flow from the DMZ to the server farm is proxied.

Fix: F-25870r1_fix

Deploy a reverse proxy for traffic from the DMZ to the server farm.

b

The organization must encrypt all network device configurations while stored offline.

Medium - V-23735 - SV-28616r2_rule

RMF Control

Severity

Medium

CCI

Version

NET1050

Vuln IDs

V-23735

Rule IDs

SV-28616r2_rule

If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a longer than acceptable time. Encrypting the configuration stored offline protects the data at rest and provides additional security to prevent tampering and potentially cause a network outage if the configuration were to be put into service.System AdministratorInformation Assurance OfficerCOBR-1, ECCD-1

Checks: C-28855r3_chk

Determine if all network device configurations stored offline are encrypted.

Fix: F-25887r3_fix

Encrypt all network device configurations stored offline.

b

WLAN access points and supporting authentication servers used for Internet-only connections must reside in a dedicated subnet off of the perimeter firewall.

Medium - V-25319 - SV-31432r3_rule

RMF Control

Severity

Medium

CCI

Version

WIR0123

Vuln IDs

V-25319

Rule IDs

SV-31432r3_rule

If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack. If the access point or its supporting authentication server is placed behind the perimeter firewall (on the internal network), then any breach of these devices could lead to attacks on other DoD information systems.System AdministratorInformation Assurance OfficerECWN-1

Checks: C-31754r2_chk

Have the SA show how the access point and authentication server (if used) is physically connected to the firewall or supporting switch and how it is logically connected through firewall or switch configuration settings. Verify the equipment is connected to a subnet off of the perimeter firewall and the subnet only contains devices that support wireless connectivity to the Internet (WLAN Access Point, WLAN Authentication Server, etc.). The dedicated WLAN subnet required for Internet-only WLAN connections can be configured using logical separation. A separate physical infrastructure is not required. Mark as a finding if: - Any WLAN infrastructure device supporting Internet-only access is located somewhere other than a dedicated subnet off the perimeter firewall; - Any device not supporting the Internet-only WLAN resides in the subnet dedicated to the Internet-only WLAN.

Fix: F-28238r1_fix

Reconfigure physical and logical connections as needed so the Internet-only WLAN infrastructure resides in a dedicated subnet off the perimeter firewall.

b

The perimeter firewall must be configured as required for the dedicated Internet-only WLAN infrastructure subnet.

Medium - V-25322 - SV-31437r2_rule

RMF Control

Severity

Medium

CCI

Version

WIR0124

Vuln IDs

V-25322

Rule IDs

SV-31437r2_rule

If the perimeter firewall is not configured as required, users connecting to an access point may be able to compromise internal DoD information systems.System AdministratorInformation Assurance OfficerECWN-1

Checks: C-31757r1_chk

Verify the perimeter firewall is configured with the following policies for the dedicated Internet-only WLAN infrastructure subnet: - All traffic from the client device is routed to the external facing Internet gateway. - No client initiated connection requests can be routed to the internal enclave. - No connection requests from the enclave can be routed to the Wi-Fi client on the internet-only subnet. - No connection requests from outside the enclave (e.g., Internet) can be routed to the Wi-Fi client on the internet-only subnet.

Fix: F-28241r1_fix

Configure the perimeter firewall as required for the dedicated Internet-only WLAN infrastructure subnet.

b

The WLAN must be WPA2-Enterprise certified.

Medium - V-30255 - SV-39891r2_rule

RMF Control

Severity

Medium

CCI

Version

WIR0114

Vuln IDs

V-30255

Rule IDs

SV-39891r2_rule

The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified, then the equipment may not have the required security functionality to protect DoD networks and information.Information Assurance OfficerECSC-1, ECWN-1

Checks: C-38911r1_chk

Check Procedures: Review the WLAN system product documentation (specification sheet, administration manual, etc.). Verify the system is WPA2-Enterprise certified. Mark as a finding if not WPA2-Enterprise certified. Note that WPA is the precursor certification to WPA2 and is not sufficient.

Fix: F-34048r1_fix

Procure WPA2-Enterprise certified WLAN equipment.

b

All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).

Medium - V-31632 - SV-41919r2_rule

RMF Control

Severity

Medium

CCI

Version

NET0180

Vuln IDs

V-31632

Rule IDs

SV-41919r2_rule

If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resources. Allowing subscribers onto the network whose IP addresses are not registered with the .Mil NIC may allow unauthorized users access into the network. These unauthorized users could then monitor the network, steal passwords, and access classified information.Information Assurance OfficerNetwork Security OfficerECSC-1

Checks: C-40348r3_chk

Validate global addresses in use on unclassified or classified networks are registered through the DoD Network Information Center. For NIPRNet, go to the website https://www.nic.mil For SIPRNet, go to the website https://www.ssc.smil.mil Click on "Whois Search" and enter the IP range of the enclave into the keyword search section. Verify that the site is registered for the range. NOTE: The Department of the Navy must use https://www.nnic.mil when verifying registered IP addresses.

Fix: F-35552r3_fix

Submit any unregistered and/or unauthorized global IP addresses to the DoD Network Information Center(NIC) for registration.

b

IP Addresses used within an organizations SIPRNet enclave must be authorized .smil.mil or .sgov.gov addresses assigned by the DoD Network Information Center (NIC).

Medium - V-31637 - SV-41924r5_rule

RMF Control

Severity

Medium

CCI

Version

NET0185

Vuln IDs

V-31637

Rule IDs

SV-41924r5_rule

As per CNSSI No. 1016, the DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of Network Address Translation (NAT) and private IP address space inhibits the view of specialized DISN enterprise tools in tracking client level enclave to enclave traffic, monitoring client use of enterprise level application services, and detecting anomalies and potential malicious attacks in SIPRnet client application traffic flows. Enclave nodes that communicate outside the organization’s enclave to other SIPRnet enclaves or enterprise services cannot use NATed private addresses via an enclave proxy without the permission of the SIPRnet DISN Authorizing Official, the DISA DAA.Information Assurance OfficerDCSP-1, ECSC-1

Checks: C-40352r11_chk

Review network diagrams, enterprise sensor reports, and network scans submitted to the Connection Approval Office. Determine that only global IP addresses assigned by the NIC are in use within the organization's SIPRNet enclave. Determine whether NAT and unauthorized IP address space is in use in the organization's SIPRNet enclave. Exceptions to this requirement are listed below: 1. Closed classified networks logically transiting SIPRNet for enclave-to-enclave VPN transport only. 2. Out-of-Band management networks, where the NATed nodes do not access SIPRnet base enterprise services. 3. Thin client deployments where the hosting thin client server serves as the SIPRnet access point for its thin clients and that the organization maintains detailed thin client service usage audit logs. 4. Valid operational mission need or implementation constraints. All exceptions must have approval by the SIPRNet DISN accreditation official, DISA DAA. If NAT and unauthorized IP address space is in use on the organization's SIPRNet infrastructure, this is a finding.

Fix: F-35556r4_fix

Remove the NAT configurations and private address space from the organization's SIPRNet enclave. Configure the SIPRNet enclave with SSC authorized .smil.mil or .sgov.gov addresses. If NAT or private address space is required, as per one of the stated exceptions or for valid mission requirements, then submit a detailed approval request to use of private addressing through the DSAWG Secretariat to the DISN accreditation official, DISA DAA. Exceptions to this requirement are listed below: 1. Closed classified networks logically transiting SIPRNet for enclave-to-enclave VPN transport only. 2. Out-of-Band management networks, where the NATed nodes do not access SIPRnet base enterprise services. 3. Thin client deployments where the hosting thin client server serves as the SIPRnet access point for its thin clients and that the organization maintains detailed thin client service usage audit logs. 4. Valid operational mission need or implementation constraints.

b

A policy must be implemented to keep Bogon/Martian rulesets up to date.

Medium - V-33831 - SV-44284r1_rule

RMF Control

Severity

Medium

CCI

Version

NET0928

Vuln IDs

V-33831

Rule IDs

SV-44284r1_rule

A bogon route or martian address is a type of packet that should never be routed inbound through the perimeter device. Bogon routes and martian addressesare commonly found as the source addresses of DDoS attacks. By not having a policy implemented to keep these addresses up to date, the enclave will run the risk of allowing illegitimate traffic into the enclave or even blocking legitimate traffic. Also, if there are rulesets with "any" as the source address then Bogons/Martians must be applied. Bogons and Martian addresses can be kept up to date routinely checking the IANA website or creating an account with Team Cymru to retrieve these lists in one of many ways. http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml http://www.team-cymru.org/Services/Bogons/System AdministratorInformation Assurance OfficerNetwork Security Officer

Checks: C-41894r4_chk

Review the Bogon/Martian maintenance policy to validate plans and procedures are in place to protect the enclave from illegitimate network traffic with up to date Bogon/Martian rulesets.

Fix: F-37761r2_fix

Implement a Bogon/Martian maintenance policy to protect the enclave from illegitimate network traffic.