DMZ systems must support, or have the capability to utilize, an automated patch capability for all services.
As the DoD DMZ components are critical to the protection of the private DoD data assets within the NIPRNet, it is important to ensure all systems are up to date with security patches and fixes. As the DoD DMZ is an enterprise system, an automated approach is necessary to ensure timely distribution and installation of all security-related patches and fixes. Patches and fixes to a device are necessary to maintain the security posture of the network. If one system has been compromised or exposed to a vulnerability, the entire DoD DMZ is at risk.
Information Assurance Manager VIVM-1
DoD DMZs must provide Network Operations (NetOps) reporting to the appropriate CNDSPs.
Sending alert data to the appropriate personnel is critical to ascertain the extent to which a potential issue may be compromising DoD data or network availability. If the alert data is not sent as quickly as possible, it may be too late to act on the event and avoid compromise. Components within or supporting a NIPRNet DoD DMZ must provide NetOps alert and log data to the appropriate local CNDSP and Combatant Command or Agency Network Operations Centers (NOC) in near real time.
Information Assurance Manager ECAT-1
The DoD DMZ must be designed so all Internet facing application and service data traffic traverses the existing DoD owned and controlled Internet Service Routers (ISR)/Internet Access Points (IAP) at the DoD to Internet boundary.
The DoD DMZ architecture security checkpoints are logically located at the Internet Access Points for the DoD. The security architecture was designed to protect NIPRNet assets and DoD data by funneling all traffic inbound to the DoD network through the IAPs/ISRs. This effort would be completely undermined if traffic flows and application data were to traverse anything other than the IAPs/ISRs.
Information Assurance Manager EBBD-1, EBBD-2, EBBD-3
Critical and maintenance level security patches must be tested and applied within the time period specified in the sites configuration management plan or any Information Assurance Vulnerability Management (IAVM) issuances by USCYBERCOM.
As the DoD DMZ components are critical to the protection of the private DoD data assets within the NIPRNet, it is important to ensure all systems are up to date with security patches and fixes. As the DoD DMZ is an enterprise system, it is necessary to ensure timely distribution and installation of all security-related patches and fixes. Patches and fixes to a device are necessary to maintain the security posture of the network.
Information Assurance Manager VIVM-1
Operating System (OS) separation must be maintained for different server types within the DoD DMZ.
Separation is required to protect Private servers from Restricted and Unrestricted servers. Separation is also required to protect Application and Database servers, if used, from Web servers. The intent of the DoD DMZ initiative is to protect Private servers from those that are Internet-facing, and to have situational awareness of all traffic coming into the NIPRNet. Separation is also critical to protect Restricted servers from Unrestricted servers. Protecting Private assets from the Internet is the fundamental principle behind the DoD DMZ.
Information Assurance Manager ECSC-1
The DMZ systems must include an automated backup schema to include full, incremental, and differential backups as appropriate to meet disaster recovery requirements as defined by the DMZ CONOPS.
Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups are not performed in accordance with the recovery requirements, the data may not be available in the event of loss or failure.
Information Assurance Manager CODB-2
System backups must be stored on appropriate media capable of guaranteeing file integrity for a minimum of 5 years.
If backups are not properly processed, protected, and stored on appropriate media, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.
Information Assurance Manager ECSC-1
DMZ backup and archive security procedures and processes must ensure unauthorized users cannot gain access.
Protection of backup and restoral assets is essential for the successful restoral of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/or the loss of system capability, resulting in failure of the customer's mission.
Information Assurance Manager ECLP-1
The DMZ system must include an automated process of verifying correct backup media has been written to and restored from.
If backups are not properly processed and protected, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.
Information Assurance Manager ECSC-1
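One way to automate the check the requirement describes (and the file-integrity check the storage-media requirement above implies), written here as an added example and not taken from the STIG or any DoD implementation: a SHA-256 manifest is recorded at backup time, the archive is restored into scratch space, and every restored file is compared with the manifest. The archive layout, manifest file name and sample files are constructed for illustration; a tar archive in a temporary directory stands in for the backup media.

```python
"""Automated check that backup media was written to and restores correctly.

Added example; not from the STIG text. A tar archive in a temporary directory
stands in for the backup media, and a SHA-256 manifest written at backup time
is the reference a restore is checked against. All file names and contents
are constructed sample data.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_backup(source: Path, archive: Path) -> dict:
    """Write the archive and record, beside it, what the media should hold."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(archive: Path):
    """Restore the archive into scratch space and compare every file with the
    manifest. Returns (ok, problems); problems is empty when the restore
    reproduces exactly what was meant to be written."""
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    expected = json.loads(manifest_path.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        actual = build_manifest(Path(scratch) / "data")
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected file restored: {rel}")
    return not problems, problems


def demo(stale_media: bool = False):
    """Back up a constructed sample tree and verify it. With stale_media=True
    the mounted media holds an older archive than the manifest describes,
    the kind of rotation error the automated check exists to catch."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "site"
        (source / "conf").mkdir(parents=True)
        (source / "conf" / "firewall.rules").write_text("deny all\n")  # constructed
        (source / "audit.log").write_text("constructed sample log line\n")
        media = work / "media"
        media.mkdir()
        archive = media / "site-backup.tar.gz"
        write_backup(source, archive)
        if stale_media:
            (source / "audit.log").write_text("yesterday's constructed sample log\n")
            with tarfile.open(archive, "w:gz") as tar:  # overwrite with older data
                tar.add(source, arcname="data")
        return verify_backup(archive)


if __name__ == "__main__":
    print(demo())
    print(demo(stale_media=True))
```

The manifest is written to the same media as the archive so that a restore test can run from the media alone; an unreadable archive, a missing or altered file, and a stray extra file are reported separately so the operator can tell a media fault from a rotation error.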
The DMZ system must include a process to correctly label storage media based on sensitivity level and content (unrestricted vs. restricted data).
If storage media used for backups is not properly labeled and protected, recovery from a system failure or implementation of a contingency plan would not include the information necessary to fully recover in the time required to ensure continued mission support.
Information Assurance Manager ECML-1
The DMZ system must have a documented Disaster Recovery Plan (DRP).
Failure to provide for restoration of mission- and business-essential functions will result in mission failure in the event of natural disaster, fire, or other catastrophic failure of the Information System.
Information Assurance Manager CODP-2
The DoD DMZ system must include documented procedures ensuring all critical systems, to include infrastructure devices such as routers and firewalls and their associated configurations, are backed up and stored appropriately.
Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups of critical systems and infrastructure devices are not performed in accordance with the disaster recovery requirements, the network or critical components may not be available in the event of loss or failure.
Information Assurance Manager COSW-1
The DoD DMZ system must include documented procedures ensuring data backup is performed at the frequency specified in the CONOPS, and recovery media is stored off-site at a location.
Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups of DMZ systems and infrastructure devices are not performed daily and in accordance with the disaster recovery requirements, the network or critical components may not be available in the event of loss or failure. If backups are not properly processed and protected, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.
Information Assurance Manager CODB-2
Procedures must be in place to restore the logging system/program if the program goes down, or must be shut down and restarted.
As the logging system is the repository for, and provides analysis of, alert and event data from all DoD DMZ systems, it is critical to ensure the system is restored to service quickly and securely in order to maintain the flow of security event data throughout the DMZ. Without the logging service available, security-relevant event data will not be captured and analyzed.
Information Assurance Manager ECSC-1
The Security Information Manager (SIM) must send and process inbound event and/or alert data in near real time with no manual intervention.
SIM technology provides the ability to perform real-time analysis of security alerts generated by network hardware and applications. If the process of sending event and log data to the SIM is slow, or is a manual process, security-relevant data may not be received quickly enough for defensive action to be taken during a live attack on a DoD host or network.
Information Assurance Manager ECAT-2
The Security Information Manager (SIM) must use an industry standard database.
For consistency, scalability, interoperability, security patching, and vendor support, it is important for the SIM to use industry standard applications.
Information Assurance Manager DCAS-1
The Security Information Manager (SIM) stored database backup must be encrypted using FIPS 140-2 validated cryptography. Unrestricted and restricted database backup may be stored on the same media, yet must be encrypted so the database storing unrestricted data cannot restore data residing in the restricted database.
Unrestricted data is public and has been approved for public release. Restricted data requires authentication and has not been approved for public release. It is important for these two data types to be separate and not accessible to any application that may breach this separation and inadvertently provide restricted data to the public.
Information Assurance Manager ECCR-2
The Security Information Manager (SIM) must maintain 30 days of meta-data online and 1 year off-line, readily available to the analyst.
If data is not available for analytical review, security events may not be aggregated and correlated. Data must be readily available because seemingly unrelated security events may take place days or weeks apart; upon analysis, it could be determined that the events are in fact related, and the events can drive actions to avoid additional compromise.
Information Assurance Manager ECRR-1
Reverse web proxy cryptographic components must be Federal Information Processing Standard (FIPS) 140-2 validated.
FIPS 140-2 validation ensures the integrity of the validated cryptographic algorithm. FIPS 140-2 is a requirement of the Federal Government and mandated by most DoD policies regarding the use of encryption within the DoD.
Information Assurance Manager ECCT-1
Procedures must be in place to restore the Security Information Manager (SIM) service if the application/system fails or must be shut down.
As the SIM is the repository for, and provides analysis of, alert and event data from all DoD DMZ systems, it is critical to ensure the system is restored to service quickly and securely in order to maintain the flow of security event data throughout the DMZ. Without the SIM service available, security-relevant event data will not be captured and analyzed.
Information Assurance Manager ECND-1
Local console access, KVM, or terminal services must be provided or available for local out-of-band management within the DMZ in case of management network failure.
A local console access solution must be available for access to devices or systems in case of management network failure. If the management network fails due to a device within the infrastructure, and there is no other means of accessing the device, the availability of the DMZ system at large could be compromised.
Information Assurance Manager ECSC-1
DMZ system components utilizing PKI must request PKI certificates from a DoD-approved Certificate Authority (CA).
To protect the integrity and authenticity of PKI certificates, it is critical that systems obtain their PKI certificates from an approved DoD Certificate Authority. Otherwise, there is no guarantee of proper access and authorization.
Information Assurance Manager IATS-2
DMZ system components utilizing DoD PKI must support DoD-approved PKI Certificate Revocation List (CRL) or DoD Online Certificate Status Protocol (OCSP) policy.
To protect the integrity and authenticity of PKI certificates, it is critical that systems support and use the DoD-approved CRLs and OCSPs. Otherwise, there is no guarantee of trusted validation of a PKI certificate.
Information Assurance Manager IATS-1
DoD DMZ servers (all components) must report denied traffic and application transactions to the local log aggregation/SIM capability in real time, generated automatically, not as a manual or batch process.
Denied transactions could be an indication of potential malicious activity on a system or network. Logging the denied traffic or transaction may provide analysts with information regarding attempts to gain unauthorized access.
Information Assurance Manager ECAT-1
The DMZ architecture must be designed so appropriate network separation is maintained for devices performing IA functions for different DMZ services.
Separation is required to protect private services and data from restricted and unrestricted data. The intent of the DoD DMZ initiative is to protect private data and services from those that are Internet-facing, and to have situational awareness of all traffic coming into the NIPRNet. Separation is also critical to protect restricted data from what has been approved for public release. Separating the IA devices performing functions on behalf of the different data types helps to ensure the integrity of the architecture and protect DoD private data.
Information Assurance Manager DCPA-1
Each CC/S/A/FA operating or maintaining a DoD DMZ must develop a Concept of Operations (CONOPS). The CONOPS will be built in accordance with requirements in the DoD DMZ STIGs and DoD DMZ Engineering Plan.
Configuration management is a key component to the security architecture of the DoD DMZ. The development, maintenance, and review of the CONOPS ensures the security requirements for the implementation are being maintained and updated as necessary to protect DoD assets and data.
Information Assurance Manager DCFA-1
Every device within the DoD DMZ must utilize a dedicated network interface for management functions.
Management interfaces provide immediate access to the privileged roles and configuration of devices and therefore need to be dedicated and separate from those supporting general user or production roles.
Information Assurance Manager ECSC-1
Traffic traversing the management network must be encrypted using Federal Information Processing Standard (FIPS) 140-2 validated cryptography.
Management traffic consists of privileged user account information and device configuration data. Access to this sensitive information could lead to direct access to the platform or system. Therefore, it requires encryption to ensure the confidentiality and integrity of the session.
Information Assurance Manager ECNK-1
The DMZ architecture, and all associated boundary IA control devices, must deny all inbound and outbound services except those specifically implemented or permitted.
Allowing unknown traffic into the DMZ can make all devices susceptible within the DMZ to an attack. In addition, it is the DMZ owner's responsibility to protect the NIPRNet by filtering traffic and only allowing what is specifically authorized.
Information Assurance Manager ECSC-1
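The "deny everything not specifically permitted" stance can be checked before a rule set reaches a boundary device by evaluating sample flows against it. The following is an added example, not part of the STIG and not the configuration syntax of any particular firewall product: a first-match rule list whose implicit final rule denies, with each denial recorded for forwarding to log aggregation. The networks (203.0.113.0/24 as the DMZ web tier, 203.0.113.10 as the reverse web proxy), hosts, ports, rule names and sample flows are all constructed values. Running the same flows with a permissive default shows what the requirement rules out.

```python
"""Default-deny evaluation of a DMZ boundary policy.

Added example; not part of the STIG text. It models a first-match packet
filter whose final, implicit rule denies everything not specifically
permitted, and records each denial for forwarding to log aggregation.
The networks, hosts, ports and rule names are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source CIDR; "0.0.0.0/0" is any IPv4 source
    dst: str                     # destination CIDR
    dports: tuple = (0, 65535)   # inclusive destination port range
    name: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (
            self.proto in ("any", proto)
            and ip_address(src) in ip_network(self.src)
            and ip_address(dst) in ip_network(self.dst)
            and self.dports[0] <= dport <= self.dports[1]
        )


class Policy:
    """Ordered rule list; the first matching rule wins, otherwise `default`."""

    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default
        self.denied = []  # denial events, the input to the SIM/log forwarder

    def decide(self, proto: str, src: str, dst: str, dport: int):
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                verdict, reason = rule.action, rule.name or "unnamed rule"
                break
        else:
            # Nothing permitted this flow explicitly: the default decides.
            verdict, reason = self.default, "implicit default"
        if verdict == "deny":
            self.denied.append((proto, src, dst, dport, reason))
        return verdict, reason


# Constructed sample values: 203.0.113.0/24 is the DMZ web tier, 203.0.113.10 the
# reverse web proxy (RWP), 203.0.113.20 a web server behind it.
PERMITTED = [
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", (443, 443), "Internet to RWP https"),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", (80, 80), "Internet to RWP http"),
    Rule("permit", "tcp", "203.0.113.10/32", "203.0.113.20/32", (8443, 8443), "RWP to web server"),
]

# Constructed sample flows: (proto, src, dst, dport).
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.77", "203.0.113.10", 443),   # browsing via the RWP
    ("tcp", "198.51.100.77", "203.0.113.10", 22),    # SSH from the Internet: no rule
    ("tcp", "198.51.100.77", "203.0.113.11", 443),   # https to a host with no rule
    ("tcp", "203.0.113.10", "203.0.113.20", 8443),   # RWP forwarding to its web server
]


def evaluate(default: str = "deny"):
    """Run the sample flows through the policy; return verdicts and denials."""
    policy = Policy(PERMITTED, default=default)
    verdicts = [policy.decide(*flow)[0] for flow in SAMPLE_FLOWS]
    return verdicts, policy.denied


if __name__ == "__main__":
    for default in ("deny", "permit"):
        verdicts, denied = evaluate(default)
        print(f"default={default}: {verdicts}; {len(denied)} denial(s) to forward")
```

With the default set to deny, the two flows that no rule names are refused and recorded; with a permissive default the same flows pass silently, which is exactly the exposure the requirement exists to prevent.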
DoD DMZ systems must be IPv6 capable.
As the DoD transitions from IPv4 to IPv6, it is critical that the DoD DMZ IA devices are capable of supporting the IPv6 protocol. If the devices do not support IPv6, additional funding and time will be spent acquiring IPv6-capable systems. IPv6 traffic must be transitioned appropriately, and if an IA device is not capable of supporting or detecting the protocol, malicious IPv6 traffic may infiltrate the DMZ.
Information Assurance Manager ECSC-1
DoD DMZ IA devices using signatures for detection must be updated at least daily.
Detection signatures must be updated daily to ensure zero day attacks are caught prior to propagation throughout the DMZ.
Information Assurance Manager ECSC-1
Network separation must be maintained for different server types within the DoD DMZ.
Separation is required to protect Private servers from Restricted and Unrestricted servers. Separation is also required to protect Application and Database servers, if used, from Web servers. The intent of the DoD DMZ initiative is to protect Private servers from those that are Internet-facing, and to have situational awareness of all traffic coming into the NIPRNet. Separation is also critical to protect Restricted servers from Unrestricted servers. Protecting Private assets from the Internet is the fundamental principle behind the DoD DMZ. The traffic can aggregate at the firewall.
Information Assurance Manager DCPA-1
A resource/device must not be shared for termination of encrypted private traffic and unrestricted/restricted applications or services.
Termination end points must not share resources for any private application. Private means services are NIPRNet only and not accessible to the Internet. Unrestricted or Restricted services are accessible from the Internet. Therefore, in order to maintain separation, the types of data must not share resources. The DMZ architecture and placement forces the separation of U/R from Private traffic. This requirement is for the termination device not to be shared between U/R traffic, which will reside in the DMZ (Internet facing), and Private traffic, which will not reside in the DMZ and will only be accessible via the NIPRNet. Although the encrypted traffic rides the same circuit to the point of presence, the traffic will need to be routed appropriately to the correct termination device dependent on the data type. This requires two different termination devices (e.g., Reverse Web Proxy (RWP)), one for Private and one for U/R.
Information Assurance Manager ECSC-1
The DoD DMZ must be connected to the Internet and NIPRNet with a peering, or completely dedicated perimeter, in-line firewall that performs deep packet inspection.
Basic security requires firewalling technologies to inspect and secure traffic between the DoD DMZ and the Internet or the NIPRNet.
Information Assurance Manager EBBD-1, EBBD-2, EBBD-3
The DoD DMZ must have a dedicated management network for device management and security information traffic flows.
From an architectural point of view, providing a dedicated network for the management of network systems is the best first step in any management strategy. No production traffic resides on a management network. The biggest advantage of implementing a management network is the ability to provide support and maintenance to a network that has become degraded or compromised. During an outage or degradation period the in-band management link may not be available. The consequences of loss of availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures. Maintenance support for key IT assets must be available to respond 24x7 immediately upon failure.
Information Assurance Manager ECSC-1
The DoD DMZ must contain an RWP for all http/https traffic flows.
An integral component within the DoD DMZ architecture is the utilization of a RWP for application traffic flows. The RWP brokers the HTTP/HTTPS connection so there is not a direct connection between the DoD host and the Internet. A direct connection to the Internet provides a direct avenue for attack against DoD hosting systems.
Information Assurance Manager EBBD-1, EBBD-2
The DoD DMZ Reverse Web Proxy (RWP) must support the use of TLSv1 and SSLv3.
As DoD policy, including the STIGs, requires the use of newer encryption standards such as SSLv3 and TLSv1, it is important to ensure all information assurance devices, such as the RWP, support the newer standards.
Information Assurance Manager ECSC-1
The DoD DMZ must contain a Security Information Manager (SIM) providing real-time analysis of security alerts generated by DoD DMZ components, to include the supporting network infrastructure.
As the SIM is the repository for alert and event data from all DoD DMZ systems, it is a critical security component of the DoD DMZ architecture. The SIM provides the capability to process inbound event and/or alert data with business logic in near real time and to capture security-relevant event data and logs, which are used by security analysts to detect anomalies throughout the network and connected systems.
Information Assurance Manager ECSC-1
A syslog server must be deployed in the management network.
Logging is a critical security function and sending log data to a central repository such as a syslog server provides the information for further analysis.
Information Assurance Manager ECAT-1
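The syslog requirement here, the denied-traffic reporting requirement (denials sent to the SIM automatically and in real time, not as a batch) and the SIM's near-real-time processing requirement all describe one data path, shown below as an added example that is not part of the STIG or of any DoD component's code. It parses constructed denial lines in a hypothetical firewall log format, wraps each denial as an RFC 5424 syslog message the moment it is read, and shows the per-source aggregation an analyst sees on the SIM side. The log format, host names, addresses and the structured-data element name are assumptions; 32473 is the enterprise number RFC 5424 reserves for documentation examples. The loopback receiver stands in for the syslog server on the management network.

```python
"""Near-real-time forwarding of denied transactions to the syslog/SIM tier.

Added example, not part of the STIG. It parses constructed denial lines in a
hypothetical firewall log format, converts each denial into an RFC 5424 syslog
message as soon as it is seen (one message per event, no batching), and shows
the per-source aggregation an analyst would see on the SIM. The log format,
host names, addresses and the structured-data element name are assumptions;
32473 is the enterprise number RFC 5424 reserves for documentation examples.
"""
import re
import socket
from collections import Counter
from typing import Callable, Optional

# Constructed sample lines in the hypothetical firewall format.
SAMPLE_LINES = [
    "2024-03-01T12:00:01Z fw-dmz-1 DENY tcp 198.51.100.77:51234 -> 203.0.113.10:22",
    "2024-03-01T12:00:02Z fw-dmz-1 DENY tcp 198.51.100.77:51235 -> 203.0.113.10:3389",
    "2024-03-01T12:00:02Z fw-dmz-1 PERMIT tcp 198.51.100.20:44001 -> 203.0.113.10:443",
    "2024-03-01T12:00:03Z fw-dmz-1 DENY udp 192.0.2.9:5353 -> 203.0.113.11:161",
    "garbage line the parser must skip rather than crash on",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|PERMIT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

LOCAL4, WARNING = 20, 4  # syslog facility and severity used for denials


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not in the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def to_syslog(ev: dict, facility: int = LOCAL4, severity: int = WARNING) -> str:
    """Wrap a denial as an RFC 5424 message: PRI, version, timestamp, host,
    app-name, procid, msgid, structured data, free-text message."""
    pri = facility * 8 + severity
    sd = (f'[fwdeny@32473 proto="{ev["proto"]}" src="{ev["src"]}" sport="{ev["sport"]}" '
          f'dst="{ev["dst"]}" dport="{ev["dport"]}"]')
    text = f'denied {ev["proto"]} {ev["src"]}:{ev["sport"]} -> {ev["dst"]}:{ev["dport"]}'
    return f'<{pri}>1 {ev["ts"]} {ev["host"]} fw - DENY {sd} {text}'


def forward_denials(lines, send: Optional[Callable[[str], object]] = None) -> list:
    """Emit one syslog message per DENY as each line arrives. `send` is the
    transport to the SIM; it is invoked immediately, never queued for a batch."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        msg = to_syslog(ev)
        if send is not None:
            send(msg)
        out.append(msg)
    return out


def top_sources(lines) -> list:
    """SIM-side view: denial counts per source address, busiest first."""
    counts = Counter(ev["src"] for ev in map(parse_line, lines)
                     if ev and ev["action"] == "DENY")
    return counts.most_common()


def loopback_demo(lines) -> list:
    """Deliver the messages over UDP to a receiver bound on 127.0.0.1, standing
    in for the syslog server on the management network; return what arrived."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    receiver.settimeout(2.0)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    target = receiver.getsockname()
    try:
        sent = forward_denials(lines, send=lambda m: sender.sendto(m.encode(), target))
        return [receiver.recv(4096).decode() for _ in sent]
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    for msg in loopback_demo(SAMPLE_LINES):
        print(msg)
    print(top_sources(SAMPLE_LINES))
```

The structured-data element carries the tuple the SIM needs for correlation (protocol, source, destination, port) in machine-readable form, while the free-text part keeps the line readable for an analyst; the permitted flow and the unparseable line are skipped rather than forwarded, so a malformed record cannot stall the path for the events behind it.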