NIPRNet DoD DMZ Devices STIG

U_Internet-Niprnet_DMZ_Devices_V2R1_STIG_Manual-xccdf.xml

Details

Version / Release: V2R1

Published: 2011-12-07

Updated At: 2018-09-23 02:55:52

Findings
Each finding below lists the Vuln ID, Rule Version and Severity on the first line, followed by the rule Title, the Description (vulnerability discussion), the Responsibility and the IA Controls from the XCCDF. The CCI column is empty for every rule in this release.

SV-15758r3_rule  DMZ-FW4  LOW
Title: The DoD DMZ firewall system must provide a single, dedicated administrative interface which resides on the management network, controlling all operational firewall functions from a single location.
Description: If there are multiple interfaces to maintain and manage the firewall configuration, it provides additional attack vectors for adversaries to gain access to the firewall.
Responsibility: Information Assurance Manager
IA Controls: EBBD-1, EBBD-2, EBBD-3

SV-15784r3_rule  DMZ-DNS5  MEDIUM
Title: DoD DMZ sites must configure DNS servers to utilize the DoD DNS .mil proxy for all inbound DNS queries.
Description: The DoD DNS .mil proxy provides additional protections from malicious DNS queries inbound from the Internet. The .mil proxy implementation provides a checkpoint for all queries to ensure the DoD DNS infrastructure is not compromised.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1

SV-15790r3_rule  DMZ-NET5.3  LOW
Title: Alert and log data must include, at a minimum: Reporting device name, Date and Time Stamp of event, Source and Destination IP address, Port, Protocol, User ID (if available), alert code and/or description.
Description: In order for complete analysis and correlation of event data, the reports must be complete with enough information to make a determination of potential malicious attacks across the network.
Responsibility: Information Assurance Manager
IA Controls: ECAT-1

SV-15791r3_rule  DMZ-NET5.1  LOW
Title: Each security device within the DMZ must send all alerts, reports of denied traffic flows, and user transactions to the local (or appropriate CND) Security Information Manager.
Description: As the SIM is the repository for alert and event data from all DoD DMZ systems it is a critical security component of the DoD DMZ architecture. The SIM provides the capability to process inbound event and/or alert data with business logic in near real time and to capture security relevant event data and logs used by security analysts to detect anomalies throughout the network and connected systems.
Responsibility: Information Assurance Manager
IA Controls: ECAT-1

SV-15792r3_rule  DMZ-NET6.1  MEDIUM
Title: All system components must report IA health data and send log data to the logging server.
Description: The IA health of devices responsible for protecting the network and data is critical to ensure the devices are capable of responding to, or alerting on, potential malicious behavior or attacks on DoD networks.
Responsibility: Information Assurance Manager
IA Controls: ECAT-1

SV-15793r3_rule  DMZ-1.3  MEDIUM
Title: Network Address Translation (NAT), while permitted, must maintain forensic traceability to DoD DMZ systems.
Description: Network Address Translation (NAT) allows for the use of private IP space within an infrastructure. While this may provide additional IP space, it does not by itself allow for forensic traceability in the event of an attack. If NAT is implemented, it must be configured to allow for traceability from the source to the destination and the traffic flows in between.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1

SV-15818r3_rule  DMZ-RWP1.3  MEDIUM
Title: The DMZ reverse web proxy must be configured to analyze HTTP and FTP headers.
Description: An integral component within the DoD DMZ architecture is the utilization of a Reverse Web Proxy (RWP) for application traffic flows. The RWP brokers the HTTP/HTTPS connection so there is not a direct connection between the DoD host and the Internet. A direct connection to the Internet provides a direct avenue for attack against DoD hosting systems.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1

SV-15839r3_rule  DMZ-LR1  MEDIUM
Title: DMZ systems must log all events, to include the reason for all file scanning failures for data at rest and in transit, administrative activities, and CND events. DMZ systems must provide a log viewing tool and send all logs to a syslog server.
Description: Logging is a critical security function, and capturing the right amount and type of data provides the information for further analysis and potential action.
Responsibility: Information Assurance Manager
IA Controls: ECAR-2

SV-15840r3_rule  DMZ-LR2  LOW
Title: DMZ systems must protect logs in transit using IPSec or TLS v1 (encryption) in accordance with the PPSM Vulnerability Assessments and Category Assignments List, and FIPS 140-2 encryption requirements.
Description: Log data consists of sensitive information and potential device configuration information. Access to sensitive information could lead to direct access to the platform or system. Therefore, it requires encryption to ensure the confidentiality and integrity of the data.
Responsibility: Information Assurance Manager
IA Controls: ECCT-1

SV-15844r3_rule  DMZ-SIM5.2  MEDIUM
Title: Site-to-site communications of aggregated Security Information Manager (SIM) and/or log data must be encrypted.
Description: Data must be encrypted during transmission using validated FIPS 140-2 cryptography in order to minimize the risk of the data’s exposure if intercepted or misrouted. As the SIM is the repository for alert and event data from all DoD DMZ systems it is a critical security component of the DoD DMZ architecture. The SIM data communication or log data between sites must be protected via encryption in order to minimize the risk of exposure or exfiltration of data.
Responsibility: Information Assurance Manager
IA Controls: ECCT-1

SV-15846r3_rule  DMZ-SIM8.1  MEDIUM
Title: Users of the DMZ SIM service must utilize DoD approved CAC/PKI for authentication.
Description: Authentication and authorization are key components to security within any architecture. Ensuring systems adhere to the current DoD policies regarding the use of CAC/PKI aids in eliminating unauthorized access and disclosure of DoD data.
Responsibility: Information Assurance Manager
IA Controls: IATS-2

SV-15848r3_rule  DMZ-SIM12.2  LOW
Title: The DMZ Security Information Manager (SIM) software must automatically detect and alert on abnormal network behavior.
Description: The SIM is the central repository for event data and must detect and alert on any abnormal behavior in order for analysts to react to events on the network. Abnormal behavior is anything out of the ordinary occurring on the network, or some anomaly that is not part of the network’s standard traffic baseline. A site will have determined what normal traffic patterns are for their particular implementation, and anything outside of their normal traffic would be considered abnormal.
Responsibility: Information Assurance Manager
IA Controls: ECAT-2

SV-15859r3_rule  DMZ-FW4.4  HIGH
Title: The NIPRNet DMZ firewall must identify and alert on internal spoofed IP addresses and drop all packets identified with spoofed IP addresses.
Description: Inbound spoofing occurs when someone outside the network uses an internal IP address to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use the information to perform destructive acts on or to the network.
Responsibility: Information Assurance Manager
IA Controls: EBBD-1, EBBD-2, EBBD-3

SV-18424r2_rule  DMZ-FTP1.1  MEDIUM
Title: The DoD DMZ must proxy all FTP sessions through an FTP proxy.
Description: An FTP proxy securely relays FTP connections and brokers the connection so FTP commands are not sent directly to the host.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1

SV-18432r2_rule  DMZ-LNSR1  MEDIUM
Title: VLANs must be defined so separation between different data types is maintained for unrestricted and restricted data.
Description: The intent of the DoD DMZ is to isolate traffic between different data types. If separation is not maintained, private and restricted DoD data is at greater risk of compromise. This supplemental logical network separation requirement is an enhancement to the requirements in the Network Infrastructure STIG. This additional requirement is intended to mitigate Ethernet switch vulnerabilities not addressed within the Network Infrastructure STIG. This requirement is imposed where origin servers of different data types attach to the same layer 2 network.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1

SV-18434r2_rule  DMZ-LNSR3  HIGH
Title: VLANs must be established to isolate unrestricted and restricted data.
Description: If logical rather than physical separation is used to segregate traffic from origin servers of different data types, the only secure means to separate the data is via different VLANs. Otherwise restricted data could commingle with unrestricted (public) data. Private services will not be accessible from the Internet, and must be physically (not logically) isolated via a physically separate infrastructure. This supplemental logical network separation requirement is an enhancement to the requirements in the Network Infrastructure STIG. This additional requirement is intended to mitigate Ethernet switch vulnerabilities not addressed within the Network Infrastructure STIG. This requirement is imposed where origin servers of different data types attach to the same layer 2 network.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1
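Two of the rules above describe checks an analyst can run against firewall event data rather than just policy: DMZ-NET5.3 (every alert/log record carries device name, timestamp, source and destination IP, port, protocol, user if available, and an alert code or description) and DMZ-FW4.4 (a packet arriving from the outside whose source address lies in internal address space is spoofed and must be alerted on and dropped). The following Python is an added example written for this page, not DISA's code or part of the STIG. It audits a handful of constructed key=value firewall log lines for both conditions. The log format, the interface name "outside", and the internal prefixes (RFC 1918 space plus the 203.0.113.0/24 documentation range standing in for the DMZ's own public block) are all assumptions for the example; a real deployment would substitute its firewall's format and its actual address plan.

```python
import ipaddress
import re

# Assumed internal address space for the example (RFC 1918 plus a documentation
# prefix standing in for the DMZ's own public block). The STIG does not fix these.
INTERNAL_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]

# Minimum fields required by DMZ-NET5.3; "user" is "if available" and so optional.
REQUIRED_FIELDS = ("dev", "ts", "src", "dst", "dport", "proto", "alert")

# Constructed sample log in an assumed key=value format (not real firewall output).
# Line 2: internal RFC 1918 source arriving on the outside interface (spoofed).
# Line 3: the DMZ's own public prefix used as a source from outside (spoofed).
# Line 4: legitimate outbound flow from inside, with a user ID present.
# Line 5: record missing timestamp, port and alert code (fails DMZ-NET5.3).
SAMPLE_LOG = """\
dev=dmz-fw1 ts=2011-12-07T14:02:11Z iface=outside src=198.51.100.23 dst=203.0.113.10 dport=443 proto=tcp action=permit alert=none
dev=dmz-fw1 ts=2011-12-07T14:02:12Z iface=outside src=10.20.30.40 dst=203.0.113.10 dport=22 proto=tcp action=permit alert=none
dev=dmz-fw1 ts=2011-12-07T14:02:13Z iface=outside src=203.0.113.77 dst=203.0.113.10 dport=80 proto=tcp action=deny alert=acl-deny
dev=dmz-fw1 ts=2011-12-07T14:02:14Z iface=inside src=10.20.30.40 dst=198.51.100.5 dport=53 proto=udp user=jdoe action=permit alert=none
dev=dmz-fw1 iface=outside src=198.51.100.9 dst=203.0.113.10 proto=tcp action=permit
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one key=value log line into a dict of field -> string value."""
    return dict(_KV.findall(line))


def missing_fields(rec):
    """DMZ-NET5.3: return the required fields that the record lacks, in order."""
    return [f for f in REQUIRED_FIELDS if f not in rec]


def is_spoofed_inbound(rec, external_iface="outside"):
    """DMZ-FW4.4: True when a packet seen on the external interface carries a
    source address from internal space. Records with no interface or an
    unparseable source cannot be judged and are reported as not spoofed."""
    if rec.get("iface") != external_iface:
        return False
    try:
        src = ipaddress.ip_address(rec["src"])
    except (KeyError, ValueError):
        return False
    return any(src in net for net in INTERNAL_PREFIXES)


def audit(log_text):
    """Return one finding per problem as (line_number, rule, detail)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        gaps = missing_fields(rec)
        if gaps:
            findings.append((n, "DMZ-NET5.3", "missing " + ",".join(gaps)))
        if is_spoofed_inbound(rec):
            findings.append((n, "DMZ-FW4.4", f"spoofed internal source {rec['src']}"))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {detail}")
```

Running the block flags lines 2 and 3 as spoofed inbound sources and line 5 as an incomplete record; the clean inbound flow on line 1 and the inside-originated flow on line 4 produce nothing. The spoof check deliberately keys on the ingress interface, not just the address: the same 10.20.30.40 is legitimate on the inside interface (line 4) and spoofed on the outside interface (line 2), which is exactly the distinction an anti-spoofing ACL on the firewall's external interface has to make.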