Review the firewall configuration to determine compliance. A single/dedicated administration interface must be present on the firewall controlling all operational firewall functions from a single location.
Configure the DMZ firewall system to provide a single administrative interface on the management network controlling all operational firewall functions from a single location.
Review the site's DNS configuration to verify all inbound DNS queries are being proxied to the NIPRNet authoritative DNS servers via the DoD DNS .mil proxy.
Configure DNS servers to utilize the DoD DNS .mil proxy for all inbound DNS queries.
Review the report data or report template sent from the DMZ IA devices to the applicable CNDS to ensure the following are incorporated into the report: reporting device name, date and time stamp of the event, source and destination IP address, port, protocol, user ID (if available), and alert code and/or description.
Configure the system’s alert application data to include, at a minimum: Reporting device name, Date and Time Stamp of event, Source and Destination IP address, Port, Protocol, User ID (if available), alert code and/or the description.
Review the following IA devices to ensure alerts are being managed and sent to the local SIM: routers, switches, firewalls (including host-based firewalls and IPS), Reverse Web Proxy (RWP), Web Application Firewall (WAF), Database Security Gateway (DBSG), HBSS, IDS (including host-based IDS), and host integrity system. The system will report all denied traffic flows and user transactions with the source user, when possible, and the source IP address, at a minimum.
Configure each IA device within the DMZ to send all alerts, based on individual configurations, to the local (or appropriate CND) Security Information Manager. Alerts will include at a minimum, source user, when possible, and the source IP address.
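A reviewer checking the two requirements above needs to confirm that every alert a device forwards actually carries the required fields and that denied-flow alerts never arrive without a source address. The following is an added example, not DISA or vendor code: it assumes a constructed "key=value" record layout (real devices emit CEF, LEEF or vendor syslog), constructed field names, an assumed ISO-8601 UTC timestamp format, and constructed sample lines using RFC 5737 documentation addresses.

```python
"""Validate alert records destined for the SIM against the fields the DMZ
STIG requires.  Added example, not DISA or vendor code; the 'key=value'
record layout, field names, timestamp format and sample lines are constructed."""
import ipaddress
from datetime import datetime

# Fields every alert must carry. A user ID is required only "if available",
# so its absence is reported separately rather than as a failure.
REQUIRED = ("device", "ts", "src", "dst", "port", "proto")
ALERT_ID = ("alert_code", "description")   # at least one must be present
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"          # assumed: devices log UTC ISO-8601


def parse_record(line: str) -> dict:
    """Parse a constructed 'key=value key=value ...' alert line."""
    rec = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def validate(rec: dict) -> list:
    """Return the compliance problems for one record (empty list = compliant)."""
    problems = [f"missing {f}" for f in REQUIRED if f not in rec]
    if not any(f in rec for f in ALERT_ID):
        problems.append("missing alert_code/description")
    for f in ("src", "dst"):
        if f in rec:
            try:
                ipaddress.ip_address(rec[f])
            except ValueError:
                problems.append(f"{f} is not an IP address")
    if "ts" in rec:
        try:
            datetime.strptime(rec["ts"], TS_FORMAT)
        except ValueError:
            problems.append("ts is not an ISO-8601 UTC timestamp")
    if "port" in rec and not (rec["port"].isdigit() and int(rec["port"]) <= 65535):
        problems.append("port is not a valid port number")
    return problems


def audit(lines) -> dict:
    """Map 1-based line numbers of non-compliant records to their problems."""
    findings = {}
    for n, line in enumerate(lines, 1):
        problems = validate(parse_record(line))
        if problems:
            findings[n] = problems
    return findings


def missing_user(lines) -> list:
    """Line numbers of records without a user ID, for follow-up with the device owner."""
    return [n for n, line in enumerate(lines, 1)
            if parse_record(line).get("user", "-") == "-"]


# Constructed sample: a firewall deny, a reverse-proxy alert, an IDS alert with
# a truncated timestamp, and a switch ACL drop that omits the source address.
SAMPLE = [
    "device=dmz-fw01 ts=2024-03-05T14:02:11Z src=203.0.113.7 dst=198.51.100.20 port=443 proto=tcp action=deny alert_code=FW-DENY user=-",
    "device=dmz-rwp01 ts=2024-03-05T14:02:12Z src=203.0.113.7 dst=198.51.100.20 port=80 proto=tcp user=jdoe description=malformed-host-header",
    "device=dmz-ids01 ts=2024-03-05 src=203.0.113.7 dst=198.51.100.20 port=22 proto=tcp description=ssh-bruteforce",
    "device=dmz-sw01 ts=2024-03-05T14:02:13Z dst=198.51.100.20 port=80 proto=tcp alert_code=ACL-DROP",
]

if __name__ == "__main__":
    for n, problems in audit(SAMPLE).items():
        print(f"line {n}: {', '.join(problems)}")
    print("no user ID on lines:", missing_user(SAMPLE))
```

Run against a day's worth of exported SIM records, the `audit` findings identify which device configurations need to be corrected, while `missing_user` separates the "user not available" cases the STIG tolerates from records that fail outright.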
System components are required to report IA health data via Simple Network Management Protocol (SNMP), or other communication means, to the Element Management System (EMS) as follows:
- CPU, RAM, and hard disk utilization
- Services and processes running
- Interface status (up or down) and interface statistics
- Statistics on packets allowed and denied
- Authentication failure statistics
Configure all system components to report IA health data and send log data to the logging server.
Review a random sampling of device IP addresses and the firewalling capability (to include firewall, router, RWP, etc.) configuration to determine compliance. NAT is not permitted within the DoD DMZ unless forensic traceability is maintained so the source and destination IP address can be positively identified for all transactions and as long as log files or tables can trace the IP addresses.
NAT is not permitted within the DMZ unless forensic traceability, within the DoD IP space, is maintained so the source and destination IP address can be positively identified for all transactions.
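The traceability condition above is testable: given the NAT device's translation log, every post-NAT tuple seen downstream must map back to exactly one pre-NAT source. The following is an added example, not DISA or firewall-vendor code; the translation-log layout, the events and every address and time in them are constructed. It also shows the failure modes a reviewer should look for: a tuple no log entry covers (log retention or teardown records missing) and a tuple covered by more than one entry, which means the source cannot be positively identified.

```python
"""Recover the pre-NAT source of a transaction from a NAT translation log,
and fail loudly when the log cannot identify it.  Added example, not DISA or
firewall-vendor code; the translation-log layout and every address and time
in it are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NatEntry:
    start: datetime    # translation created
    end: datetime      # translation torn down
    proto: str
    orig_src: str      # pre-NAT source  ip:port
    xlat_src: str      # post-NAT source ip:port
    dst: str           # destination     ip:port


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


# Constructed log. Public port 40001 is legitimately reused by the first two
# sessions at different times; the third entry overlaps the second, as happens
# when a teardown record is lost, and breaks traceability for that window.
NAT_LOG = [
    NatEntry(_t("2024-03-05T14:00:00Z"), _t("2024-03-05T14:05:00Z"), "tcp",
             "10.20.30.40:51522", "198.51.100.1:40001", "203.0.113.9:443"),
    NatEntry(_t("2024-03-05T14:10:00Z"), _t("2024-03-05T14:12:00Z"), "tcp",
             "10.20.30.41:50010", "198.51.100.1:40001", "203.0.113.9:443"),
    NatEntry(_t("2024-03-05T14:10:30Z"), _t("2024-03-05T14:11:00Z"), "tcp",
             "10.20.30.42:50011", "198.51.100.1:40001", "203.0.113.9:443"),
]


def trace_source(log, proto: str, xlat_src: str, dst: str, when: datetime) -> str:
    """Return the unique pre-NAT source for a post-NAT tuple seen at `when`.

    Raises LookupError if no translation covers the tuple at that time and
    ValueError if more than one does; either way the log does not positively
    identify the source, which is the condition the STIG forbids.
    """
    hits = [e for e in log
            if e.proto == proto and e.xlat_src == xlat_src and e.dst == dst
            and e.start <= when <= e.end]
    if not hits:
        raise LookupError("no translation covers this tuple at this time")
    if len(hits) > 1:
        raise ValueError(f"{len(hits)} translations match; source is ambiguous")
    return hits[0].orig_src


def traceability_report(log, events) -> dict:
    """Classify observed post-NAT events as traced, untraced or ambiguous."""
    report = {"traced": [], "untraced": [], "ambiguous": []}
    for proto, xlat_src, dst, when in events:
        try:
            source = trace_source(log, proto, xlat_src, dst, when)
            report["traced"].append((xlat_src, when, source))
        except LookupError:
            report["untraced"].append((xlat_src, when))
        except ValueError:
            report["ambiguous"].append((xlat_src, when))
    return report


# Constructed events as a downstream device (e.g. the reverse web proxy) saw them.
EVENTS = [
    ("tcp", "198.51.100.1:40001", "203.0.113.9:443", _t("2024-03-05T14:02:00Z")),
    ("tcp", "198.51.100.1:40001", "203.0.113.9:443", _t("2024-03-05T14:10:45Z")),
    ("tcp", "198.51.100.1:40001", "203.0.113.9:443", _t("2024-03-05T14:20:00Z")),
]

if __name__ == "__main__":
    for key, items in traceability_report(NAT_LOG, EVENTS).items():
        print(key, items)
```

Any non-empty "untraced" or "ambiguous" bucket over the review sample is a finding: the site's NAT does not maintain forensic traceability for those transactions, regardless of what the firewall policy document says.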
Review the DMZ reverse web proxy configuration to ensure it is configured to analyze HTTP and FTP headers.
Configure the DMZ reverse web proxy to analyze HTTP and FTP headers.
Review the logging server (e.g., syslog server) and a random sampling of DMZ devices to determine if all events are logged in accordance with the CONOPS, to include administrative activities, and CND events. Review to determine if a log viewing tool is available and if all logs are sent to a remote system via syslog.
Configure DMZ devices to log all events, including the reason for all file scanning failures for data at rest and in transit. DMZ systems will provide a log viewing tool and send all logs to a remote system via syslog.
Review a random sampling of DMZ devices to ensure they are configured to encrypt all logs in transit utilizing a FIPS 140-2 validated encryption algorithm.
Configure DMZ systems to protect logs in transport using IPsec or TLS in accordance with FIPS 140-2 requirements. The original fix text names "TLS v1"; note that NIST SP 800-52 Rev. 2 requires TLS 1.2 or later and disallows TLS 1.0 and 1.1, so configure TLS 1.2 or later with FIPS-approved cipher suites on both the sending device and the log collector.
Review the configuration of any site to site communication channels to ensure SIM and log data is encrypted in transport utilizing a FIPS 140-2 validated encryption algorithm. 1) Review the DMZ architecture and determine if aggregated log/SIM data is transmitted to any other site. 2) If aggregated log/SIM data is transmitted to any other site, review communications capability and verify FIPS 140-2 encryption capability is used to encrypt the data for transmission.
Configure the transport mechanism of any site to site communications of aggregated DMZ SIM or log data to encrypt the transport. Data must be encrypted during transmission using validated FIPS 140-2 cryptography in order to minimize the risk of the data’s exposure if intercepted or misrouted.
Review the DMZ policy and procedures to ensure approved DoD CAC and DoD PKI are used for authentication. Review the SIM server configuration to ensure CAC/PKI is used for authentication.
Configure the SIM server to use DoD-approved CAC/PKI for authentication of all authorized users of the SIM service.
Review the SIM software running configuration to determine if it is configured to detect and alert on abnormal network behavior. Abnormal network behavior would be identified as anything other than what is documented in the network’s standard traffic baseline.
Configure the SIM software to automatically detect and alert on abnormal network behavior.
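The definition above ("anything other than what is documented in the network's standard traffic baseline") reduces to a whitelist match: each observed flow is compared against the documented (source network, destination network, protocol, destination port) entries and anything unmatched is an alert. The following is an added example, not DISA or SIM-vendor code; the baseline entries, the prefixes, and the flow records are constructed for illustration.

```python
"""Alert on flows that are not in the documented traffic baseline.  Added
example, not DISA or SIM-vendor code; the baseline entries, prefixes and
flow records are constructed for illustration."""
import ipaddress

# Documented baseline: (source network, destination network, protocol, destination port).
BASELINE = [
    ("0.0.0.0/0",       "198.51.100.0/24", "tcp", 443),   # Internet -> DMZ web servers
    ("198.51.100.0/24", "10.0.5.0/24",     "tcp", 1433),  # DMZ web -> database security gateway
    ("10.0.9.0/24",     "198.51.100.0/24", "tcp", 22),    # management network -> DMZ hosts
    ("198.51.100.0/24", "10.0.9.50/32",    "udp", 514),   # DMZ hosts -> syslog collector
]


def compile_baseline(rules):
    """Turn the documented baseline into parsed network objects once."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port)
            for s, d, proto, port in rules]


def in_baseline(baseline, src, dst, proto, dport) -> bool:
    """True if some baseline entry documents this flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and proto == p and dport == port
               for sn, dn, p, port in baseline)


def detect_abnormal(baseline, flows) -> list:
    """Return one alert string per flow the baseline does not document."""
    alerts = []
    for ts, src, dst, proto, dport in flows:
        if not in_baseline(baseline, src, dst, proto, dport):
            alerts.append(f"{ts} ABNORMAL {proto} {src} -> {dst}:{dport} not in baseline")
    return alerts


# Constructed flow records (timestamp, src, dst, proto, dst port).
FLOWS = [
    ("14:02:11", "203.0.113.5",   "198.51.100.10", "tcp", 443),
    ("14:02:12", "198.51.100.10", "10.0.5.7",      "tcp", 1433),
    ("14:02:13", "198.51.100.10", "10.0.5.7",      "tcp", 3389),  # RDP into the DB segment: not baselined
    ("14:02:14", "203.0.113.5",   "198.51.100.10", "tcp", 22),    # SSH from the Internet: not baselined
    ("14:02:15", "198.51.100.10", "10.0.9.50",     "udp", 514),
]

if __name__ == "__main__":
    for alert in detect_abnormal(compile_baseline(BASELINE), FLOWS):
        print(alert)
```

The baseline must be the documented one, not a list learned from current traffic; learning the baseline from the network would silently whitelist whatever is already happening, which defeats the purpose of the requirement.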
Verify the firewall is configured to identify, alert on, and drop spoofed IP addresses as follows: 1) Incoming packet from the Internet with an internal network IP address as the source address (i.e., a source IP address from a network being protected by the firewall). 2) Outgoing packet from an internal network with an external IP address as the source address (i.e., a source IP address not from the internal protected network).
Configure the NIPRNet DMZ firewall to identify and alert on internal spoofed IP addresses and drop all packets identified with spoofed IP addresses.
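The two anti-spoofing rules above can be expressed as a small classifier that a reviewer can run against packet captures or firewall logs from both interfaces. The following is an added example, not DISA or firewall-vendor code; the protected prefixes, the packet tuples and the alert record layout are constructed. It goes one step beyond the check text by also dropping source addresses that can never legitimately appear on either interface (loopback, multicast, unspecified).

```python
"""Classify packets as spoofed per the two anti-spoofing rules and produce
the alert record the firewall should raise.  Added example, not DISA or
firewall-vendor code; protected prefixes, packets and alert layout are
constructed. The 'impossible source' rule is an addition beyond the text."""
import ipaddress

# Networks behind the DMZ firewall (constructed; take these from the site's
# addressing plan in practice).
PROTECTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]


def is_protected(ip) -> bool:
    return any(ip in net for net in PROTECTED)


def classify(direction: str, src: str):
    """direction is 'in' (arriving from the Internet) or 'out' (leaving a
    protected network).  Returns ('allow', None) or ('drop', reason)."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return "drop", "impossible source address"
    if direction == "in" and is_protected(ip):
        return "drop", "inbound packet spoofs a protected internal source"
    if direction == "out" and not is_protected(ip):
        return "drop", "outbound packet carries a non-internal source"
    return "allow", None


def filter_packets(packets):
    """Apply classify() to (direction, src, dst) tuples.
    Returns (allowed packets, alert records for dropped packets)."""
    allowed, alerts = [], []
    for direction, src, dst in packets:
        action, reason = classify(direction, src)
        if action == "allow":
            allowed.append((direction, src, dst))
        else:
            alerts.append({"action": "drop", "dir": direction, "src": src,
                           "dst": dst, "reason": reason})
    return allowed, alerts


# Constructed traffic sample.
PACKETS = [
    ("in",  "203.0.113.9",   "198.51.100.20"),  # normal inbound
    ("in",  "198.51.100.5",  "198.51.100.20"),  # Internet packet claiming a DMZ source: spoof
    ("out", "10.0.5.7",      "203.0.113.9"),    # normal outbound
    ("out", "203.0.113.77",  "203.0.113.9"),    # internal host sending an external source: spoof
    ("in",  "127.0.0.1",     "198.51.100.20"),  # loopback source from the Internet
]

if __name__ == "__main__":
    ok, alerts = filter_packets(PACKETS)
    print(len(ok), "allowed")
    for a in alerts:
        print(a)
```

Every dropped packet produces an alert record as well as the drop, since the requirement is to identify and alert, not only to discard; a firewall that silently drops spoofed packets does not satisfy the check.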
Review the perimeter devices, such as the application gateway or firewall, to ensure all FTP sessions are proxied.
Configure the network devices to ensure the DMZ system(s) proxies all FTP sessions through an FTP proxy.
Review the switch VLAN configuration to ensure U/R/P data is logically separated via VLANs. Separation must be maintained from the server to the DMZ firewall. This check only applies if the CC/S/A/FA extension is logically, not physically, separating the services based on data type.
Configure VLANs so logical separation between different data types is maintained from the server to the firewall.