NIPRNet DoD DMZ Devices STIG

  • Version/Release: V2R2
  • Published: 2014-06-27
  • Released: 2014-06-27

The DoD DMZ firewall system must provide a single, dedicated administrative interface which resides on the management network, controlling all operational firewall functions from a single location.
Low - V-14990 - SV-15758r1_rule
  • Severity: Low
  • Version: DMZ-FW4
  • Vuln IDs: V-14990
  • Rule IDs: SV-15758r1_rule

Multiple interfaces for maintaining and managing the firewall configuration provide additional attack vectors for adversaries to gain access to the firewall.

Responsibility: Information Assurance Manager
IA Controls: EBBD-1, EBBD-2, EBBD-3
Checks: C-13417r1_chk

Review the firewall configuration to determine compliance. A single/dedicated administration interface must be present on the firewall controlling all operational firewall functions from a single location.

Fix: F-14520r1_fix

Configure the DMZ firewall system to provide a single administrative interface on the management network controlling all operational firewall functions from a single location.

DoD DMZ sites must configure DNS servers to utilize the DoD DNS .mil proxy for all inbound DNS queries.
Medium - V-15016 - SV-15784r1_rule
  • Severity: Medium
  • Version: DMZ-DNS5
  • Vuln IDs: V-15016
  • Rule IDs: SV-15784r1_rule

The DoD DNS .mil proxy provides additional protections from malicious DNS queries inbound from the Internet. The .mil proxy implementation provides a checkpoint for all queries to ensure the DoD DNS infrastructure is not compromised.

Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13445r1_chk

Review the site's DNS configuration to verify all inbound DNS queries are being proxied to the NIPRNet authoritative DNS servers via the DoD DNS .mil proxy.

Fix: F-14546r1_fix

Configure DNS servers to utilize the DoD DNS .mil proxy for all inbound DNS queries.

Alert and log data must include, at a minimum: Reporting device name, Date and Time Stamp of event, Source and Destination IP address, Port, Protocol, User ID (if available), alert code and/or description.
Low - V-15022 - SV-15790r1_rule
  • Severity: Low
  • Version: DMZ-NET5.3
  • Vuln IDs: V-15022
  • Rule IDs: SV-15790r1_rule

For complete analysis and correlation of event data, the reports must contain enough information to make a determination of potential malicious attacks across the network.

Responsibility: Information Assurance Manager
IA Controls: ECAT-1
Checks: C-13451r1_chk

Review the report data or report template, from the DMZ IA devices, sent to the applicable CNDS to ensure the following are incorporated into the report: Reporting device name, Date and Time Stamp of event, Source and Destination IP address, Port, Protocol, User ID (if available), alert code and/or description.

Fix: F-14552r1_fix

Configure the system’s alert application data to include, at a minimum: Reporting device name, Date and Time Stamp of event, Source and Destination IP address, Port, Protocol, User ID (if available), alert code and/or the description.
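
One way to spot-check a sampled alert record against the field list above, as an added example that is not part of the STIG. The record keys (`device_name`, `src_ip`, and so on) and the sample records are assumptions constructed for illustration; the STIG names the data items, not a schema.

```python
import ipaddress
from datetime import datetime

# Key names are assumed for this example; map them to the device's real schema.
REQUIRED = ("device_name", "timestamp", "src_ip", "dst_ip", "port", "protocol")

def alert_record_problems(record):
    """Return a sorted list of reasons the record fails the field requirement."""
    problems = [f"missing:{k}" for k in REQUIRED if record.get(k) in (None, "")]
    # "Alert code and/or description": at least one of the two must be present.
    if not (record.get("alert_code") or record.get("description")):
        problems.append("missing:alert_code_or_description")
    # A present but unusable value defeats correlation just like a missing one.
    for key in ("src_ip", "dst_ip"):
        if record.get(key):
            try:
                ipaddress.ip_address(record[key])
            except ValueError:
                problems.append(f"invalid:{key}")
    if record.get("timestamp"):
        try:
            datetime.fromisoformat(record["timestamp"])
        except (ValueError, TypeError):
            problems.append("invalid:timestamp")
    port = record.get("port")
    if port not in (None, "") and not (str(port).isdigit() and int(port) <= 65535):
        problems.append("invalid:port")
    # user_id is "if available", so its absence is never reported.
    return sorted(problems)

# Constructed sample records (documentation IP ranges).
GOOD = {"device_name": "dmz-fw-01", "timestamp": "2014-06-27T13:05:09+00:00",
        "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "port": 443,
        "protocol": "tcp", "user_id": None, "alert_code": "FW-DENY"}
BAD = {"device_name": "dmz-ids-02", "timestamp": "27/06/2014 13:05",
       "src_ip": "198.51.100.300", "dst_ip": "192.0.2.10", "port": 70000,
       "protocol": ""}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["device_name"], alert_record_problems(rec) or "complete")
```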

Each security device within the DMZ must send all alerts, reports of denied traffic flows, and user transactions to the local (or appropriate CND) Security Information Manager.
Low - V-15023 - SV-15791r1_rule
  • Severity: Low
  • Version: DMZ-NET5.1
  • Vuln IDs: V-15023
  • Rule IDs: SV-15791r1_rule

As the SIM is the repository for alert and event data from all DoD DMZ systems, it is a critical security component of the DoD DMZ architecture. The SIM provides the capability to process inbound event and/or alert data with business logic in near real time and to capture security-relevant event data and logs used by security analysts to detect anomalies throughout the network and connected systems.

Responsibility: Information Assurance Manager
IA Controls: ECAT-1
Checks: C-13452r1_chk

Review the following IA devices to ensure alerts are being managed and sent to the local SIM: routers, switches, firewalls (including host-based firewalls and IPS), Reverse Web Proxy (RWP), Web Application Firewall (WAF), Database Security Gateway (DBSG), HBSS, IDS (including host-based IDS), and host integrity system. The system will report all denied traffic flows and user transactions with the source user, when possible, and the source IP address, at a minimum.

Fix: F-14553r1_fix

Configure each IA device within the DMZ to send all alerts, based on individual configurations, to the local (or appropriate CND) Security Information Manager. Alerts will include, at a minimum, the source user, when possible, and the source IP address.

All system components must report IA health data and send log data to the logging server.
Medium - V-15024 - SV-15792r1_rule
  • Severity: Medium
  • Version: DMZ-NET6.1
  • Vuln IDs: V-15024
  • Rule IDs: SV-15792r1_rule

The IA health of devices responsible for protecting the network and data is critical to ensure the devices are capable of responding to, or alerting on, potential malicious behavior or attacks on DoD networks.

Responsibility: Information Assurance Manager
IA Controls: ECAT-1
Checks: C-13453r1_chk

System components are required to report IA health data via Simple Network Management Protocol (SNMP), or other communication means, to the Element Management System (EMS) as follows:
  • CPU, RAM, and Hard Disk utilization
  • Services and processes running
  • Interface status (up or down) and interface statistics
  • Statistics on packets allowed and denied
  • Authentication failure statistics

Fix: F-14554r1_fix

Configure all system components to report IA health data and send log data to the logging server.

Network Address Translation (NAT), while permitted, must maintain forensic traceability to DoD DMZ systems.
Medium - V-15025 - SV-15793r1_rule
  • Severity: Medium
  • Version: DMZ-1.3
  • Vuln IDs: V-15025
  • Rule IDs: SV-15793r1_rule

Network Address Translation (NAT) allows for the use of private IP space within an infrastructure. While this may provide additional IP space, it does not allow for forensic traceability in the event of an attack. If NAT were to be implemented, it must be configured to allow for traceability from the source to the destination and traffic flows in between.

Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13454r1_chk

Review a random sampling of device IP addresses and the firewalling capability (to include firewall, router, RWP, etc.) configuration to determine compliance. NAT is not permitted within the DoD DMZ unless forensic traceability is maintained so the source and destination IP address can be positively identified for all transactions and as long as log files or tables can trace the IP addresses.

Fix: F-14555r1_fix

NAT is not permitted within the DMZ unless forensic traceability, within the DoD IP space, is maintained so the source and destination IP address can be positively identified for all transactions.

The DMZ reverse web proxy must be configured to analyze HTTP and FTP headers.
Medium - V-15050 - SV-15818r1_rule
  • Severity: Medium
  • Version: DMZ-RWP1.3
  • Vuln IDs: V-15050
  • Rule IDs: SV-15818r1_rule

An integral component within the DoD DMZ architecture is the utilization of a Reverse Web Proxy (RWP) for application traffic flows. The RWP brokers the HTTP/HTTPS connection so there is not a direct connection between the DoD host and the Internet. A direct connection to the Internet provides a direct avenue for attack against DoD hosting systems.

Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13478r1_chk

Review the DMZ reverse web proxy configuration to ensure it is configured to analyze HTTP and FTP headers.

Fix: F-14579r1_fix

Configure the DMZ reverse web proxy to analyze HTTP and FTP headers.

DMZ systems must log all events, to include the reason for all file scanning failures for data at rest and in transit, administrative activities, and CND events. DMZ systems must provide a log viewing tool and send all logs to a syslog server.
Medium - V-15071 - SV-15839r1_rule
  • Severity: Medium
  • Version: DMZ-LR1
  • Vuln IDs: V-15071
  • Rule IDs: SV-15839r1_rule

Logging is a critical security function and capturing the right amount and type of data provides the information for further analysis and potential action.

Responsibility: Information Assurance Manager
IA Controls: ECAR-2
Checks: C-13510r1_chk

Review the logging server (e.g., syslog server) and a random sampling of DMZ devices to determine if all events are logged in accordance with the CONOPS, to include administrative activities, and CND events. Review to determine if a log viewing tool is available and if all logs are sent to a remote system via syslog.

Fix: F-14601r1_fix

Configure DMZ devices to log all events, to include the reason for all file scanning failures for data at rest and in transit. DMZ systems will provide a log viewing tool and send all logs to a remote system via syslog.

DMZ systems must protect logs in transit using IPSec or TLS v1 (encryption) in accordance with the PPSM Vulnerability Assessments and Category Assignments List, and FIPS 140-2 encryption requirements.
Low - V-15072 - SV-15840r1_rule
  • Severity: Low
  • Version: DMZ-LR2
  • Vuln IDs: V-15072
  • Rule IDs: SV-15840r1_rule

Log data consists of sensitive information and potential device configuration information. Access to sensitive information could lead to direct access to the platform or system. Therefore, it requires encryption to ensure the confidentiality and integrity of the data.

Responsibility: Information Assurance Manager
IA Controls: ECCT-1
Checks: C-13511r1_chk

Review a random sampling of DMZ devices to ensure they are configured to encrypt all logs in transit utilizing a FIPS 140-2 validated encryption algorithm.

Fix: F-14602r1_fix

Configure DMZ systems to protect logs in transport using IPSec or TLS v1 in accordance with FIPS 140-2 requirements.

Site-to-site communications of aggregated Security Information Manager (SIM) and/or log data must be encrypted. Data must be encrypted during transmission using validated FIPS 140-2 cryptography in order to minimize the risk of the data’s exposure if intercepted or misrouted.
Medium - V-15076 - SV-15844r1_rule
  • Severity: Medium
  • Version: DMZ-SIM5.2
  • Vuln IDs: V-15076
  • Rule IDs: SV-15844r1_rule

As the SIM is the repository for alert and event data from all DoD DMZ systems, it is a critical security component of the DoD DMZ architecture. The SIM data communication or log data between sites must be protected via encryption in order to minimize the risk of exposure or exfiltration of data.

Responsibility: Information Assurance Manager
IA Controls: ECCT-1
Checks: C-13515r1_chk

Review the configuration of any site to site communication channels to ensure SIM and log data is encrypted in transport utilizing a FIPS 140-2 validated encryption algorithm.
1) Review the DMZ architecture and determine if aggregated log/SIM data is transmitted to any other site.
2) If aggregated log/SIM data is transmitted to any other site, review communications capability and verify FIPS 140-2 encryption capability is used to encrypt the data for transmission.

Fix: F-14606r1_fix

Configure the transport mechanism of any site to site communications of aggregated DMZ SIM or log data to encrypt the transport. Data must be encrypted during transmission using validated FIPS 140-2 cryptography in order to minimize the risk of the data’s exposure if intercepted or misrouted.

Users of the DMZ SIM service must utilize DoD approved CAC/PKI for authentication.
Medium - V-15078 - SV-15846r1_rule
  • Severity: Medium
  • Version: DMZ-SIM8.1
  • Vuln IDs: V-15078
  • Rule IDs: SV-15846r1_rule

Authentication and authorization are key components to security within any architecture. Ensuring systems adhere to the current DoD policies regarding the use of CAC/PKI helps eliminate unauthorized access and disclosure of DoD data.

Responsibility: Information Assurance Manager
IA Controls: IATS-2
Checks: C-13517r1_chk

Review the DMZ policy and procedures to ensure approved DoD CAC and DoD PKI are used for authentication. Review the SIM server configuration to ensure CAC/PKI is used for authentication.

Fix: F-14608r1_fix

Configure the SIM server to use DoD-approved CAC/PKI for authentication for all authorized users of the SIM service.

The DMZ Security Information Manager (SIM) software must automatically detect and alert on abnormal network behavior.
Low - V-15080 - SV-15848r1_rule
  • Severity: Low
  • Version: DMZ-SIM12.2
  • Vuln IDs: V-15080
  • Rule IDs: SV-15848r1_rule

The SIM is the central repository for event data and must detect and alert on any abnormal behavior in order for analysts to react to events on the network. Abnormal behavior is anything out of the ordinary occurring on the network, or some anomaly that is not part of the network’s standard traffic baseline. A site will have determined what normal traffic patterns are for their particular implementation and anything outside of their normal traffic would be considered abnormal.

Responsibility: Information Assurance Manager
IA Controls: ECAT-2
Checks: C-13519r1_chk

Review the SIM software running configuration to determine if it is configured to detect and alert on abnormal network behavior. Abnormal network behavior would be identified as anything other than what is documented in the network’s standard traffic baseline.

Fix: F-14610r1_fix

Configure the SIM software to automatically detect and alert on abnormal network behavior.

The NIPRNet DMZ firewall must identify and alert on internal spoofed IP addresses and drop all packets identified with spoofed IP addresses.
High - V-15091 - SV-15859r1_rule
  • Severity: High
  • Version: DMZ-FW4.4
  • Vuln IDs: V-15091
  • Rule IDs: SV-15859r1_rule

Inbound spoofing occurs when someone outside the network uses an internal IP address to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use the information to perform destructive acts on or to the network.

Responsibility: Information Assurance Manager
IA Controls: EBBD-1, EBBD-2, EBBD-3
Checks: C-13533r1_chk

Verify the firewall is configured to identify, alert on, and drop spoofed IP addresses as follows:
1) Incoming packet from the Internet with an internal network IP address as the source address (i.e., a source IP address from a network being protected by the firewall).
2) Outgoing packet from an internal network with an external IP address as the source address (i.e., a source IP address not from the internal protected network).

Fix: F-14621r1_fix

Configure the NIPRNet DMZ firewall to identify and alert on internal spoofed IP addresses and drop all packets identified with spoofed IP addresses.
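
The two spoofing conditions in the check above, expressed as decision logic that can be used to reason about or test a rule set. This is an added example, not part of the STIG; the protected networks, the side names `external`/`internal`, and the sample packets are constructed assumptions.

```python
import ipaddress

# Constructed example values (documentation ranges); a real deployment
# lists the networks the firewall actually protects.
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("2001:db8:10::/48")]

def is_protected(addr):
    """True if addr belongs to a network protected by the firewall."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in PROTECTED_NETS)

def spoof_verdict(ingress, src_ip):
    """Return (action, reason) for a packet arriving on the 'external' or
    'internal' side of the firewall (side names are assumptions)."""
    if ingress not in ("external", "internal"):
        raise ValueError(f"unknown ingress side: {ingress!r}")
    try:
        protected = is_protected(src_ip)
    except ValueError:
        return ("drop", "unparseable-source")
    if ingress == "external" and protected:
        # Condition 1: Internet-side packet claiming an internal source.
        return ("drop", "inbound-internal-source")
    if ingress == "internal" and not protected:
        # Condition 2: inside packet whose source is not a protected network.
        return ("drop", "outbound-external-source")
    return ("continue", "source-consistent")

def alerts_for(packets):
    """Return one alert record for every packet dropped as spoofed."""
    alerts = []
    for ingress, src, dst in packets:
        action, reason = spoof_verdict(ingress, src)
        if action == "drop":
            alerts.append({"src_ip": src, "dst_ip": dst,
                           "ingress": ingress, "reason": reason})
    return alerts

# Constructed sample traffic: (ingress side, source, destination).
SAMPLE = [("external", "203.0.113.9", "192.0.2.10"),
          ("external", "192.0.2.55", "192.0.2.10"),
          ("internal", "192.0.2.10", "203.0.113.9"),
          ("internal", "198.51.100.4", "203.0.113.9"),
          ("external", "2001:db8:10::5", "2001:db8:10::80")]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE):
        print(alert)
```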

The DoD DMZ must proxy all FTP sessions through an FTP proxy.
Medium - V-17370 - SV-18424r1_rule
  • Severity: Medium
  • Version: DMZ-FTP1.1
  • Vuln IDs: V-17370
  • Rule IDs: SV-18424r1_rule

An FTP proxy securely relays FTP connections and brokers the connection so FTP commands are not sent directly to the host.

Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-18079r1_chk

Review the perimeter devices, such as the application gateway or firewall, to ensure all FTP sessions are proxied.

Fix: F-17277r1_fix

Configure the network devices to ensure the DMZ system(s) proxies all FTP sessions through an FTP proxy.

If logical rather than physical separation is used, VLANs must be defined so separation between different data types is maintained for unrestricted, restricted, and private data.
Medium - V-17378 - SV-18432r2_rule
  • Severity: Medium
  • Version: DMZ-LNSR1
  • Vuln IDs: V-17378
  • Rule IDs: SV-18432r2_rule

The intent of the DoD DMZ is to isolate traffic between different data types. If separation is not maintained, private and restricted DoD data is at greater risk of compromise. This supplemental logical network separation requirement is an enhancement to the requirements in the Network Infrastructure STIG. This additional requirement is intended to mitigate Ethernet switch vulnerabilities not addressed within the Network Infrastructure STIG. This requirement is imposed where origin servers of different data types attach to the same layer 2 network.

Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-18087r2_chk

Review the switch VLAN configuration to ensure U/R/P data is logically separated via VLANs. Separation must be maintained from the server to the DMZ firewall. This check only applies if the CC/S/A/FA extension is logically, not physically, separating the services based on data type.

Fix: F-17284r2_fix

Configure VLANs so logical separation between different data types is maintained from the server to the firewall.