NIPRNet DoD DMZ Policy Requirements

  • Version/Release: V2R2
  • Published: 2014-06-27
  • Released: 2014-06-27

DMZ systems must support, or have the capability to utilize, an automated patch capability for all services.
Medium - V-14862 - SV-15630r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-NET3
Vuln IDs
  • V-14862
Rule IDs
  • SV-15630r1_rule
Discussion: As the DoD DMZ components are critical to the protection of the private DoD data assets within the NIPRNet, it is important to ensure all systems are up to date with security patches and fixes. As the DoD DMZ is an enterprise system, patch distribution and installation must be automated to ensure timely delivery of all security-related patches and fixes. Patches and fixes to a device are necessary to maintain the security posture of the network. If one system has been compromised or exposed to a vulnerability, the entire DoD DMZ is at risk.
Responsibility: Information Assurance Manager
IA Controls: VIVM-1
Checks: C-13299r1_chk

Work with the IAM to determine if there is an automated patch distribution system for security-related patches for all services. Review each technology to determine if there is a fully functional automated patch distribution solution. This does not negate the need for patch testing prior to installation: patches must not be pushed automatically to devices or servers before they have been tested in a non-production environment. Each asset, and the DMZ system as a whole, must support and utilize an automated patch capability.

Fix: F-14405r1_fix

Configure the DMZ systems to utilize an automated patch capability for all services within the DoD DMZ.

DoD DMZs must provide Network Operations (NetOps) reporting to the appropriate CNDSPs.
Medium - V-14864 - SV-15632r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-NET4.1
Vuln IDs
  • V-14864
Rule IDs
  • SV-15632r1_rule
Discussion: Sending alert data to the appropriate personnel is critical to ascertaining the extent to which a potential issue may be compromising DoD data or network availability. If the alert data is not sent as quickly as possible, it may be too late to act on the event and avoid compromise. Components within or supporting a NIPRNet DoD DMZ must provide NetOps alert and log data to the appropriate local CNDSP and Combatant Command or Agency Network Operations Center (NOC) in near real-time.
Responsibility: Information Assurance Manager
IA Controls: ECAT-1
Checks: C-13302r1_chk

Review the DMZ Concept of Operations (CONOPS) policy and procedures, along with system device configuration and implementation documentation, to ensure reporting requirements include providing NetOps alert and log data to the appropriate local CNDSP and Combatant Command or Agency NOC in near real-time, without significant delay, so the alert or log data does not become non-actionable.
NOTE: Transmission in near real-time means the data is transmitted as it is generated or shortly thereafter; the data is not queued.
NOTE: This finding can be reduced to a CAT III if the component is polled regularly and often enough that the alert or log data does not become non-actionable.

Fix: F-14407r1_fix

Provide NetOps alert and log data, for all components within or supporting a NIPRNet DoD DMZ, to the appropriate local CNDSP and COCOM, or Agency NOC in near real-time without significant delay such that the alert or log data does not become non-actionable.

The DoD DMZ must be designed so all Internet facing application and service data traffic traverses the existing DoD owned and controlled Internet Service Routers (ISR)/Internet Access Points (IAP) at the DoD to Internet boundary.
High - V-14873 - SV-15641r1_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: DMZ-8
Vuln IDs
  • V-14873
Rule IDs
  • SV-15641r1_rule
Discussion: The DoD DMZ architecture security check-points are logically located at the Internet Access Points for the DoD. The security architecture was designed to protect NIPRNet assets and DoD data by funneling all traffic inbound to the DoD network through the IAPs/ISRs. This effort would be completely undermined if the traffic flows and application data were to traverse anything other than the IAPs/ISRs.
Responsibility: Information Assurance Manager
IA Controls: EBBD-1, EBBD-2, EBBD-3
Checks: C-13314r1_chk

Review the DMZ architecture to ensure all Internet facing service traffic traverses the IAPs and no other Internet connection. The intent is to avoid multiple entrance points and to ensure all traffic is visible to the sensor grid and the security devices located in the Special Purpose Extension.

Fix: F-14416r1_fix

Design the DoD DMZ so all Internet facing application and service traffic flows traverse the existing DoD ISR/IAPs at the Internet boundary. There will be no alternate connections. All data traffic must flow through DoD-controlled and maintained Internet boundaries.

Critical and maintenance level security patches must be tested and applied within the time period specified in the site's configuration management plan or any Information Assurance Vulnerability Management (IAVM) issuances by USCYBERCOM.
Medium - V-14899 - SV-15667r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-PAT2/3
Vuln IDs
  • V-14899
Rule IDs
  • SV-15667r1_rule
Discussion: As the DoD DMZ components are critical to the protection of the private DoD data assets within the NIPRNet, it is important to ensure all systems are up to date with security patches and fixes. As the DoD DMZ is an enterprise system, it is necessary to ensure timely distribution and installation of all security-related patches and fixes. Patches and fixes to a device are necessary to maintain the security posture of the network.
Responsibility: Information Assurance Manager
IA Controls: VIVM-1
Checks: C-13335r1_chk

Review the DMZ CONOPS to determine if policy and procedures are in place to test and apply critical and maintenance level security-related patches to all devices in the DMZ within the time frame identified in the site's configuration management plan. Devices must be in compliance with all USCYBERCOM-issued IAVM notices and with any critical emerging threats and vulnerabilities. Ensure all appropriate mitigations are in place until all patches can be applied to the systems.

Fix: F-14442r1_fix

Test and apply all critical and maintenance level security-related patches within the time period specified in the site's configuration management plan (as part of the CONOPS).

Operating System (OS) separation must be maintained for different server types within the DoD DMZ.
High - V-14910 - SV-15678r2_rule
RMF Control: (none listed)
Severity: High
CCI: (none listed)
Version: DMZ-LPSR10
Vuln IDs
  • V-14910
Rule IDs
  • SV-15678r2_rule
Discussion: Separation is required to protect Private servers from Restricted and Unrestricted servers. Separation is also required to protect Application and Database servers, if used, from Web servers. The intent of the DoD DMZ initiative is to protect Private servers from those that are Internet-facing, and to have situational awareness of all traffic coming in to the NIPRNet. Separation is also critical to protect Restricted servers from Unrestricted servers. Protecting Private assets from the Internet is the fundamental principle behind the DoD DMZ.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13346r4_chk

1. Unrestricted web servers and Restricted web servers can either be on separate physical servers from each other or on separate virtualized servers using a type 1 hypervisor.
   Note: Logical separation via virtualization can be achieved; however, virtualization is only permissible when type 1 hypervisors are used. A type 1 hypervisor sits on bare metal server hardware and hosts guest operating systems. Virtualized systems follow the same rules as non-virtualized systems.
   Example: Unrestricted web server OSs and Restricted web server OSs can either be on separate physical servers or on separate virtual servers using a type 1 hypervisor (logical separation).
2. Unrestricted web servers and Restricted web servers must be on separate logical or physical servers from Private web servers, Application servers, or Database servers.
   Note: Database servers, if used, housing Private data will not be located in the DoD DMZ Extension.
3. If Application and Database servers have been separated by service type into Unrestricted, Restricted, and Private servers (permitted but not required in Increment 1 Phase 1), they must be on separate logical or physical servers from each other by server type (App or DB) and by service type (U/R/P).
Refer to the DoD DMZ Technology Overview and DoD DMZ FAQs for details and definitions of the three data types.

Fix: F-14453r3_fix

Configure the DMZ systems to maintain logical or physical OS separation by server type (App or DB) and by service type (U/R/P).

The DMZ systems must include an automated backup schema to include full, incremental, and differential backups as appropriate to meet disaster recovery requirements as defined by the DMZ CONOPS.
Medium - V-14911 - SV-15679r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-STO1
Vuln IDs
  • V-14911
Rule IDs
  • SV-15679r1_rule
Discussion: Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups are not performed in accordance with the recovery requirements, the data may not be available in the event of loss or failure.
Responsibility: Information Assurance Manager
IA Controls: CODB-2
Checks: C-13347r1_chk

Review the DMZ backup policy to ensure systems are backed up via an automated process, in accordance with the backup and recovery process defined in the DoD DMZ CONOPS.

Fix: F-14454r1_fix

Employ an automated backup schema to include full/incremental/differential backups as appropriate to meet disaster recovery requirements as defined by the DoD DMZ CONOPS.

System backups must be stored on appropriate media capable of guaranteeing file integrity for a minimum of 5 years.
Low - V-14912 - SV-15680r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-STO3
Vuln IDs
  • V-14912
Rule IDs
  • SV-15680r1_rule
Discussion: If backups are not properly processed, protected, and stored on appropriate media, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13348r1_chk

Review the DMZ backup policy to ensure the storage medium is capable of 5-year retention and retrieval, and that a device capable of reading the data is maintained for the same period.

Fix: F-14455r1_fix

Utilize appropriate media capable of guaranteeing file integrity for a minimum of 5 years for all system backups, and maintain a support device capable of reading the data.

DMZ backup and archive security procedures and processes must ensure unauthorized users cannot gain access.
Medium - V-14913 - SV-15681r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-STO4
Vuln IDs
  • V-14913
Rule IDs
  • SV-15681r1_rule
Discussion: Protection of backup and restoral assets is essential for the successful restoral of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/or the loss of system capability, resulting in failure of the customer's mission.
Responsibility: Information Assurance Manager
IA Controls: ECLP-1
Checks: C-13349r1_chk

Review the backup policy to ensure permissions and procedures are in place to validate personnel for approval to access or request access to backups and archives.

Fix: F-14456r1_fix

Only personnel who have been granted the appropriate level of access may request or gain access to backups and archives.

The DMZ system must include an automated process of verifying correct backup media has been written to and restored from.
Low - V-14914 - SV-15682r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-STO6
Vuln IDs
  • V-14914
Rule IDs
  • SV-15682r1_rule
Discussion: If backups are not properly processed and protected, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13350r1_chk

Review the backup process and procedures to ensure an automated means of backup media verification is present.

Fix: F-14457r1_fix

Verify correct backup media has been written to and restored from, via an automated process.
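One way to implement the automated verification this requirement calls for, as an added example that is not part of the STIG or of any DISA tooling: a SHA-256 manifest is produced when the backup set is written, and the same manifest is checked after the media is read back or a restore completes, reporting altered, missing and unexpected files. The paths and file contents are constructed sample data, and the in-memory map stands in for files on disk so the example runs offline; Go's standard library does the hashing. Recording the value of ManifestDigest() in the backup job log lets the verification step also confirm that the manifest being checked is the one written at backup time.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a backup path to the hex SHA-256 of its contents. It is
// written next to the backup set at backup time and travels with the media.
type Manifest map[string]string

// digest returns the hex SHA-256 of data.
func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest digests every file in a backup set. The map stands in for
// files read from disk so the example runs offline (constructed input).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for path, data := range files {
		m[path] = digest(data)
	}
	return m
}

// Verify re-reads a set, either as written to media or as restored from it,
// and returns one line per discrepancy against the manifest: altered, missing
// or unexpected files. An empty result means the set matches exactly.
func Verify(m Manifest, files map[string][]byte) []string {
	var findings []string
	for path, want := range m {
		data, ok := files[path]
		switch {
		case !ok:
			findings = append(findings, "missing: "+path)
		case digest(data) != want:
			findings = append(findings, "digest mismatch: "+path)
		}
	}
	for path := range files {
		if _, ok := m[path]; !ok {
			findings = append(findings, "unexpected: "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

// ManifestDigest reduces a manifest to one value that can be recorded in the
// backup job log, so a later verification can also confirm the manifest itself
// is the one produced at backup time. Paths are sorted so the value is
// deterministic regardless of map iteration order.
func ManifestDigest(m Manifest) string {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		b.WriteString(p + "\x00" + m[p] + "\n")
	}
	return digest([]byte(b.String()))
}

func main() {
	// Constructed sample backup set; the paths are illustrative only.
	source := map[string][]byte{
		"etc/rwp/proxy.conf":    []byte("listen 443 ssl;\n"),
		"var/lib/sim/events.db": []byte("event-store-v1\x00\x01\x02"),
	}
	m := BuildManifest(source)
	fmt.Println("manifest digest recorded at backup time:", ManifestDigest(m))

	// Simulate a restore in which one byte of the event store was corrupted
	// and the proxy configuration was not restored at all.
	restored := map[string][]byte{
		"var/lib/sim/events.db": append([]byte(nil), source["var/lib/sim/events.db"]...),
	}
	restored["var/lib/sim/events.db"][0] ^= 0x01

	for _, f := range Verify(m, restored) {
		fmt.Println("FINDING:", f)
	}
}
```

Run with `go run` to see the two findings from the simulated restore (a digest mismatch on the event store and a missing proxy configuration). Keeping the manifest on the media and its digest in a separate log is what lets the check detect media that was written correctly but is not the media the job recorded.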

The DMZ system must include a process to correctly label storage media based on sensitivity level and content (unrestricted vs. restricted data).
Medium - V-14915 - SV-15683r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-STO7
Vuln IDs
  • V-14915
Rule IDs
  • SV-15683r1_rule
Discussion: If storage media used for backups is not properly labeled and protected, recovery from a system failure or implementation of a contingency plan would not include the information necessary to fully recover in the time required to ensure continued mission support.
Responsibility: Information Assurance Manager
IA Controls: ECML-1
Checks: C-13351r1_chk

Review a sampling of backup data to ensure sensitivity labeling is present to differentiate between data types. Review the CONOPS to ensure a process is documented for labeling of backup data.

Fix: F-14458r1_fix

Include processes in the CONOPS to correctly label removable storage media based on sensitivity level and content (unrestricted vs. restricted data).

The DMZ system must have a documented Disaster Recovery Plan (DRP).
Medium - V-14920 - SV-15688r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-STO12
Vuln IDs
  • V-14920
Rule IDs
  • SV-15688r1_rule
Discussion: Failure to provide for restoration of mission and business essential functions will result in mission failure in the event of natural disaster, fire, or other catastrophic failure of the Information System.
Responsibility: Information Assurance Manager
IA Controls: CODP-2
Checks: C-13356r1_chk

Review the Disaster Recovery Plan for the DoD DMZ to ensure it is in compliance with minimum restoration guidelines as established by the DMZ CONOPS. The DRP must include business recovery plans, system and facility contingency plans, and plan acceptance.

Fix: F-14463r1_fix

Develop a DRP providing for the resumption of mission, or business essential functions, within the specified period of time as defined by DMZ CONOPS. A DRP must include business recovery plans, system and facility contingency plans, and plan acceptance.

The DoD DMZ system must include documented procedures ensuring all critical systems, to include infrastructure devices such as routers and firewalls and their associated configurations, are backed up and stored appropriately.
Medium - V-14921 - SV-15689r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-STO13
Vuln IDs
  • V-14921
Rule IDs
  • SV-15689r1_rule
Discussion: Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups of critical systems and infrastructure devices are not performed in accordance with the disaster recovery requirements, the network or critical components may not be available in the event of loss or failure.
Responsibility: Information Assurance Manager
IA Controls: COSW-1
Checks: C-13357r1_chk

Review the Disaster Recovery or Continuity of Operations Plan (COOP) to ensure process and procedures are in place for backing up and storing critical infrastructure device operating systems and configurations.

Fix: F-14464r1_fix

Develop documented procedures ensuring all critical systems, to include infrastructure devices such as routers and their associated configuration files, are backed up, and that copies of the operating system and other critical software are stored in a fire-rated container or otherwise not collocated with the operational equipment or software.

The DoD DMZ system must include documented procedures ensuring data backup is performed at the frequency specified in the CONOPS, and recovery media is stored off-site at a location.
Medium - V-14922 - SV-15690r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-STO14
Vuln IDs
  • V-14922
Rule IDs
  • SV-15690r1_rule
Discussion: Backup and recovery are integral to maintaining the availability requirements of the DMZ. If backups of DMZ systems and infrastructure devices are not performed daily and in accordance with the disaster recovery requirements, the network or critical components may not be available in the event of loss or failure. If backups are not properly processed and protected, recovery from a system failure or implementation of a contingency plan would not include the data necessary to fully recover in the time required to ensure continued mission support.
Responsibility: Information Assurance Manager
IA Controls: CODB-2
Checks: C-13358r1_chk

Review the Continuity of Operations Plan (COOP) to ensure processes and procedures are in place for backup and storage of data at the frequency defined in the DoD DMZ CONOPS.

Fix: F-14465r1_fix

Document procedures ensuring data backup is performed in accordance with the DMZ CONOPS, and recovery media is stored off-site at a location affording protection of the data in accordance with the CONOPS, the data availability requirements, and the confidentiality level.

Procedures must be in place to restore the logging system/program if the program goes down, or must be shut down and restarted.
Low - V-14930 - SV-15698r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-SYS9.3
Vuln IDs
  • V-14930
Rule IDs
  • SV-15698r1_rule
Discussion: As the logging system is the repository for, and provides analysis of, alert and event data from all DoD DMZ systems, it is critical to ensure the system is restored to service quickly and securely in order to maintain the flow of security event data throughout the DMZ. Without the logging service available, security-relevant event data will not be captured and analyzed.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13367r1_chk

Review the logging server documentation to ensure procedures are in place to bring the system back on-line in case of shutdown or failure.

Fix: F-14474r1_fix

Document procedures to restore the log program efficiently if the program goes down, or must be shut down.

The Security Information Manager (SIM) must send and process inbound event and/or alert data in near real time with no manual intervention.
Low - V-14931 - SV-15699r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-SIM2.1
Vuln IDs
  • V-14931
Rule IDs
  • SV-15699r1_rule
Discussion: SIM technology provides the ability to perform real-time analysis of security alerts generated by network hardware and applications. If the process of sending event and log data to the SIM is slow, or is a manual process, security-relevant data may not be received quickly enough for defensive action to be taken if a live attack on a DoD host or network happens.
Responsibility: Information Assurance Manager
IA Controls: ECAT-2
Checks: C-13368r1_chk

Review the SIM documentation to ensure event or alert data is sent in near real time and does not rely on a manual process such as an FTP transfer. The devices must send SIM data automatically with no manual intervention. Near real time refers to the delay introduced by automated data processing or network transmission between the occurrence of an event and the use of the processed data.

Fix: F-14475r1_fix

Configure the SIM to send and process inbound event and/or alert data in near real time with no manual intervention required.

The Security Information Manager (SIM) must use an industry standard database.
Medium - V-14933 - SV-15701r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-SIM4.1
Vuln IDs
  • V-14933
Rule IDs
  • SV-15701r1_rule
Discussion: For consistency, scalability, interoperability, security patching, and vendor support, it is important for the SIM to use industry standard applications.
Responsibility: Information Assurance Manager
IA Controls: DCAS-1
Checks: C-13370r1_chk

Review the vendor documentation to ensure the SIM uses an industry standard database that has been evaluated against a NIAP/NSA-approved Protection Profile, not a "homegrown" database.

Fix: F-14477r1_fix

Employ a SIM using an industry standard database.

The Security Information Manager (SIM) stored database backup must be encrypted using FIPS 140-2 validated cryptography. Unrestricted and restricted database backup may be stored on the same media, yet must be encrypted so the database storing unrestricted data cannot restore data residing in the restricted database.
Low - V-14934 - SV-15702r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-SIM4.6
Vuln IDs
  • V-14934
Rule IDs
  • SV-15702r1_rule
Discussion: Unrestricted data is public and has been approved for public release. Restricted data requires authentication and has not been approved for public release. It is important for these two data types to be separate and not accessible to any application that may breach this separation and inadvertently provide restricted data to the public.
Responsibility: Information Assurance Manager
IA Controls: ECCR-2
Checks: C-13371r1_chk

Review the SIM backup procedures to ensure encryption is utilized for restricted and unrestricted backup of SIM data. The backup procedures must ensure there is segmentation between restricted and unrestricted data types. File and database access restrictions will also be in place to reduce the potential of exposure of the restricted data.

Fix: F-14478r1_fix

Encrypt all data on the SIM stored database backup, using FIPS 140-2 validated cryptography, so the unrestricted database cannot restore the restricted database when utilizing the same media.
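The separation this fix describes can be enforced cryptographically rather than by procedure alone. The following is an added example, not code from the STIG or from any SIM vendor: each sensitivity level has its own AES-256-GCM key, the level's label is bound into the authentication tag as associated data, and a restore attempted with the wrong keyring fails closed even though both blobs sit on the same media. The key source is assumed (in production a FIPS 140-2 validated module or key manager would supply it); Go's standard-library crypto is used here so the example runs, and it is not itself a validated module unless built with a FIPS-mode toolchain. AES-GCM is an approved algorithm, but validation is a property of the module, so the check in C-13371r1_chk still has to confirm the module certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sensitivity labels from the requirement. The label is stored in clear (it
// selects the keyring) and is also authenticated as AEAD associated data.
const (
	Unrestricted = "unrestricted"
	Restricted   = "restricted"
)

// Blob is one encrypted backup object as written to the shared media.
type Blob struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext followed by the 16-byte tag
}

// newKey returns a fresh 256-bit key. Assumption: in production this comes
// from a FIPS 140-2 validated module or key manager, one key per label.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup under the key for its label and binds the label
// into the authentication tag, so relabelling the blob later is detected.
func Seal(key []byte, label string, plaintext []byte) (Blob, error) {
	g, err := aead(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Blob{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(label))
	return Blob{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Restore decrypts a blob with the key the restoring database holds. The
// caller states which label its keyring serves; a label mismatch is refused
// outright, and a wrong key or altered label fails GCM authentication.
func Restore(key []byte, keyLabel string, b Blob) ([]byte, error) {
	if b.Label != keyLabel {
		return nil, errors.New("label mismatch: refusing to use " + keyLabel + " keyring on " + b.Label + " backup")
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Label))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	return pt, nil
}

func main() {
	uKey, err := newKey()
	if err != nil {
		panic(err)
	}
	rKey, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample dumps, one per sensitivity level, written to the
	// same media (a slice stands in for the tape or disk set).
	u, _ := Seal(uKey, Unrestricted, []byte("public site event summary"))
	r, _ := Seal(rKey, Restricted, []byte("auth-required portal events"))
	media := []Blob{u, r}

	// The unrestricted database restores from the shared media: its own
	// blob opens, the restricted blob is refused.
	for _, b := range media {
		_, err := Restore(uKey, Unrestricted, b)
		fmt.Printf("unrestricted keyring on %-12s blob: err=%v\n", b.Label, err)
	}
}
```

The label check before decryption is a policy gate; the AEAD associated data is what makes that gate tamper-evident, since an attacker who rewrites the stored label to "unrestricted" still cannot get the unrestricted key to open ciphertext sealed under the restricted key and label.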

The Security Information Manager (SIM) must maintain 30 days of metadata online and 1 year off-line, readily available to the analyst.
Low - V-14937 - SV-15705r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-SIM13.5
Vuln IDs
  • V-14937
Rule IDs
  • SV-15705r1_rule
Discussion: If data is not available for analytical review, security events may not be aggregated and correlated. Data must be readily available, as security events that take place days or weeks apart may seem unrelated; upon analysis it could be determined that the events are in fact related, and the events can drive actions to be taken to avoid additional compromise.
Responsibility: Information Assurance Manager
IA Controls: ECRR-1
Checks: C-13374r1_chk

Review the backup procedures and the online configuration to ensure the SIM data is stored for a minimum of 30 days online and 1 year off-line, and is readily available in accordance with the DoD DMZ CONOPS.

Fix: F-14481r1_fix

Configure the SIM to maintain 30 days' worth of security event data online and 1 year offline, readily available to the analyst.

Reverse web proxy cryptographic components must be Federal Information Processing Standard (FIPS) 140-2 validated.
Medium - V-14942 - SV-15710r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-RWP7.12
Vuln IDs
  • V-14942
Rule IDs
  • SV-15710r1_rule
Discussion: FIPS 140-2 validation provides assurance that a cryptographic module implements approved algorithms correctly. FIPS 140-2 is a Federal Government requirement and is mandated by most DoD policies governing the use of encryption within the DoD.
Responsibility: Information Assurance Manager
IA Controls: ECCT-1
Checks: C-13362r1_chk

Review the RWP vendor documentation and the National Institute of Standards and Technology (NIST) Validation website (http://csrc.nist.gov/cryptval/140-1/1401val.htm) to determine if the encryption components have been validated against FIPS 140-2. Validation applies to a specific module version and configuration; confirm the deployed module version matches the certificate and that the product is operating in its FIPS mode.

Fix: F-14469r1_fix

Utilize only reverse web proxy cryptographic components that are FIPS 140-2 validated.

Procedures must be in place to restore the Security Information Manager (SIM) service if the application/system fails or must be shut down.
Low - V-14957 - SV-15725r1_rule
RMF Control: (none listed)
Severity: Low
CCI: (none listed)
Version: DMZ-SIM11.3
Vuln IDs
  • V-14957
Rule IDs
  • SV-15725r1_rule
Discussion: As the SIM is the repository for, and provides analysis of, alert and event data from all DoD DMZ systems, it is critical to ensure the system is restored to service quickly and securely in order to maintain the flow of security event data throughout the DMZ. Without the SIM service available, security-relevant event data will not be captured and analyzed.
Responsibility: Information Assurance Manager
IA Controls: ECND-1
Checks: C-13373r1_chk

Review the SIM server/system documentation to ensure procedures are in place to efficiently bring the system back online in case of shutdown or failure. Application security event logging must continue while the SIM is down. The recovery process and recovery times must be in accordance with the DoD DMZ CONOPS.

Fix: F-14480r1_fix

Document and implement the procedures to restore the SIM service if the program/system fails or must be shut down.

Local console access, KVM, or terminal services must be provided or available for local out-of-band management within the DMZ in case of management network failure.
Medium - V-14968 - SV-15736r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-OOBMGT3
Vuln IDs
  • V-14968
Rule IDs
  • SV-15736r1_rule
Discussion: A local console access solution must be available for access to devices or systems in case of management network failure. If the management network fails due to a device within the infrastructure, and there is no other means of accessing the device, the availability of the DMZ system at large could be compromised.
Responsibility: Information Assurance Manager
IA Controls: ECSC-1
Checks: C-13391r1_chk

Review the management network architecture to determine if local console access, KVM, or terminal services are available as a fallback if the management network fails. Review the management architecture against the most current version and release of the Network Infrastructure STIGs.

Fix: F-14498r1_fix

Provide local management for devices within a DMZ via console and/or KVM or terminal server, in case of local management network failure.

DMZ system components utilizing PKI must request PKI certificates from a DoD-approved Certificate Authority (CA).
Medium - V-14970 - SV-15738r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-PKI1.1
Vuln IDs
  • V-14970
Rule IDs
  • SV-15738r1_rule
Discussion: To protect the integrity and authenticity of PKI certificates, it is critical that systems obtain their PKI certificates from an approved DoD Certificate Authority. Otherwise, there is no guarantee of proper access and authorization.
Responsibility: Information Assurance Manager
IA Controls: IATS-2
Checks: C-13393r1_chk

Review the DMZ CONOPS and associated policy to determine if systems within the DMZ are required to request certificates only from a DoD-approved CA. A list of DoD-approved CAs can be obtained from the following URL: http://iase.disa.mil/pki/eca/index.html. Self-signed certificates are not authorized.

Fix: F-14500r1_fix

Require DMZ system components to request PKI certificates from a DoD-approved CA. Self-signed certificates are not authorized on DMZ components.

DMZ system components utilizing DoD PKI must support DoD-approved PKI Certificate Revocation List (CRL) or DoD Online Certificate Status Protocol (OCSP) policy.
Medium - V-14971 - SV-15739r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-PKI1.2
Vuln IDs
  • V-14971
Rule IDs
  • SV-15739r1_rule
Discussion: To protect the integrity and authenticity of PKI certificates, it is critical that systems support and use the DoD-approved CRLs and OCSP responders. Otherwise, there is no guarantee of trusted validation of a PKI certificate.
Responsibility: Information Assurance Manager
IA Controls: IATS-1
Checks: C-13394r1_chk

Review the DMZ CONOPS and associated policy to determine if systems within the DMZ are required to support and utilize DoD-approved PKI CRL policy. DoD OCSP must be supported by DMZ components and devices and is the preferred method of revocation checking.

Fix: F-14501r1_fix

Configure DMZ system components to support and utilize DoD-approved PKI CRL or DoD OCSP policy.

DoD DMZ servers (all components) must report denied traffic and application transactions to the local log aggregation/SIM capability in real time, generated automatically, not as a manual or batch process.
Medium - V-15033 - SV-15801r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-NET5
Vuln IDs
  • V-15033
Rule IDs
  • SV-15801r1_rule
Discussion: Denied transactions could be an indication of potential malicious activity on a system or network. Logging the denied traffic or transaction may provide analysts with information regarding attempts to gain unauthorized access.
Responsibility: Information Assurance Manager
IA Controls: ECAT-1
Checks: C-13462r1_chk

Review the DMZ reporting procedures to ensure denied traffic and application transactions, at any component within the DMZ, are reported to the local log aggregation/SIM capability in real time.

Fix: F-14563r1_fix

Configure the DMZ system to report denied traffic and application transactions to the appropriate local log aggregation/SIM capability in real time, generated automatically, not as a manual process or batch process.

The DMZ architecture must be designed so appropriate network separation is maintained for devices performing IA functions for different DMZ services.
Medium - V-15096 - SV-15864r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-LPSR6
Vuln IDs
  • V-15096
Rule IDs
  • SV-15864r1_rule
Discussion: Separation is required to protect private services and data from restricted and unrestricted data. The intent of the DoD DMZ initiative is to protect private data and services from those that are Internet facing, and to have situational awareness of all traffic coming in to the NIPRNet. Separation is also critical to protect restricted data from what has been approved for public release. Separating the IA devices performing functions on behalf of the different data types helps to ensure the integrity of the architecture and protect DoD private data.
Responsibility: Information Assurance Manager
IA Controls: DCPA-1
Checks: C-13537r1_chk

Verify the devices providing IA functions for different DMZ services (including, but not limited to, the email security gateway, reverse web proxy, DNS proxy, and FTP proxy) are implemented, at a minimum, on separate logical VLANs or on physically separate network segments. The separation applies to the IA controls on a per-application basis (e.g., the RWP must be logically separated from the email security gateway (EMSG)). This does not imply a load balancer function cannot reside on a Web Application Firewall. Infrastructure devices such as firewalls and IDS/IPS are not required to be separate, as their function is to monitor all traffic rather than application-specific traffic types.

Fix: F-14626r1_fix

Design the DMZ architecture so logical network separation is maintained between devices performing IA functions for different IA services, such as Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP). This requirement applies to single-function IA devices, not to infrastructure devices such as firewalls and IDS/IPS.

Each CC/S/A/FA operating or maintaining a DoD DMZ must develop a Concept of Operations (CONOPS). The CONOPS will be built in accordance with requirements in the DoD DMZ STIGs and DoD DMZ Engineering Plan.
Medium - V-17354 - SV-18405r1_rule
RMF Control: (none listed)
Severity: Medium
CCI: (none listed)
Version: DMZ-REQ
Vuln IDs
  • V-17354
Rule IDs
  • SV-18405r1_rule
Discussion: Configuration management is a key component of the security architecture of the DoD DMZ. The development, maintenance, and review of the CONOPS ensures the security requirements for the implementation are being maintained and updated as necessary to protect DoD assets and data.
Responsibility: Information Assurance Manager
IA Controls: DCFA-1
Checks: C-18060r1_chk

Review the DoD DMZ accreditation documentation to ensure all components comprising the DMZ and the network architecture are in compliance with the DoD NIPRNet DMZ Functional Requirements document and the DoD DMZ Engineering Plan (which may be obtained from the Defense Knowledge Online (DKO) web portal). The CC/S/A/FA will develop a CONOPS in accordance with the DMZ Engineering Plan; it should contain, at a minimum, backup and recovery policies, a configuration management plan, complete DMZ system and device details, architecture diagrams and traffic flows, operational policies, procedures, and responsibilities, and Network Operations (NetOps) tasks.

Fix: F-17258r1_fix

Develop a DoD DMZ CONOPS for any CC/S/A/FA DoD DMZ implementation. The CONOPS will be developed and maintained for each DoD DMZ instantiation which contains, at a minimum, backup and recovery policies, configuration management plan, system details, operational policies and procedures, architecture, and NetOps tasks.

c
Every device within the DoD DMZ must utilize a dedicated network interface for management functions.
High - V-17355 - SV-18406r2_rule
RMF Control
Severity
High
CCI
Version
DMZ-OOBMGT1.1.1
Vuln IDs
  • V-17355
Rule IDs
  • SV-18406r2_rule
Management interfaces provide immediate access to the privileged roles and configuration of devices and therefore need to be dedicated and separate from those supporting general user or production roles.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-18061r2_chk

Review the management interfaces on the infrastructure devices to ensure they have an interface dedicated to the management network. Ensure IP forwarding is not allowed (disabled) on the interface OR ensure it has an access list that only permits the management interface to communicate with the management network.

Fix: F-17259r2_fix

Configure each device within the DoD DMZ to utilize a dedicated interface for management functions only. There will be no other role associated with the management interface.

c
Traffic traversing the management network must be encrypted using Federal Information Processing Standard (FIPS) 140-2 validated cryptography.
High - V-17356 - SV-18407r1_rule
RMF Control
Severity
High
CCI
Version
DMZ-OOBMGT4
Vuln IDs
  • V-17356
Rule IDs
  • SV-18407r1_rule
Management traffic consists of privileged user account information and device configuration data. Access to this sensitive information could lead to direct access to the platform or system. Therefore, it requires encryption to ensure the confidentiality and integrity of the session.
Responsibility
Information Assurance Manager
IA Controls
ECNK-1
Checks: C-18062r1_chk

Review the infrastructure devices to ensure all management traffic is encrypted using FIPS 140-2 validated cryptography. Ensure clear text traffic services such as telnet and FTP are not enabled for the management interfaces. If the device cannot support the use of encryption for certain types of management traffic to the management server, this must be documented and approved.

Fix: F-17260r1_fix

Encrypt management traffic within a DMZ using FIPS 140-2 validated cryptography, for example, Transport Layer Security (TLS) v1, Secure Shell (SSH), etc., which are configured in accordance with the Network Infrastructure STIGs.

b
The DMZ architecture, and all associated boundary IA control devices, must deny all inbound and outbound services except those specifically implemented or permitted.
Medium - V-17357 - SV-18408r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-SVC6
Vuln IDs
  • V-17357
Rule IDs
  • SV-18408r1_rule
Allowing unknown traffic into the DMZ can make all devices within the DMZ susceptible to attack. In addition, it is the DMZ owner's responsibility to protect the NIPRNet by filtering traffic and only allowing what is specifically authorized.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-18063r1_chk

Review the ACLs on the boundary infrastructure devices (routers, firewalls, or both) against the DMZ CONOPS and system documentation to ensure the operational necessity of permitted ports, protocols, and services is still accurate. The system documentation should contain the operational statements that confirm the current need for each permitted service. The DMZ architecture will deny access to unnecessary or non-documented services.

Fix: F-17261r1_fix

Configure the DMZ architecture, and more specifically, the IA devices, to deny all inbound and outbound services except those specifically implemented or permitted based on documented operational necessity.
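The check above compares the boundary rule set against the documented operational need. The following added example (not part of the STIG; the rule format, ports and CONOPS allowlist are constructed and hypothetical) audits such a rule set for permits with no documented justification, catch-all permits, and a missing explicit final deny in each direction.

```python
"""Audit a boundary rule set against the documented operational necessity,
as the DMZ-SVC6 check describes. Added example; rule syntax, ports and the
CONOPS allowlist below are constructed and hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp" or "any"
    port: str       # port number or "any"


def parse_rules(text):
    """Parse one rule per line: <direction> <action> <proto> <port>, '#' comments."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, action, proto, port = line.split()
        rules.append(Rule(direction.lower(), action.lower(), proto.lower(), port))
    return rules


def audit(rules, documented):
    """Return findings: permits not backed by documentation, catch-all permits,
    and a missing explicit final 'deny any any' per direction."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.proto == "any" or r.port == "any":
            findings.append(f"catch-all permit: {r}")
        elif (r.direction, r.proto, r.port) not in documented:
            findings.append(f"undocumented service permitted: {r}")
    for d in ("in", "out"):
        last = [r for r in rules if r.direction == d][-1:]
        if not last or (last[0].action, last[0].proto, last[0].port) != ("deny", "any", "any"):
            findings.append(f"no explicit final deny for direction {d!r}")
    return findings


# Constructed sample rule set (direction action protocol port).
SAMPLE_RULES = """
in  permit tcp 443   # public HTTPS via the RWP
in  permit tcp 25    # SMTP relay
in  permit tcp 23    # telnet, absent from the CONOPS
in  deny   any any
out permit tcp 443
out permit udp any   # catch-all, and no final deny follows
"""
# Constructed CONOPS allowlist: (direction, protocol, port) with a documented need.
DOCUMENTED = {("in", "tcp", "443"), ("in", "tcp", "25"), ("out", "tcp", "443")}

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES), DOCUMENTED):
        print(finding)
```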

b
DoD DMZ systems must be IPv6 capable.
Medium - V-17359 - SV-18410r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-GS4.3
Vuln IDs
  • V-17359
Rule IDs
  • SV-18410r1_rule
As the DoD transitions from IPv4 to IPv6, it is critical that the DoD DMZ IA devices are capable of supporting the IPv6 protocol. If the devices do not support IPv6, additional funding and time will be spent acquiring IPv6 capable systems. IPv6 traffic must be transitioned appropriately, and if an IA device is not capable of supporting or detecting the protocol, malicious IPv6 traffic may infiltrate the DMZ.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-18065r1_chk

Review a sampling of system documentation to ensure the devices within the DMZ infrastructure are IPv6 capable. Review against the most current version of the Network Infrastructure and Backbone Transport STIGs, as well as the DoD Milestone Objective 3 (MO3) guidance, for additional IPv6 requirements.

Fix: F-17263r1_fix

Employ only IPv6 capable DMZ components.

c
DoD DMZ IA devices using signatures for detection must be updated at least daily.
High - V-17360 - SV-18411r1_rule
RMF Control
Severity
High
CCI
Version
DMZ-GS6
Vuln IDs
  • V-17360
Rule IDs
  • SV-18411r1_rule
Detection signatures must be updated daily to ensure zero-day attacks are caught prior to propagation throughout the DMZ.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-18066r1_chk

Review a sampling of DMZ IA systems to ensure that, if they use a signature detection capability (for example, a content checking mechanism), they are configured to update signatures at least daily from a trusted source approved by the IAM.

Fix: F-17264r1_fix

Update signatures at least daily for IA system components using signatures for detection.

c
Network separation must be maintained for different server types within the DoD DMZ.
High - V-17362 - SV-18413r2_rule
RMF Control
Severity
High
CCI
Version
DMZ-LPSR5
Vuln IDs
  • V-17362
Rule IDs
  • SV-18413r2_rule
Separation is required to protect Private servers from Restricted and Unrestricted servers. Separation is also required to protect Application and Database servers, if used, from Web servers. The intent of the DoD DMZ initiative is to protect Private servers from those that are Internet-facing, and to have situational awareness of all traffic coming into the NIPRNet. Separation is also critical to protect Restricted servers from Unrestricted servers. Protecting Private assets from the Internet is the fundamental principle behind the DoD DMZ. The traffic can aggregate at the firewall.
Responsibility
Information Assurance Manager
IA Controls
DCPA-1
Checks: C-18068r3_chk

1. U/R: Unrestricted web servers and Restricted web servers must be on separate logical or physical networks from each other, from the server to the DMZ firewall. Verify Restricted and Unrestricted servers are installed on separate VLANs or separate physical switches.

2. U/R and P: Unrestricted web servers and Restricted web servers must be on separate logical or physical networks from Private web servers, Application servers, or Database servers, if used, from the server to the DMZ firewall. Verify U/R servers are on separate VLANs or use physically separate switches from Private servers. Database servers, if used, housing private data will not logically reside in the DoD DMZ.

3. If Application and Database servers have been separated by service type into Unrestricted, Restricted, and Private servers (permitted but not required in Increment 1 Phase 1), they must be on separate logical or physical networks from each other by server type (Application or Database) and by service type (U/R/P). If implemented, verify that App-U, App-R, App-P, DB-U, DB-R, and DB-P are all on separate VLANs or physically separate switching infrastructure from the server to the DMZ firewall.

Refer to the DoD DMZ Technology Overview and DoD DMZ Engineering Plan for details and definitions of the three data types.

Fix: F-17266r3_fix

Configure the DoD DMZ systems to maintain logical or physical network separation between Unrestricted, Restricted, and Private servers as well as Web, Application, and Database servers.
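The three check items above reduce to one rule: each server type and service type combination (Web/App/DB crossed with U/R/P) gets its own VLAN or switch, and Private database servers do not sit in the DMZ at all. The following added example (not part of the STIG; hostnames, roles and VLAN numbers are constructed) evaluates a server inventory against that rule.

```python
"""Check the server-type separation called for by DMZ-LPSR5: no VLAN may carry
two different role/service-type classes, and Private DB servers must not reside
in a DMZ VLAN. Added example; the inventory and VLAN ids are constructed."""
from collections import defaultdict

SERVICE_TYPES = {"U", "R", "P"}   # Unrestricted, Restricted, Private
ROLES = {"Web", "App", "DB"}


def check_separation(inventory, dmz_vlans):
    """inventory: iterable of (host, role, service_type, vlan).
    dmz_vlans: set of VLAN ids that logically belong to the DoD DMZ.
    Returns a list of findings; an empty list means separation holds."""
    findings = []
    classes_on_vlan = defaultdict(set)
    for host, role, stype, vlan in inventory:
        if role not in ROLES or stype not in SERVICE_TYPES:
            findings.append(f"{host}: unknown role/type {role}-{stype}")
            continue
        # Check item 2: private data must not logically reside in the DMZ.
        if role == "DB" and stype == "P" and vlan in dmz_vlans:
            findings.append(f"{host}: Private DB server resides in DMZ VLAN {vlan}")
        classes_on_vlan[vlan].add(f"{role}-{stype}")
    # Check items 1-3: one class per VLAN, from the server to the DMZ firewall.
    for vlan, classes in sorted(classes_on_vlan.items()):
        if len(classes) > 1:
            findings.append(f"VLAN {vlan} mixes {sorted(classes)}")
    return findings


# Constructed inventory: (host, role, service type, VLAN).
SAMPLE_INVENTORY = [
    ("web-u-1", "Web", "U", 10),
    ("web-r-1", "Web", "R", 10),   # shares a VLAN with an Unrestricted web server
    ("web-p-1", "Web", "P", 20),
    ("app-u-1", "App", "U", 30),
    ("app-r-1", "App", "R", 31),
    ("db-p-1", "DB", "P", 40),     # private data placed on a DMZ VLAN
]
DMZ_VLANS = {10, 20, 30, 31, 40}  # constructed: VLANs inside the DMZ

if __name__ == "__main__":
    for finding in check_separation(SAMPLE_INVENTORY, DMZ_VLANS):
        print(finding)
```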

c
A resource/device must not be shared for termination of encrypted private traffic and unrestricted/restricted applications or services.
High - V-17364 - SV-18415r2_rule
RMF Control
Severity
High
CCI
Version
DMZ-LPSR12
Vuln IDs
  • V-17364
Rule IDs
  • SV-18415r2_rule
Termination end points must not share resources for any private application. Private means services are NIPRNet only and not accessible to the Internet. Unrestricted or Restricted services are accessible from the Internet. Therefore, in order to maintain separation, the types of data must not share resources. The DMZ architecture and placement forces the separation for U/R from Private traffic. This requirement is for the termination device to not be shared between U/R traffic which will reside in the DMZ (Internet facing) and Private traffic which will not reside in the DMZ and will only be accessible via the NIPRNet. Although the encrypted traffic rides the same circuit to the point of presence, the traffic will need to be routed appropriately to the correct termination device dependent on the data type. This requires two different termination devices (e.g., Reverse Web Proxy (RWP)), one for Private and one for U/R.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-18070r2_chk

Verify any device (e.g., RWP) terminating encrypted traffic for a private application does not also provide any service to Restricted or Unrestricted applications and services. Verify upstream switches, routers, and firewalls block the private termination device from Internet access.

Fix: F-17268r2_fix

Configure the devices terminating encrypted traffic for private applications/services, so they do not also provide any service for restricted or unrestricted applications. The private termination device must not be reachable from the Internet.

c
The DoD DMZ must be connected to the Internet and NIPRNet with a peering, or completely dedicated perimeter, in-line firewall that performs deep packet inspection.
High - V-17866 - SV-19171r1_rule
RMF Control
Severity
High
CCI
Version
DMZ-13
Vuln IDs
  • V-17866
Rule IDs
  • SV-19171r1_rule
Basic security requires firewalling technologies to inspect and secure traffic between the DoD DMZ and the Internet or the NIPRNet.
Responsibility
Information Assurance Manager
IA Controls
EBBD-1, EBBD-2, EBBD-3
Checks: C-13325r1_chk

Review the DMZ architecture to determine if a perimeter firewall, or separate firewall, configured in accordance with the Firewall STIGs, is in place and operational between the DMZ, Internet, and NIPRNet. This is a separate requirement from the General Business LAN firewall requirement in the Network Infrastructure STIGs. The Firewall STIG details the deep packet inspection requirement for firewalls.

Fix: F-14429r1_fix

Connect the DoD DMZ to the Internet and NIPRNet via a peering, or completely dedicated perimeter, in-line firewall that performs deep packet inspection.

b
The DoD DMZ must have a dedicated management network for device management and security information traffic flows.
Medium - V-26837 - SV-34115r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-MGMT
Vuln IDs
  • V-26837
Rule IDs
  • SV-34115r1_rule
From an architectural point of view, providing a dedicated network for the management of network systems is the best first step in any management strategy. No production traffic resides on a management network. The biggest advantage of implementing a management network is the ability to provide support and maintenance to a network that has become degraded or compromised. During an outage or degradation period the in-band management link may not be available. The consequences of loss of availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures. Maintenance support for key IT assets must be available to respond 24x7 immediately upon failure.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-34551r1_chk

Review the DoD DMZ architecture to ensure there is a separate, dedicated management network for all privileged level device access and all IA related traffic flows.

Fix: F-30128r1_fix

Engineer the management network so all security related traffic, privileged level access to devices, etc., will traverse a dedicated management network.

b
The DoD DMZ must contain an RWP for all http/https traffic flows.
Medium - V-26872 - SV-34152r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-RWP
Vuln IDs
  • V-26872
Rule IDs
  • SV-34152r1_rule
An integral component within the DoD DMZ architecture is the utilization of an RWP for application traffic flows. The RWP brokers the HTTP/HTTPS connection so there is not a direct connection between the DoD host and the Internet. A direct connection to the Internet provides a direct avenue for attack against DoD hosting systems.
Responsibility
Information Assurance Manager
IA Controls
EBBD-1, EBBD-2
Checks: C-34556r1_chk

Review the DMZ architecture to ensure all http/https traffic flows through a reverse web proxy and all http/https connections are brokered by the RWP. The RWP will employ, at a minimum, logical separation between Unrestricted data and Restricted data with separate VLANs at the subnets.

Fix: F-30058r1_fix

Employ an RWP as part of the DMZ architecture and require all HTTP/HTTPS connections to be brokered by the RWP.

b
The DoD DMZ Reverse Web Proxy (RWP) must support the use of TLSv1 and SSLv3.
Medium - V-26874 - SV-34154r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-RWP1
Vuln IDs
  • V-26874
Rule IDs
  • SV-34154r1_rule
As DoD policy, to include the STIGs, requires the use of newer encryption standards such as SSLv3 and TLSv1, it is important to ensure all information assurance devices, such as the RWP, support the newer standards.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-34559r1_chk

Review the RWP vendor documentation to ensure the RWP supports the use of TLSv1 and SSLv3.

Fix: F-30060r1_fix

Ensure the reverse web proxy supports the use of TLSv1 and SSLv3.

b
The DoD DMZ must contain a Security Information Manager (SIM) providing real-time analysis of security alerts generated by DoD DMZ components, to include the supporting network infrastructure.
Medium - V-26880 - SV-34160r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-SIM
Vuln IDs
  • V-26880
Rule IDs
  • SV-34160r1_rule
As the SIM is the repository for alert and event data from all DoD DMZ systems, it is a critical security component of the DoD DMZ architecture. The SIM provides the capability to process inbound event and/or alert data with business logic in near real time and to capture security relevant event data and logs, which are used by security analysts to detect anomalies throughout the network and connected systems.
Responsibility
Information Assurance Manager
IA Controls
ECSC-1
Checks: C-34564r1_chk

Review the DMZ architecture to ensure a SIM is located within the DMZ to capture and process security relevant event data.

Fix: F-30062r1_fix

Deploy a SIM within the DoD DMZ providing real-time analysis of security alerts generated by DoD DMZ network hardware and applications.

b
A syslog server must be deployed in the management network.
Medium - V-27203 - SV-34502r1_rule
RMF Control
Severity
Medium
CCI
Version
DMZ-SYSLOG
Vuln IDs
  • V-27203
Rule IDs
  • SV-34502r1_rule
Logging is a critical security function, and sending log data to a central repository such as a syslog server provides the information for further analysis.
Responsibility
Information Assurance Manager
IA Controls
ECAT-1
Checks: C-34736r1_chk

Review the DMZ architecture to ensure a syslog server is deployed and operational within the management network so that DMZ devices can send their log data to it.

Fix: F-30134r1_fix

Deploy a syslog server within the DoD DMZ management network architecture.