Network Policy Security Technical Implementation Guide

U_Network_Policy_V8R17_Manual-XCCDF.xml

Details

Version / Release: V8R17

Published: 2014-04-04

Updated At: 2018-09-23 05:14:33



    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-8532r2_rule NET0090 MEDIUM Network topology diagrams for the enclave must be maintained and up to date at all times. To assist in the management, auditing, and security of the network infrastructure facility drawings and topology maps are a necessity. Topology maps are important because they show the overall layout of the network infrastructure and where devices are physically located. They also show the relationship and interconnectivity between devices and where possible intrusive attacks could take place. Having up to date network topology diagrams will also help show what the security, traffic, and physical impact of adding a new user(s) will be on the network.Information Assurance OfficerDCHW-1, ECSC-1
    SV-8533r2_rule NET0130 MEDIUM All external connections must be validated and approved by the CAP and DAA, SNAP or CCAO requirements have been met, and MOA and MOU is established between enclaves, prior to connections. Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation along with diagrams of the network topology is required to be submitted to the Connection Approval Process (CAP) for approval to connect to the NIPRNet or SIPRNet. SIPRNet connections must also comply with the documentation required by the Classified Connection Approval Office (CCAO) to receive the SIPRNet Interim Approval to Connect (IATC) or final Approval to Connect (ATC). Also any additional requirements must be met as outlined in the Interim Authority to Operate (IATO) or Authority to Operate (ATO) forms signed by the Designated Approving Authority (DAA). Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be established between the two sites prior to connecting with each other. This documentation along with diagrams of the network topology is required to be submitted to the CAP for approval to connect to the NIPRNet or SIPRNet. The policy must ensure that all connections to external networks should conform equally. The DREN and SREN are DoD's Research & Engineering Network. A DoD Network that is the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated as a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer ASD (NII)/DoD CIO. A DISN enclave should not have connectivity to the DREN unless approved by the DAA and meets the requirements defined for all external connections previously described. Information Assurance OfficerEBCR-1
    SV-8534r3_rule NET0135 MEDIUM External connections to the network must be reviewed and the documentation updated semi-annually, at a minimum. A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated as untrusted networks. Reviewing who or what the network is connected to empowers the security manager to make sound judgements and security recommendations. Minimizing backdoor circuits and connections reduces the risk for unauthorized access to network resources.Information Assurance OfficerEBCR-1, ECSC-1
    SV-8535r2_rule NET0140 LOW The connection between the CSU/DSU and the local exchange carriers (LEC) data service jack (i.e., demarc) must be located in a secure environment. DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure.Information Assurance OfficerECSC-1
    SV-8536r2_rule NET0141 LOW Network management modems connected to all Channel Service Units (CSUs)/Data Service Units (DSUs) must be disconnected when not in use. DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore: unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure.Information Assurance OfficerECND-1, ECND-2, ECSC-1
    SV-8537r2_rule NET0160 HIGH Written approval must obtained from the GIG Waiver Panel or the Office of the DoD Chief Information Officer (DoD CIO) prior to establishing an ISP connection. Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect internal network resources from cyber attacks originating from external Internet sources by protective environments. Direct ISP connections are prohibited unless written approval is obtained from the Global Information Grid (GIG) Waiver Panel or the Office of the DoD CIO who directs the GIG Panel.Information Assurance OfficerInformation Assurance ManagerEBCR-1, ECSC-1
    SV-8538r3_rule NET0170 MEDIUM External network connections must not bypass the organizations perimeter security devices unless documented and approved by the DAA. Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networks to the organization are considered to be untrusted, this could prove detrimental since there is no way to verify traffic inbound or outbound on this backdoor connection. An attacker could carry out attacks or steal data from the organization without any notification. An external connection is considered to be any link from the organization's perimeter to the NIPRNet, SIPRNet, Commercial ISP, or other untrusted network outside the organization's defined security policy. The DREN and SREN are DoD's Research & Engineering Network. A DoD Network that is the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated as a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer ASD (NII)/DoD CIO. A DISN enclave should not have connectivity to the DREN unless approved by the DAA and the requirements have been met for all external connections described in NET0130.Information Assurance OfficerEBCR-1, ECSC-1
    SV-8540r2_rule NET0210 MEDIUM All network infrastructure devices (i.e., IDS, routers, RAS, NAS, firewalls, etc.) must be located in a secure room with limited access. If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security compromise. It is not sufficient to limit access to only the outside world or non-site personnel. Not everyone within the site has the need-to-know or the need-for-access to communication devices. Information Assurance OfficerECSC-1
    SV-8541r2_rule NET0260 MEDIUM All passwords must be created and maintained in accordance with the rules outlined in DoDi 8500.2, IAIA-1, and IAIA-2. Devices protected with weak password schemes provide the opportunity for anyone to crack the password, gaining access to the device and causing network, device, or information damage or denial of service.Information Assurance OfficerECSC-1
    SV-8542r2_rule NET0270 MEDIUM Locally configured passwords used on communications devices must be recorded then stored in a secure and controlled manner. Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time consuming password recovery techniques and denial of administrator access, in the event a password is forgotten or the individual with the access is incapacitated. Router configurations contain passwords in clear text. This must be encrypted for use in areas where this can be compromised.Information Assurance OfficerDCBP-1, ECSC-1
    SV-8544r2_rule NET0420 MEDIUM A key management policy must be implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption. If the MD5 keys used for routing protocols are guessed, the malicious user could create havoc within the network and between subscribing networks by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed.Information Assurance OfficerIAKM-1, IAKM-2, IAKM-3
    SV-8545r1_rule NET1628 MEDIUM The IAO/NSO will ensure modems are not connected to the console port. Access to network devices via a modem is potentially very risky. If an intruder were to gain access via a modem, the potential for denial of service attacks, interception of sensitive information, and other destructive actions is greatly increased. The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network.Information Assurance OfficerECSC-1
    SV-8546r1_rule NET1025 LOW The IAO/NSO will ensure a centralized syslog server is deployed and configured by the syslog administrator to store all syslog messages for a minimum of 30 days online and then stored offline for one year. Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Information Assurance OfficerECSC-1, ECTB-1
    SV-8547r1_rule NET1040 LOW The IAO will ensure all current and previous router and switch configurations are stored in a secured location. Storage can take place on a classified network, an OOB network, or offline. The configurations can only be accessed by the server or network administrator. If the router or switch's non-volatile memory are lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a longer than acceptable time.Information Assurance OfficerCOBR-1, ECSC-1
    SV-8548r1_rule NET1060 HIGH The IAO will ensure that passwords contained within a router, switch, or firewall configuration file are not stored offline unencrypted. Many attacks on DOD computer systems are launched from within the network by unsatisfied or disgruntled employees, therefore, it is imperative that all router passwords are encrypted so they cannot be intercepted by viewing the console. If the router network is compromised, then large parts of the network could be incapacitated with only a few commands.Information Assurance OfficerECSC-1
    SV-8549r1_rule NET1070 MEDIUM The IAO/NSO will authorize and maintain justification for all TFTP implementations. TFTP requies no password.Information Assurance OfficerDCBP-1, ECSC-1
    SV-8550r1_rule NET1110 MEDIUM The IAO/NSO will ensure all changes and updates are documented in a manner suitable for review and audit. Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes in the network will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.Information Assurance OfficerDCCB-1, DCCB-2, ECSC-1
    SV-8551r2_rule NET0345 MEDIUM Firewalls must have a protection profile by the NIAP Evaluation and Validation Program before being placed on the network. The only assurance that the firewall meets or exceeds the minimum security requirements is the evaluation and validation by an accredited licensed/approved evaluation facility.Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1
    SV-8552r2_rule NET0351 MEDIUM When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the DMZ. The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the ability to screen content for all three destinations.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1
    SV-8553r2_rule NET0384 LOW The firewall administrator must subscribe to the vendors vulnerability mailing list to be made aware of required upgrades and patches. Not being on the vendors vulnerability list can lead to the firewall software not being updated when a new release or security patch is released by the vendor.Information Assurance OfficerECSC-1
    SV-8554r1_rule NET1280 LOW The IAO/NSO will ensure there is a review on a daily basis, of the firewall log data by the firewall administrator (FA), or other qualified personnel, to determine if attacks or inappropriate activity has occurred. The firewall logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. Information Assurance OfficerECAT-1, ECAT-2, ECSC-1
    SV-8556r3_rule NET1284 LOW The organizations firewall configurations must be backed up weekly and whenever configuration changes occur. Without a proper backup plan, a recovery of the device can take an extensive amount of time and resources to get the device back online. Information Assurance OfficerCODB-1, CODB-2, CODB-3, ECSC-1
    SV-8557r2_rule NET1286 LOW The organization must back up audit logs weekly. Audit logs can be used for forensic analysis in support of incident response and to aid with normal traffic analysis. A backup scheme to move audit logs offine for archiving is necessary in case of a potential outage where current logs are unavailable.Information Assurance OfficerECSC-1, ECTB-1
    SV-8561r2_rule NET1328 LOW Data reviewed from the enclave IDS/IPS must be restricted to CNDSP and local authorized personnel only. It is imperative traffic from the IDPS monitoring enclave traffic is only reviewed and monitored by trusted and authorized personnel with a need to know.Information Assurance OfficerDCCS-2, ECSC-1
    SV-8562r1_rule NET1340 MEDIUM The IAO/NSO will establish policies outlining procedures to notify U.S. Cyber Command when suspicious activity is observed. A network intrusion system is a policy enforcement mechanism that the site must use to enforce the Enclave Security Policy. If a clear policy has not be established for reporting suspicious activity to the U.S. Cyber Command (USCYBERCOM), then the site, and possibly all of DoD, is at a greater risk for exposure.Information Assurance OfficerECSC-1, VIIR-1, VIIR-2
    SV-8563r1_rule NET1342 MEDIUM The IAO/NSO will ensure that authorized reviewers of Network IDS data are identified in writing by the site’s IAM. To preserve the chain of custody for possible legal action, all reviewers of the NID data must be have an authorization letter from the site commander outlining the individuals need to know.Information Assurance OfficerECAN-1, ECSC-1
    SV-8564r2_rule NET-IDPS-033 MEDIUM The organization must establish weekly data backup procedures for the network IDS/IPS data.The organization must establish weekly data backup procedures for the network IDS/IPS. IDS/IPS data needs to be backed up to ensure preservation in the case a loss of IDS/IPS data due to hardware failure or malicious activity.Information Assurance OfficerCODB-1, CODB-2, CODB-3, ECSC-1
    SV-8566r1_rule NET-IDPS-035 LOW The Network IDS administrator will subscribe to the vendor’s vulnerability mailing list. The Network IDS administrator will update the Network IDS when software is provided by Field Security Operations for the RealSecure distribution, and for all other Network IDS software distributions when a security-related update is provided by the vendor. Keeping the NID software updated with the latest engine and attack signatures will allow for the NID to detect all forms of known attacks. Not maintaining the NID properly could allow for attacks to go unnoticed.Information Assurance OfficerECSC-1
    SV-8567r2_rule NET-VLAN-001 MEDIUM The organization must ensure all switches and associated cross-connect hardware are kept in a secure IDF or an enclosed cabinet that is kept locked. Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or an enclosed cabinet that is kept locked. This will also prevent an attacker from gaining privilege mode access to the switch. Several switch products only require a reboot of the switch in order to reset or recover the password.Information Assurance OfficerECSC-1
    SV-8578r1_rule NET1670 LOW The IAO/NSO will establish and maintain a standard operating procedure managing SNMP community strings and usernames to include the following: - Community string and username expiration period - SNMP community string and username distribution including determination of membership Without a SOP to manage the SNMP community strings, the chance that these strings will be used to gain access to network managed devices is increased. If an attacker gains access to network devices, denial of service, interception of sensitive information, or other destructive actions could take place. Information Assurance OfficerECSC-1, IAIA-1, IAIA-2
    SV-8579r2_rule NET1730 MEDIUM The IAO/NSO will ensure that the management workstation is located in a secure environment. Many attacks on DOD computer systems are launched from within the network by unsatisfied or disgruntled employees, therefore, it is imperative that the NMS be located in a secure area that allows access to authorized personnel only. If unauthorized users gain access to the NMS, they could change device configurations, cause network disruptions, or create denial of service conditions. Information Assurance OfficerECSC-1, PEPF-1, PEPF-2
    SV-8580r1_rule NET1740 MEDIUM The IAO/NSO will ensure that only those accounts necessary for the operation of the system and for access logging are maintained. Without proper account maintenance, unauthorized users could gain access to the NMS. If unauthorized users gain access to the NMS through an invalid account they could change device configurations or cause denial of service conditions. Information Assurance OfficerECSC-1, IAAC-1
    SV-8585r2_rule NET0198 LOW DHCP audit and event logs must log hostnames and MAC addresses to be stored online for thirty days and offline for one year. In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server.Information Assurance OfficerDCBP-1, ECAR-1, ECAR-2, ECAR-3, ECSC-1
    SV-8586r2_rule NET0199 LOW DHCP servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of thirty days. In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days.Information Assurance OfficerECSC-1
    SV-8758r2_rule NET-IDPS-021 MEDIUM An IDPS must be installed, operational and actively monitored in a physical location that monitors all unencrypted traffic entering and leaving the enclave. Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8, “DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and platform IT interconnections) shall be monitored to detect and react to incidents, intrusions, disruption of services, or other unauthorized activities (including insider threat) that threaten the security of DOD operations or IT resources, including internal misuse.” An Intrusion Prevention System (IPS) allows the sensor to monitor, alert, and actively attempt to drop/block malicious traffic. An Intrusion Detection System (IDS) uses a passive method; receiving a copy of the packets to analyze and alert authorized persons about any malicious activity. While an IDS or an IPS in a passive role cannot stop the attack itself, it can typically notify and dynamically assign ACLs or other rules to a firewall or router for filtering. The preferred method of installation is to have the IDPS configured for inline mode. Only when there is a valid technical reason, should the IDPS be placed into a passive or IDS mode. For a full uninhibited view of the traffic, the IDPS must sit behind the enclave’s firewall. This will allow the IDPS to monitor all traffic unencrypted, entering or leaving the enclave.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1
    SV-8759r1_rule NET1344 MEDIUM The IAO/NSO will ensure that any unauthorized traffic is logged for further investigation. Audit logs are necessary to provide a trail of evidence in case the network is compromised. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker. Information supplied by an IDS can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis.Information Assurance OfficerECAT-1, ECAT-2, ECSC-1
    SV-8760r1_rule NET-TUNL-027 LOW The IAM will ensure that the site retains administrative oversight and control privileges on the IPSEC/VPN device within their security enclave if access is granted to the local network. Without administrative oversight and control privileges on the VPN device, the site would have no way of verifying the security controls placed on the device.Information Assurance OfficerECSC-1
    SV-8778r6_rule WIR0005 HIGH All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information. Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system including associated services and peripherals, is conducted before approving. Accept risks only when needed to meet mission requirements.Information Assurance OfficerDesignated Approving AuthorityInformation Assurance ManagerECWN-1
    SV-8779r6_rule WIR0015 LOW The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to store, process, and transmit DoD data since these devices can be easily lost or stolen leading to possible exposure of DoD data.System AdministratorInformation Assurance OfficerDCHW-1
    SV-8792r5_rule WIR0020 LOW Wireless devices connecting directly or indirectly to the network must be included in the site security plan. The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.Information Assurance OfficerDesignated Approving AuthorityEBCR-1
    SV-12294r3_rule NET0369 HIGH A deny by default security posture must be implemented for traffic entering and leaving the enclave. To prevent malicious or accidental leakage of traffic, organizations must implement a deny by default security posture. Perimeter routers, boundary controllers, or firewalls must deny all incoming and outgoing traffic not expressly permitted. Such rulesets prevent many malicious exploits or accidental leakage by regulating the ports, protocols, or services necessary to the enclave. Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1
    SV-12625r5_rule WIR0035 HIGH Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO). Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices.Information Assurance OfficerInformation Assurance ManagerOtherECSC-1, ECWN-1
    SV-12654r1_rule NET1815 MEDIUM The IAM will ensure REL LAN environments are documented in the SSAA. The IAM will ensure REL LAN environments are documented in the SSAA.Information Assurance OfficerECSC-1
    SV-12655r1_rule NET1816 MEDIUM The IAM will ensure annual reviews are performed on REL LAN environments. If a REL LAN environment is present the IAM will ensure REL LAN reviews are performed annually.Information Assurance OfficerECSC-1
    SV-12659r4_rule WIR0040 MEDIUM Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.System AdministratorInformation Assurance OfficerECWN-1
    SV-14593r5_rule WIR0030 LOW All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. Information Assurance OfficerInformation Assurance ManagerECWN-1, PRTN-1
    SV-14615r3_rule WIR0130 LOW WLAN equipment obtained through acquisition programs must be JITC interoperability certified. Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without JITC certification will fail to interoperate. WLAN equipment is also required to be WPA2 certified (verified in another check procedure), which also provides significant interoperability assurance. The Wi-Fi Alliance WPA2 certification is not granted unless the product also has a radio subsystem compliant with the IEEE 802.11a, b, g, or n specifications. Products are tested with many other products to ensure interoperability. Information Assurance OfficerECWN-1
    SV-15259r2_rule NET0168 MEDIUM If the site has a non-DoD external connection (Approved Gateway), an external IPS/IDS must be located between the sites Approved Gateway (Service Delivery Router) and the premise router. The incorrect placement of the external IPS/IDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In order to ensure that an attempted or existing attack goes unnoticed, the data from the sensors must be monitored continuously.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3
    SV-15263r3_rule NET0346 MEDIUM All hosted NIPRNet-only applications must be located in a local enclave DMZ. Without the protection of Demilitarized Zone (DMZ) architecture, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1
    SV-15264r3_rule NET0347 LOW Accreditation documentation must be maintained and up to date to reflect the installation or modification of the organizations firewall. A firewall is the first policy enforcement mechanism that the organization uses to enforce the Enclave Security Policy. If the configuration cannot be maintained, the security for the organization is suspect and may allow for exploits to be utilized, gaining access to network resources. Procedures outlined in the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Instruction (DoDI 8510.01p), lay out the process for the enclave security architecture as they are applied to specific requirements. Each SSP will include a description of the architectural implementation of the security requirements identified in the appropriate security guidance.Information Assurance OfficerDCPR-1
    SV-15265r3_rule NET0348 MEDIUM All Internet facing applications must be logically implemented in a DoD DMZ Extension. Without the protection of Demilitarized Zone (DMZ) architecture, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such as access to the entire network, Denial of Service attacks, or theft of sensitive information.Information Assurance OfficerEBPW-1, ECSC-1
    SV-15267r2_rule NET0355 MEDIUM When protecting the boundaries of a network, the firewall and IDS/IPS must use separate components or the physical integrated device has separate hardware components (i.e., CPU, memory, etc) for the firewall and IDS/IPS. An integrated solution implemented within DoD should not waive from defense in depth practices. Many solutions available have leveraged processors and memory. Once this technology is compromised all security layers of defense are subject to DOS in a single attack. Integrated solutions within DoD require the firewall and the IDS/IPS solution to be on separate devices or CPUs that do not shared the same memory.Information Assurance OfficerEBPW-1, ECSC-1
    SV-15268r5_rule NET0365 HIGH The organization must implement a deep packet inspection solution when protecting perimeter boundaries. Deep packet inspection is an inspection engine that analyzes data at the application layer, typically layers 5 through 7 of the OSI model. Examples of deep packet inspection and application-level filtering include checking the type of attachments included in emails, such as executable or other files that could cause harm to the intended recipient; and blocking a particular website based on the type of content used, such a Java or ActiveX. Deep packet inspection is available on many types of network devices to provide protection for email, database, and web traffic.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3, ECSC-1
    SV-15441r1_rule NET1621 MEDIUM The IAO will properly register all network components in an asset management tracking system such as VMS. Vulnerability Management is the process of ensuring all network assets that are affected by an IAVM notice are addressed and corrected within a time period specified in the IAVM notice. VMS will notify Commands, Services, and Agencies of new and potential security vulnerabilities. VMS meets the DoD mandate to ensure information system vulnerability alert notifications are received and acted on by all system administrators. Keeping the inventory of assets current allows for tracking of network inventory and resources. Asset management supports a successful IAVM process. The ability to track assets improves the effective use of network assets, information assurance auditing efforts, as well as optimizing incident response times.Information Assurance OfficerVIVM-1
    SV-15442r1_rule NET1622 MEDIUM The IAO/NSO will ensure an OOB management network is in place for MAC I systems or 24x7 personnel have immediate console access (direct connection method) for communication device management. From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band network. The biggest advantage of implementing an OOB network is being able to support and maintain a network that has become degraded or compromised. During an outage or degradation period the in-band management link may not be available. The consequences of loss of availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures. Maintenance support for key IT assets must be available to respond 24x7 immediately upon failure.Information Assurance OfficerECSC-1
    SV-15462r1_rule NET1111 MEDIUM The IAO/NSO will ensure request forms are used to aid in recording the audit trail. Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces the impact of proposed changes that could interrupt the services provided. Recording all changes in the network will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.Information Assurance OfficerDCCB-1, DCCB-2, ECSC-1
    SV-15463r1_rule NET1113 MEDIUM The IAO/NSO will ensure current paper or electronic copies of configurations are maintained in a secure location. Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces the impact of proposed changes that could interrupt the services provided. Recording all changes in the network will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.Information Assurance OfficerDCCB-1, DCCB-2, ECSC-1
    SV-15473r1_rule NET0445 MEDIUM To ensure that only the authorized network administrator can access the device, the IAO/NSO will ensure device management is restricted by two-factor authentication (e.g., SecurID, DoD PKI, or alternate token logon). Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session, and audit logs, unauthorized users may gain access to managed network devices; once a device is compromised, large parts of the network could be incapacitated with only a few commands.Information Assurance OfficerECSC-1
    SV-15482r1_rule NET1281 LOW The IAO will ensure a HIDS is implemented on the syslog servers. A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notifications. The repository of messages facilitates troubleshooting when problems are encountered and can assist in performing root cause analysis. A malicious user or intruder could attempt to cover their tracks by polluting the syslog data or even forcing the server to crash. Disabling the syslog server would eliminate the visibility of the network infrastructure that security analysts depend on. The first line of defense is to ensure that the syslog server will only accept syslog packets from known managed devices and administrative access from trusted management workstations. Because syslog messages are sent from managed devices to the syslog server in clear text, an attacker on the network can easily sniff the messages. Furthermore, the syslog protocol uses UDP, which makes it relatively easy to spoof a managed device. A host intrusion detection system (HIDS) should also be implemented on the syslog server to provide access control for the syslog data as well as the necessary protection against unauthorized user and service access. Information Assurance OfficerECSC-1
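The "first line of defense" described above, accepting syslog only from known managed devices and treating UDP sources as spoofable, is shown below as an added example; it is not code from the STIG or from any collector product. The device inventory, the hostname-to-address mapping and the sample datagrams are constructed for the example, and the RFC 3164 header layout is assumed for the managed devices.

```python
import ipaddress
import re

# Constructed inventory (assumption): managed devices allowed to send syslog to
# this collector, keyed by the hostname each one writes into its header.
MANAGED_DEVICES = {
    "core-rtr1": ipaddress.ip_address("10.20.0.1"),
    "dist-sw1": ipaddress.ip_address("10.20.0.2"),
}
ALLOWED_SOURCES = set(MANAGED_DEVICES.values())

# RFC 3164 style datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def parse(payload):
    """Return facility/severity/host/msg for one datagram, or None if malformed."""
    m = SYSLOG_RE.match(payload)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give at most 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def admit(src_ip, payload):
    """Decide whether one UDP datagram is kept. Returns (kept, reason, record)."""
    src = ipaddress.ip_address(src_ip)
    if src not in ALLOWED_SOURCES:
        return False, "source not in managed-device allowlist", None
    rec = parse(payload)
    if rec is None:
        return False, "malformed header", None
    # UDP source addresses are trivially spoofable, so a datagram whose source is
    # on the allowlist but whose header hostname belongs to a different device is
    # rejected as suspect instead of being trusted on the source address alone.
    if MANAGED_DEVICES.get(rec["host"]) != src:
        return False, "hostname/source mismatch (possible spoof)", rec
    return True, "ok", rec


def triage(datagrams):
    """Run admit() over (src_ip, payload) pairs; return (kept, rejected) lists."""
    kept, rejected = [], []
    for src_ip, payload in datagrams:
        ok, reason, rec = admit(src_ip, payload)
        (kept if ok else rejected).append((src_ip, reason, rec))
    return kept, rejected


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    ("10.20.0.1", "<189>Jan  5 10:15:00 core-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("192.0.2.77", "<189>Jan  5 10:15:01 core-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("10.20.0.2", "<189>Jan  5 10:15:02 core-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty1"),
    ("10.20.0.2", "not a syslog message"),
    ("10.20.0.2", "<187>Jan  5 10:15:03 dist-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred"),
]

if __name__ == "__main__":
    kept, rejected = triage(SAMPLE)
    for src, reason, _ in rejected:
        print(f"REJECT {src}: {reason}")
    for src, _, rec in kept:
        print(f"KEEP   {src} facility={rec['facility']} severity={rec['severity']} {rec['msg']}")
```

The hostname check only raises the bar: an attacker who knows which hostname a managed device uses can still forge a matching datagram, which is why the rule also asks for a HIDS on the collector and why moving the managed devices to TCP or TLS syslog, where the platform supports it, is the durable fix.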
    SV-15483r1_rule NET1287 LOW The IAO/NSO will ensure the audit logs are protected from deletion. The firewall logs can be used for forensic analysis in support of incident response as well as to aid normal traffic analysis. It can take numerous days to recover from a firewall outage when a proper backup scheme is not used.Information Assurance OfficerECSC-1, ECTB-1
    SV-15488r1_rule NET-IDPS-022 MEDIUM The IAO will ensure IDPS components that have been evaluated and validated against existing NIAP protection profiles are placed in the network infrastructure. The only assurance that the intrusion detection/prevention system meets or exceeds the minimum security requirements is evaluation and validation by an accredited, licensed/approved evaluation facility.Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1
    SV-15490r1_rule NET1432 MEDIUM The IAO/NSO will ensure that if Sticky MAC Port Security is implemented, the running and startup configuration files are identical. Port security with sticky MAC enables the switch to be bound to one or more MAC addresses dynamically by learning the MAC address. As with static MAC port security, the number of MAC addresses it will learn is limited to the maximum allowed, as determined by the default, which is one, or the configured threshold. However, the MAC addresses learned are not persistent across a switch reboot or reload unless the running configuration is saved. Hence, the running configuration must be copied to non-volatile storage (i.e., NVRAM).Information Assurance OfficerECSC-1
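The check this rule asks for, that every sticky address learned into the running configuration has also been saved, can be automated by diffing the two configurations. The script below is an added example, not part of the STIG, and the two IOS-style configurations are constructed for it (the command syntax `switchport port-security mac-address sticky <mac>` is Cisco IOS; other platforms render sticky entries differently and would need a different pattern).

```python
import re
from collections import defaultdict

INTERFACE_RE = re.compile(r"^interface (\S+)$")
# Only lines that carry a learned address match; the bare
# "switchport port-security mac-address sticky" enable line does not.
STICKY_RE = re.compile(
    r"^\s*switchport port-security mac-address sticky "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s*$"
)


def sticky_macs(config_text):
    """Map interface name -> set of sticky MAC addresses present in the config."""
    result = defaultdict(set)
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        m = INTERFACE_RE.match(stripped)
        if m:
            current = m.group(1)
            continue
        if stripped == "!":          # end of the interface stanza
            current = None
            continue
        m = STICKY_RE.match(line)
        if m and current:
            result[current].add(m.group(1).lower())
    return dict(result)


def sticky_drift(running, startup):
    """Compare learned sticky addresses between running and startup config.
    'unsaved' entries exist only in running-config and will be lost on reload;
    'stale' entries exist only in startup-config and would re-bind a port to a
    MAC that is no longer in use after a reload."""
    run, start = sticky_macs(running), sticky_macs(startup)
    unsaved, stale = {}, {}
    for intf in sorted(set(run) | set(start)):
        r, s = run.get(intf, set()), start.get(intf, set())
        if r - s:
            unsaved[intf] = sorted(r - s)
        if s - r:
            stale[intf] = sorted(s - r)
    return {"unsaved": unsaved, "stale": stale}


# Constructed configurations (not from any real switch).
RUNNING = """\
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.6677
 switchport port-security mac-address sticky 0011.2233.8899
!
"""

STARTUP = """\
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 00aa.bbcc.ddee
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.6677
!
"""

if __name__ == "__main__":
    drift = sticky_drift(RUNNING, STARTUP)
    for intf, macs in drift["unsaved"].items():
        print(f"{intf}: unsaved sticky MACs {macs} (save running-config)")
    for intf, macs in drift["stale"].items():
        print(f"{intf}: stale sticky MACs {macs} in startup-config")
```

A non-empty "unsaved" result is the finding for this rule; on IOS the fix is `copy running-config startup-config` once the expected hosts have been learned. A non-empty "stale" result is worth reviewing too, since a reload would silently re-bind the port to the old address.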
    SV-15491r1_rule NET1433 MEDIUM The IAO will ensure that if Sticky MAC Port Security is implemented, a policy is in place that prohibits connection to the switchport unless it has been approved. Port security with sticky MAC enables the switch to be bound to one or more MAC addresses dynamically by learning the MAC address. As with static MAC port security, the number of MAC addresses it will learn is limited to the maximum allowed, as determined by the default, which is one, or the configured threshold. A connection approval process for a Sticky MAC Port Security implementation ensures ports remain disabled until the connection of a host to the switchport is approved. Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1
    SV-15492r1_rule NET1440 MEDIUM The IAO/NSO will ensure VMPS is not used to provide port authentication or dynamic VLAN assignment. VMPS allows a switch to dynamically assign VLANs to users based on the workstation’s MAC address or the user’s identity when used with the User Registration Tool. One switch is configured and designated as the VMPS server while the remainder of the switches on the segment act as VMPS clients. The VMPS server opens a UDP socket to communicate with clients and listen for their requests using the VMPS Query Protocol (VQP). When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping. If the assigned VLAN is restricted to a group of ports, VMPS verifies the requesting port against this group. If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port, the host receives an “access denied” response when VMPS is not configured in secure mode, or the port is shut down if it is in secure mode. VQP is a UDP-based protocol that does not support any form of authentication, and its data is transmitted in clear text. This makes its use in security-sensitive environments inadvisable: an attacker who is able to spoof VQP could prevent network logins with a DoS attack on the VMPS server, or even join an unauthorized VLAN. Furthermore, the VMPS database configuration file is nothing more than an ASCII text file stored on a TFTP server and downloaded to the VMPS server at startup or when VMPS is first enabled on the switch. As noted in previous sections, a network component should not use TFTP to upload or download configuration files. For these reasons, VMPS must not be used to provide port authentication or dynamic VLAN assignment. Information Assurance OfficerDCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1
    SV-15493r4_rule NET-TUNL-026 HIGH Encapsulated traffic received from another enclave or enterprise must not bypass the perimeter defense, which includes firewall and IDS/IPS devices, without being terminated and inspected before entering the enclave's private network. Allowing encapsulated traffic from other enclaves or enterprises to bypass the enclave's perimeter without being properly filtered and inspected leaves the enclave vulnerable to malicious traffic passed by the source network. Administrators must be aware of all tunnel (decapsulation) end-points so that filtering and inspection of the inner layer is assured. Routers and firewalls are recommended as tunnel end-point nodes since they typically have better configuration options and better capabilities to filter the inner IP layer. Termination in the enclave's DMZ or another service network is also an ideal location for filtering and content inspection before traffic passes into the private network.Information Assurance OfficerECSC-1
    SV-15494r1_rule NET-TUNL-028 MEDIUM Tunneling of SIPRNet across long-haul infrastructure must be accepted by the Classified Data Service Manager (DISA/GS21) via request expressing the requirement with supporting rationale and must be IAW CJCSI 6211.02C, DISN policy. If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type 1) for data protection, then DISN security criteria in accordance with reference CJCSI 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, 9 July 2008 will be presumed to have been satisfied. The CCAO requires documentation of a SIPR to NIPR tunneling solution.Information Assurance OfficerECSC-1
    SV-15495r1_rule NET-TUNL-029 MEDIUM If the tunneled SIPRNet solution over NIPRNet will be in place for more than 365 days, then the SIPRNet must be used or the IAO must be in receipt of a waiver under the GIG Waiver Policy, DoDD 8100.1. If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type 1) for data protection, then DISN security criteria in accordance with reference CJCSI 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, 9 July 2008 will be presumed to have been satisfied. If the non-DISN solution is in place for more than 365 days the site must comply with the GIG Waiver Policy, reference DoDD 8100.1, Global Information Grid (GIG) Overarching Policy, September 19, 2002.Information Assurance OfficerECSC-1
    SV-15496r1_rule NET-TUNL-030 HIGH If SIPRNet traffic is being tunneled on a commercial ISP it must be approved by the OSD GIG Waiver Panel and the IAO must be in receipt of a waiver under the GIG Waiver Policy, DoDD 8100.1. If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type 1) for data protection, then DISN security criteria in accordance with reference CJCSI 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, 9 July 2008 will be presumed to have been satisfied. If the non-DISN solution is in place for more than 365 days the site must comply with the GIG Waiver Policy, reference DoDD 8100.1, Global Information Grid (GIG) Overarching Policy, September 19, 2002.Information Assurance OfficerECSC-1
    SV-15497r1_rule NET1826 HIGH Leasing of point-to-point circuits that extend classified backside connectivity to any non-DoD, foreign or contractor facility is prohibited unless the termination is government operated in the contractor or foreign government facility. Leasing of point-to-point circuits that extend classified backside circuits to non-DoD, foreign or contractor facilities is prohibited unless the termination is government operated in the contractor or foreign government facility.Information Assurance OfficerECSC-1
    SV-15498r1_rule NET1827 MEDIUM The IAO/NSO will have all C2 and non-C2 exceptions of SIPRNet use documented in the enclave’s accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received, prior to implementation. Any exception to use SIPRNet must be documented in an update to the enclave’s accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received prior to implementation. Information Assurance OfficerECSC-1
    SV-15499r1_rule NET-TUNL-031 MEDIUM If the tunneled SIPRNet solution proposed by the DISN Service Manager is accepted, Type 1 cryptography will be employed for data protection. The need for classified tunneling across NIPRNet or a commercial IP infrastructure is approved on a “case by case” basis. The use of a commercial IP service must be approved by the OSD GIG Waiver Panel. Requirements can be referenced in DoDD 8100.1, Global Information Grid (GIG) Overarching Policy, September 19, 2002.Information Assurance OfficerECSC-1
    SV-15500r1_rule NET1830 MEDIUM The IAM will ensure the controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information. Controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information. Information Assurance OfficerECSC-1
    SV-15501r1_rule NET1832 MEDIUM The IAM will ensure the VPN tunnel demarcation is located in facilities authorized to process classified US government information, classified at the Secret Level (for SIPRNet). Tunnel terminus or demarcation point will be in facilities authorized to process classified US government information classified at the Secret level (for SIPRNet). Information Assurance OfficerECSC-1
    SV-15612r2_rule WIR0100 LOW The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P). When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise the system could interfere with or be disrupted by host nation communications systems.Information Assurance OfficerDesignated Approving AuthorityEBCR-1
    SV-15655r2_rule WIR0145-01 MEDIUM The site must scan the radio frequency spectrum for unauthorized WLAN devices. Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly degrades the IA posture of that network. If someone installs an unauthorized access point in the site’s vicinity, even if not connected to a DoD network, then site users may unknowingly or inadvertently connect to it. Once this connection occurs, the user’s traffic may be diverted to spoofed web sites and other servers to capture the user’s authentication credentials and sensitive DoD data. Finally, if an unauthorized WLAN client is operating inside or near the site, it may improperly connect to the site’s WLAN infrastructure or other network devices that improperly have left open active Wi-Fi interfaces. WIDS can help counter all of these threats. System AdministratorInformation Assurance OfficerECWN-1
    SV-15662r4_rule WIR0025 MEDIUM All wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft. DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls, WLAN access points, etc.), wireless management, and email servers are located in a secure room with limited access or otherwise secured to prevent tampering or theft.System AdministratorInformation Assurance OfficerECSC-1, ECWN-1
    SV-16017r2_rule NET-IPV6-050 HIGH When using IPv6 and IPv4 in a dual stack environment, the IPv6 security policy must mirror the IPv4 security policy. The similarities between IPv4- and IPv6-based threats lead to the conclusion that security measures developed and field proven for IPv4 should be used with IPv6. A first step in securing IPv6 deployments is to match the IPv4 security policies. Once this is accomplished, begin implementing IPv6-specific security policies for IPv6 vulnerabilities:
    - Use static neighbors for key systems.
    - Stop traffic sourced from internal (ULA) addresses from exiting the enclave.
    - Filter ICMP, but allow operational functions such as PMTU discovery.
    - Deny IPv6 fragments destined to network elements and drop fragments of packets where the upper layer cannot be determined.
    - Implement RFC 2827 ingress filtering to prevent spoofing attacks.
    - Block any source address that is a multicast address.
    - The IPv4 firewalls and filters should block the ports used by tunneling mechanisms not deployed in the network.
    - Implement application security at the host and the network with the help of firewalls until IDS/IPS functionality becomes available.
    - Authenticate BGP and IS-IS routing protocols. Use IPsec for OSPFv3 and RIPng.
    - If tunneling is used, static tunnels are preferred over dynamic because they are more secure.
    Information Assurance OfficerECSC-1
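Two parts of this rule can be tested mechanically: whether the IPv6 policy mirrors the IPv4 one, and whether the IPv6-specific filters listed above (RFC 2827, ULA egress, multicast sources, fragments to network elements, restricted ICMPv6) are applied. The following is an added example and not code from the STIG or any firewall vendor. Rules are written against zone names rather than addresses so the two families can be compared directly; the enclave prefix, the network element addresses, the sample policies and the packets are constructed, and the ICMPv6 allow set (the four types RFC 4890 says firewalls must not drop, plus echo) is an assumption for this example.

```python
import ipaddress

# Assumptions (constructed): the enclave's global IPv6 prefix and its own
# network elements (router/switch control-plane addresses).
ENCLAVE_PREFIX = ipaddress.ip_network("2001:db8:100::/48")
NETWORK_ELEMENTS = {
    ipaddress.ip_address("2001:db8:100::1"),     # perimeter router
    ipaddress.ip_address("2001:db8:100:1::1"),   # core switch
}
ULA = ipaddress.ip_network("fc00::/7")
MULTICAST = ipaddress.ip_network("ff00::/8")
# Destination unreachable, packet too big (PMTU discovery), time exceeded,
# parameter problem, echo request/reply.
ALLOWED_ICMPV6 = {1, 2, 3, 4, 128, 129}


def mirror_gaps(v4_policy, v6_policy):
    """Rules present in the IPv4 policy but missing from the IPv6 policy.
    Each rule is (action, src_zone, dst_zone, proto, dport); using zones
    instead of prefixes makes the address family drop out of the comparison."""
    return sorted(set(v4_policy) - set(v6_policy))


def ipv6_decision(direction, src, dst, proto, is_fragment=False,
                  upper_layer_known=True, icmpv6_type=None):
    """Apply the IPv6-specific checks to one packet summary.
    direction is 'in' (entering the enclave) or 'out' (leaving it)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in MULTICAST:
        return "drop: multicast source address"
    if direction == "in" and src in ENCLAVE_PREFIX:
        return "drop: inbound packet claims an internal source (RFC 2827)"
    if direction == "out" and src in ULA:
        return "drop: ULA source must not leave the enclave"
    if direction == "out" and src not in ENCLAVE_PREFIX:
        return "drop: outbound source not from enclave prefix (RFC 2827)"
    if is_fragment and dst in NETWORK_ELEMENTS:
        return "drop: fragment destined to a network element"
    if is_fragment and not upper_layer_known:
        return "drop: fragment whose upper layer cannot be determined"
    if proto == "icmpv6" and icmpv6_type not in ALLOWED_ICMPV6:
        return f"drop: ICMPv6 type {icmpv6_type} not permitted"
    return "permit"


# Constructed policies: the IPv6 side is missing the inside->outside HTTPS rule.
V4_POLICY = [
    ("permit", "outside", "dmz", "tcp", 443),
    ("permit", "inside", "outside", "tcp", 443),
    ("deny", "outside", "inside", "any", None),
]
V6_POLICY = [
    ("permit", "outside", "dmz", "tcp", 443),
    ("deny", "outside", "inside", "any", None),
]

# Constructed packet summaries: (kwargs for ipv6_decision).
PACKETS = [
    dict(direction="in", src="2001:db8:100::5", dst="2001:db8:100::10", proto="tcp"),
    dict(direction="out", src="fd00::5", dst="2001:db8::1", proto="tcp"),
    dict(direction="in", src="ff02::1", dst="2001:db8:100::10", proto="udp"),
    dict(direction="in", src="2001:db8:200::9", dst="2001:db8:100::1", proto="tcp", is_fragment=True),
    dict(direction="in", src="2001:db8:200::9", dst="2001:db8:100:2::10", proto="icmpv6", icmpv6_type=2),
    dict(direction="in", src="2001:db8:200::9", dst="2001:db8:100:2::10", proto="icmpv6", icmpv6_type=133),
    dict(direction="out", src="2001:db8:100:2::10", dst="2001:db8:200::9", proto="tcp"),
]

if __name__ == "__main__":
    for gap in mirror_gaps(V4_POLICY, V6_POLICY):
        print("IPv6 policy missing:", gap)
    for pkt in PACKETS:
        print(pkt["direction"], pkt["src"], "->", pkt["dst"], ":", ipv6_decision(**pkt))
```

The zone-based comparison is deliberately coarse: it catches a rule that was never ported, not a rule that was ported with a wrong prefix. The packet checks are ordered so that the cheapest, most certain rejections (multicast source, spoofed prefix) fire before the fragment and ICMPv6 logic.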
    SV-16070r1_rule NET-IPV6-053 HIGH The IAO/NSO will ensure the AG does not have Tunnel Broker solutions implemented for IPv6 transition. Tunnel brokers (TB) can be seen as virtual IPv6 ISPs, providing IPv6 connectivity to users already connected to the IPv4 Internet. In the emerging IPv6 Internet it is expected that many tunnel brokers will be available, so that the user will just have to pick one. TB solutions do provide authentication via IPsec, where ISATAP does not. At the time of this writing the TB trust relationships being offered by ISPs were unknown, leading to a policy denying the use of TB at an AG boundary.Information Assurance OfficerECSC-1
    SV-16071r1_rule NET-IPV6-054 HIGH The IAO/NSO will ensure that if TCP-UDP Relay is implemented in the enclave, it does not cross the enclave boundary. A malicious party may try to use Transport Relay Translator (TRT) systems to circumvent ingress filtering or to achieve some other improper use. TRT systems should implement access control to prevent such improper usage. A careless TRT implementation may be subject to buffer overflow attack, but this kind of issue is implementation dependent. Use of DNS proxies that modify resource records (RRs) will make it impossible for the resolver to verify DNSSEC signatures. Refer to RFC 3142, 'An IPv6-to-IPv4 Transport Relay Translator', for additional details.Information Assurance OfficerECSC-1
    SV-16072r1_rule NET-IPV6-055 HIGH The IAO/NSO will ensure Bump-in-the-Stack (BIS) does not cross the enclave boundary. The Bump in the Stack (BIS) [RFC2767] translation mechanism is similar to taking the NAT-PT approach with the Stateless IP/ICMP Translator (SIIT) and moving it into the OS protocol stack of each host. Unlike SIIT, however, it assumes an underlying IPv6 infrastructure. The algorithm translates, on a packet-by-packet basis, the headers of IP packets between IPv4 and IPv6, and translates the addresses in the headers between IPv4 and either IPv4-translated or IPv4-mapped IPv6 addresses. Whereas SIIT is a translation interface between IPv6 and IPv4 networks, BIS is a translation interface between IPv4 applications and the underlying IPv6 network (i.e., the network interface driver). The host stack design is based on that of a dual-stack host, with the addition of three modules: a translator, an extension name resolver, and an address mapper. Address assignment is carried out automatically using the DNS protocol, so users do not need to know whether target hosts are IPv6. This allows them to communicate with IPv6 hosts using existing IPv4 applications, as if they were dual-stack hosts with applications for both IPv4 and IPv6, and so extends the reach of dual-stack hosts. The translator translates outgoing IPv4 headers into IPv6 headers and incoming IPv6 headers into IPv4 headers (if applicable), using the header translation algorithm defined in SIIT. The extension name resolver acts as the DNS-ALG in the NAT-PT mechanism: it snoops IPv4 DNS queries and creates another query asking to resolve both ‘A’ and ‘AAAA’ records, sending the returned ‘A’ record back to the requesting IPv4 application. If only ‘AAAA’ records are returned, the resolver requests the address mapper to assign an IPv4 address corresponding to the IPv6 address. The address mapper maintains a pool of IPv4 addresses and the associations between IPv4 and IPv6 addresses. The address mapper will also assign an address when the translator receives an IPv6 packet from the network for which there is no mapping entry for the source address. Hosts cannot use security above the network layer when they communicate with IPv6 hosts through this mechanism using IPv4 applications: when the protocol data in which IP addresses are embedded is encrypted, or when the protocol data is encrypted using IP addresses as keys, it is impossible for the mechanism to translate the IPv4 data into IPv6 and vice versa. It is therefore highly desirable to upgrade to applications modified for IPv6 in order to use such security when communicating with IPv6 hosts. Information Assurance OfficerECSC-1
    SV-16081r1_rule NET-IPV6-056 HIGH The IAO/NSO will ensure a SOCKS-based gateway does not cross the enclave boundary. The SOCKS-based IPv6/IPv4 gateway mechanism is for communication between IPv4-only and IPv6-only hosts. It consists of additional functionality in both the end system (client) and the dual-stack gateway (router) to permit a communications environment that relays two terminated IPv4 and IPv6 connections at the application layer. This mechanism is based on the SOCKSv5 protocol and inherits all the features of that protocol. Existing SOCKSv5 commands are unchanged, and the protocol maintains the end-to-end security between the client and the gateway, and between the gateway and the destination. The mechanism uses a feature called DNS Name Resolving Delegation to determine IPv6 addresses, delegating the name resolution to the gateway and thus requiring no change to existing DNS servers. Since the SOCKS-based IPv6/IPv4 gateway mechanism is based on the SOCKSv5 protocol, its security features match those of SOCKSv5. The mechanism relays two "terminated" connections at the "application layer". End-to-end security is maintained on each of the relayed connections (i.e., between Client C and Gateway G, and between Gateway G and Destination D), but the mechanism does not provide end-to-end security between the original source (Client C) and the final destination (Destination D). The security of such application layer traversal is highly dependent on the particular authentication and encapsulation methods provided in a particular implementation and selected during negotiation between SOCKS client and SOCKS server. The SOCKS service is located on TCP port 1080. Port 1080 had not been reviewed by the PPS CAL at the time of this writing. RFC 1928 and RFC 3089 describe SOCKSv5 and the SOCKS-based IPv6/IPv4 Gateway Mechanism respectively. Information Assurance OfficerECSC-1
    SV-16082r1_rule NET-IPV6-057 MEDIUM The IAO/NSO will ensure the enclave boundary does not have any other IPv6 transition mechanisms implemented when supporting NAT-PT. Network Address Translation with Protocol Translation (NAT-PT), defined in [RFC2766], is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates an IPv4 datagram into a semantically equivalent IPv6 datagram or vice versa. For this service to work it has to be located at the connection point between the IPv4 network and the IPv6 network. The PT part of NAT-PT handles the interpretation and translation of the semantically equivalent IP header, either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NAT-PT also uses a pool of addresses which it dynamically assigns to the translated datagrams. The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms due to the deprecation of NAT-PT within the DoD community. However, as described in the "DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3) Requirements", some services/agencies may choose to implement this transition mechanism within an enclave. The following sub-sections provide guidelines for the use of NAT-PT within a controlled enclave. In addition to being a single point of failure, the reduced performance, coupled with limitations on the kinds of applications that work, decreases the overall value and utility of the network. NAT-PT also inhibits the ability to deploy security at the IP layer. Information Assurance OfficerECSC-1
    SV-16251r1_rule NET-IDPS-036 LOW The IDS administrator will update the Network IDS when updates are provided by the vendor. Keeping the NID software updated with the latest software and signatures will allow for the NID to detect all forms of known attacks. Not maintaining the NID properly could allow for attacks to go unnoticed.Information Assurance OfficerECSC-1
    SV-16257r1_rule NET1114 MEDIUM The IAO/NSO will ensure only authorized personnel, with proper verifiable credentials, are allowed to request changes to routing tables or service parameters. Limiting the number of people that can request changes to router tables and service parameters limits the chance of errors and thus limits the chance of creating a denial-of-service vulnerability.Information Assurance OfficerECSC-1
    SV-16721r5_rule WIR0010-01 MEDIUM Personally owned or contractor owned CMDs must not be used to transmit, receive, store, or process DoD information or connect to DoD networks. The use of unauthorized personally-owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohibits the use of personally owned or contractor owned CMDs (Bring Your Own Device – BYOD).System AdministratorInformation Assurance OfficerDesignated Approving AuthorityECSC-1, ECWN-1
    SV-18981r1_rule NET0998 MEDIUM A separate management subnet has not been implemented. To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block that will enable the management network to scale in proportion to the managed network. Information Assurance OfficerECSC-1
    SV-19142r1_rule NET0999 MEDIUM Not all management network elements have an IP address from the management address block. The management network must have its own subnet in order to enforce the control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as those used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network’s premise equipment.Information Assurance OfficerECSC-1
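The two preceding rules (a dedicated management block that can scale, and every managed element addressed from it) reduce to checks over an inventory. The script below is an added example, not part of the STIG; the management block, the production prefixes and the inventory are constructed, and the growth factor used for the capacity check is an assumption.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed for this example).
MGMT_BLOCK = "10.99.0.0/22"
PRODUCTION_BLOCKS = ["10.10.0.0/16", "10.20.0.0/16"]
# (element name, address used to manage it)
INVENTORY = [
    ("core-rtr1", "10.99.0.1"),
    ("dist-sw1", "10.99.0.2"),
    ("fw1", "10.99.0.3"),
    ("fw2", "10.99.0.3"),         # duplicate management address
    ("access-sw7", "10.20.5.7"),  # managed over a production address
    ("wlc1", "10.99.4.1"),        # one address past the end of the /22
]


def outside_block(inventory=INVENTORY, block=MGMT_BLOCK):
    """Elements whose management address is not inside the management block
    (the NET0999 finding)."""
    net = ipaddress.ip_network(block)
    return [(name, ip) for name, ip in inventory
            if ipaddress.ip_address(ip) not in net]


def in_production(inventory=INVENTORY, production=PRODUCTION_BLOCKS):
    """Elements managed through a production address, i.e. management traffic
    that shares a Layer 3 domain with operational traffic."""
    nets = [ipaddress.ip_network(p) for p in production]
    return [(name, ip) for name, ip in inventory
            if any(ipaddress.ip_address(ip) in n for n in nets)]


def block_overlaps(block=MGMT_BLOCK, production=PRODUCTION_BLOCKS):
    """Production prefixes the management block overlaps. Any hit means a
    router or firewall cannot separate management from production by prefix."""
    net = ipaddress.ip_network(block)
    return [p for p in production if net.overlaps(ipaddress.ip_network(p))]


def duplicates(inventory=INVENTORY):
    """Management addresses assigned to more than one element."""
    counts = Counter(ip for _, ip in inventory)
    return sorted(ip for ip, n in counts.items() if n > 1)


def headroom(inventory=INVENTORY, block=MGMT_BLOCK, growth_factor=2.0):
    """True if the block can hold growth_factor times the current element
    count (NET0998 asks for a block that scales with the managed network)."""
    usable = ipaddress.ip_network(block).num_addresses - 2  # network, broadcast
    return usable >= len(inventory) * growth_factor


if __name__ == "__main__":
    print("outside management block:", outside_block())
    print("managed via production address:", in_production())
    print("block overlaps production:", block_overlaps())
    print("duplicate management addresses:", duplicates())
    print("block has headroom:", headroom())
```

Elements reported by outside_block or in_production are the ones whose management traffic cannot be kept off the production Layer 3 path, which is exactly the leak the rule describes.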
    SV-19152r1_rule NET0810 LOW Two NTP servers have not been deployed in the management network. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of failure for the NTP infrastructure are eliminated. Knowing the correct time is not only crucial for proper network functioning but also for security. Compromising an NTP server opens the door to more sophisticated attacks that include NTP poisoning, replay attacks, and denial of service. Where possible, deploy multiple gateways with diverse paths to the NTP servers. An alternative design is to have one server connected to a reference clock and the other server reference an external stratum-1 server. With this scenario, the NTP clients should be configured to prefer the stratum-1 server over the stratum-2 server. The NTP servers should be configured to easily scale by creating a hierarchy of lower level (stratum-2 to stratum-15) servers to accommodate the workload. The width and depth of the hierarchy are dependent on the number of NTP clients as well as the amount of redundancy that is required. Information Assurance OfficerECSC-1
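Whether a client actually has two reachable time sources, and whether it is preferring the lower-stratum one as the rule describes, can be read from the peer table that `ntpq -p` prints. The script below is an added example, not part of the STIG or of the NTP reference implementation; the two peer listings are constructed to show a healthy client and one that has fallen back to a single stratum-2 source.

```python
# Constructed `ntpq -p` peer listings (not captured from a real system).
# Column layout: tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter.
NTPQ_HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.1.10      .GPS.            1 u   34   64  377    0.412   -0.015   0.031
+10.20.1.11      10.20.1.10       2 u   20   64  377    0.510    0.120   0.045
 10.20.1.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

NTPQ_DEGRADED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.1.11      10.20.1.10       2 u   20   64  377    0.510    0.120   0.045
 10.20.1.10      .GPS.            1 u    -   64    0    0.000    0.000   0.000
"""


def parse_ntpq(output):
    """Parse the peer table printed by `ntpq -p` into a list of dicts."""
    peers = []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or stripped.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": tally,              # '*' system peer, '+' candidate, ' ' not selected
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),  # octal shift register of the last 8 polls
        })
    return peers


def assess(output, min_sources=2):
    """Check one peer listing against the redundancy goals of NET0810."""
    peers = parse_ntpq(output)
    reachable = [p for p in peers if p["reach"] > 0 and p["stratum"] < 16]
    issues = []
    if len(reachable) < min_sources:
        issues.append(f"only {len(reachable)} reachable time source(s); need {min_sources}")
    for p in peers:
        if p not in reachable:
            issues.append(f"{p['remote']} (stratum {p['stratum']}) is unreachable")
    system_peer = next((p for p in peers if p["tally"] == "*"), None)
    lowest = min((p["stratum"] for p in reachable), default=None)
    if system_peer is not None and lowest is not None and system_peer["stratum"] != lowest:
        issues.append(f"system peer {system_peer['remote']} is stratum "
                      f"{system_peer['stratum']} but a stratum-{lowest} source is reachable")
    return {
        "reachable": [p["remote"] for p in reachable],
        "redundant": len(reachable) >= min_sources,
        "system_peer": system_peer["remote"] if system_peer else None,
        "issues": issues,
    }


if __name__ == "__main__":
    for label, listing in (("healthy", NTPQ_HEALTHY), ("degraded", NTPQ_DEGRADED)):
        report = assess(listing)
        print(label, "redundant:", report["redundant"], "system peer:", report["system_peer"])
        for issue in report["issues"]:
            print("  -", issue)
```

In the degraded listing the stratum-1 server has stopped answering, so the client is syncing from the lone stratum-2 server and the "two servers" requirement is no longer met even though time is still being served; that is the condition a periodic run of this check is meant to surface. The preference the rule asks for is configured on the client side with the `prefer` keyword (ntp.conf `server <addr> prefer`, Cisco IOS `ntp server <addr> prefer`).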
    SV-19307r1_rule NET1002 MEDIUM The management station or server is not connected to the management VLAN. If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs must be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. System AdministratorInformation Assurance OfficerECSC-1
    SV-20025r1_rule NET-IDPS-016 MEDIUM The IAO will ensure an IDPS sensor is monitoring DMZ segments housing all public servers. The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources.Information Assurance OfficerEBBD-1
    SV-20027r1_rule NET-IDPS-018 MEDIUM The IAO will ensure an IDPS sensor is monitoring Server Farms segments containing databases, private backend servers, and personnel data. The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources. Information Assurance OfficerEBBD-2
    SV-20028r1_rule NET-IDPS-019 MEDIUM The IAO will ensure an IDPS sensor is monitoring segments that house network security management servers (Network Management segments or OOB networks). The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS technology throughout the Enterprise Regional enclaves and stand-alone enclaves, system administrators can track the spread of attacks and take corrective actions to prevent attacks reaching critical resources.EBBD-2
    SV-20030r1_rule NET-IDPS-023 MEDIUM The IAO/NSO will ensure the Regional Enclave has developed a hierarchical structure that allows the local enclave (base, camp, post, station) sensor data to be exported to the regional enclave management network segment. The enterprise Regional Enclave will develop a hierarchical monitoring structure that allows the captured local enclave (base, camp, post, and station) traffic to be exported to the regional enclave for trend analysis and reporting. Responsibility: Information Assurance Officer. IA Controls: DCDS-1, ECAT-1, ECAT-2
    SV-20031r1_rule NET-IDPS-024 MEDIUM The IAO/NSO will ensure the sensor traffic in transit will be protected at all times via an OOB network or an authenticated tunnel between site locations. User interface services must be physically or logically separated from data storage and management services. Data from IDS sensors must be protected by confidentiality controls and protected from being lost or altered. Responsibility: Information Assurance Officer. IA Controls: DCNR-1, DCPA-1
    SV-20032r1_rule NET-IDPS-025 MEDIUM The SA will ensure IDPS communication traffic from the sensor to the management and database servers traverses a separate VLAN, logically separating IDPS traffic from all other enclave traffic. All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in transit from the agent to the management or database servers located on the Network Management subnet. Responsibility: Information Assurance Officer. IA Controls: DCSP-1, ECTP-1
    SV-20039r1_rule NET-IDPS-027 LOW The Network IDPS administrator will ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically to support accurate detection. Readiness is required for INFOCON levels; additional information can be found in Strategic Command Directive (SD) 527-1. Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically as needed to support accurate detection. The IAM is required to have the enclave prepared for readiness by raising INFOCON levels prior to an activity to ensure the network is as ready as possible when the operation or exercise begins. Because system and network administrators implement many of the INFOCON measures over a period of time in a pre-determined operational rhythm, commanders should raise INFOCON levels early enough to ensure completion of at least one cycle before the operational activity begins. Recommendations for possible INFOCON changes should be written into Operation Plans (OPLAN) and Concept Plans (CONPLAN). Guidelines can be found in Strategic Command Directive (SD) 527-1. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-20040r1_rule NET-IDPS-028 MEDIUM The Network IDPS administrator located at a regional enterprise enclave will establish an automated update for enterprise sensor update deployments to Base, Camp, Post and Station local networks. In a large-scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded to a dedicated FTP server within the management network. The FTP server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the FTP server periodically for new signature packs and to update themselves once the packs have been tested. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-20041r1_rule NET-IDPS-029 MEDIUM The Network IDPS administrator will ensure that if an SFTP server is used to provide updates to the sensors, the server is configured to allow read-only access to the files within the directory on which the signature packs are placed. In a large-scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded to a dedicated SFTP server within the management network. The SFTP server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the SFTP server periodically for new signature packs and to update themselves once the packs have been tested. Responsibility: Information Assurance Officer. IA Controls: ECAN-1
    SV-20042r1_rule NET-IDPS-030 MEDIUM The Network IDPS administrator will ensure that if an automated scheduler is used to provide updates to the sensors, an account is defined that only the sensors will use. In a large-scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded to a dedicated secure file server within the management network. The file server should be configured to allow read-only access to the files within the directory on which the signature packs are placed, and then only from the account that the sensors will use. The sensors can then be configured to automatically check the secure file server periodically for new signature packs and to update themselves. Responsibility: Information Assurance Officer. IA Controls: ECAN-1
    SV-20045r1_rule NET-IDPS-031 LOW The Network IDPS administrator will back up configuration settings before applying software or signature updates to ensure that existing settings are not inadvertently lost. There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., reducing false positives). For many IDPSs, signature updates cause program code to be altered or replaced, so they are really a specialized form of software update. For other IDPSs, signatures are not written in code, so a signature update is a change to the configuration data for the IDPS. Software updates can include any or all IDPS components, including sensors, agents, management servers, and consoles. Software updates for sensors and management servers, particularly appliance-based devices, are often applied by replacing an existing IDPS CD with a new one and rebooting the device. Many IDPSs run the software directly from the CD, so that no software installation is required. Other components, such as agents, require an administrator to install software or apply patches, either manually on each host or automatically through IDPS management software. Some vendors make software and signature updates available for download from their Web sites or other servers; often, the administrator interfaces for IDPSs have features for downloading and installing such updates. Administrators should verify the integrity of updates before applying them, because updates could have been inadvertently or intentionally altered or replaced. The recommended verification method depends on the update's format, as follows. Files downloaded from a Web site or FTP site: administrators should compare file checksums provided by the vendor with checksums that they compute for the downloaded files. Updates downloaded automatically through the IDPS user interface: if an update is downloaded as a single file or a set of files, either checksums provided by the vendor should be compared to checksums generated by the administrator, or the IDPS user interface itself should perform some sort of integrity check. In some cases, updates might be downloaded and installed as one action, precluding checksum verification; the IDPS user interface should check each update's integrity as part of this. Removable media (e.g., CD, DVD): vendors may not provide a specific method for customers to verify the legitimacy of removable media apparently sent by the vendors. If media verification is a concern, administrators should contact their vendors to determine how the media can be verified, such as comparing vendor-provided checksums to checksums computed for files on the media, or verifying digital signatures on the media's contents to ensure they are valid. Administrators should also consider scanning the media for malware, with the caveat that false positives might be triggered by IDPS signatures for malware on the media. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-20046r1_rule NET-IDPS-032 LOW The Network IDPS administrator will compare and verify IDPS update file checksums provided by the vendor with checksums computed from downloaded files. If removable media (CD) is used for updates, its content will be verified. There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., reducing false positives). For many IDPSs, signature updates cause program code to be altered or replaced, so they are really a specialized form of software update. For other IDPSs, signatures are not written in code, so a signature update is a change to the configuration data for the IDPS. Software updates can include any or all IDPS components, including sensors, agents, management servers, and consoles. Software updates for sensors and management servers, particularly appliance-based devices, are often applied by replacing an existing IDPS CD with a new one and rebooting the device. Many IDPSs run the software directly from the CD, so that no software installation is required. Other components, such as agents, require an administrator to install software or apply patches, either manually on each host or automatically through IDPS management software. Some vendors make software and signature updates available for download from their Web sites or other servers; often, the administrator interfaces for IDPSs have features for downloading and installing such updates. Administrators should verify the integrity of updates before applying them, because updates could have been inadvertently or intentionally altered or replaced. The recommended verification method depends on the update's format, as follows. Files downloaded from a Web site or FTP site: administrators should compare file checksums provided by the vendor with checksums that they compute for the downloaded files. Updates downloaded automatically through the IDPS user interface: if an update is downloaded as a single file or a set of files, either checksums provided by the vendor should be compared to checksums generated by the administrator, or the IDPS user interface itself should perform some sort of integrity check. In some cases, updates might be downloaded and installed as one action, precluding checksum verification; the IDPS user interface should check each update's integrity as part of this. Removable media (e.g., CD, DVD): vendors may not provide a specific method for customers to verify the legitimacy of removable media apparently sent by the vendors. If media verification is a concern, administrators should contact their vendors to determine how the media can be verified, such as comparing vendor-provided checksums to checksums computed for files on the media, or verifying digital signatures on the media's contents to ensure they are valid. Administrators should also consider scanning the media for malware, with the caveat that false positives might be triggered by IDPS signatures for malware on the media. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
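NET-IDPS-031 and NET-IDPS-032 both call for comparing a vendor-supplied checksum with one computed locally before an update is applied. The following is an added example, not text or code from the STIG or from any IDPS vendor: it parses a constructed sha256sum-style manifest (the "<digest>  <filename>" layout is an assumption about the vendor's format), hashes a constructed signature pack, and reports a match, a mismatch for a tampered copy, and a file the manifest does not cover. All file names, digests and contents are constructed.

```python
"""Verify a downloaded IDPS update against the vendor's checksum manifest.

Added example for NET-IDPS-031/032; not STIG text and not any vendor's tool.
Assumes the vendor publishes a sha256sum-style manifest ("<hex digest>  <filename>"
per line). The signature pack, its name and the manifest below are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict

# Constructed stand-ins for the file downloaded from the vendor and a tampered copy.
SIGNATURE_PACK = b"sigpack 2014.04\nalert tcp any any -> any 25 (msg:\"malformed MIME\";)\n"
TAMPERED_PACK = SIGNATURE_PACK + b"pass ip any any -> any any\n"
PACK_NAME = "sigpack-2014.04.tar.gz"

# One manifest line: 64 hex chars, then two spaces (or space + '*' for binary mode), then the file name.
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S.*)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, the digest the vendor manifest is assumed to use."""
    return hashlib.sha256(data).hexdigest()


# Constructed vendor manifest: the vendor computed the digest over the good pack,
# so it is derived here the same way rather than hard-coded.
VENDOR_MANIFEST = (
    "# sigpack checksums (constructed)\n"
    f"{sha256_hex(SIGNATURE_PACK)}  {PACK_NAME}\n"
    f"{sha256_hex(b'unrelated engine update')}  engine-7.1.bin\n"
)


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected digest. A malformed non-comment line is an error,
    not something to skip: a truncated or edited manifest must not verify quietly."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno} is not '<sha256>  <file>': {raw!r}")
        expected[m.group(2)] = m.group(1)
    return expected


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str


def verify_update(filename: str, data: bytes, manifest_text: str) -> VerifyResult:
    """Compare the locally computed digest with the vendor's entry for this file."""
    expected = parse_manifest(manifest_text)
    if filename not in expected:
        return VerifyResult(False, "no vendor checksum for file")
    actual = sha256_hex(data)
    # compare_digest does not leak where the strings diverge; cheap to use by habit.
    if not hmac.compare_digest(actual, expected[filename]):
        return VerifyResult(False, "checksum mismatch")
    return VerifyResult(True, "checksum matches vendor manifest")


if __name__ == "__main__":
    for label, blob in (("downloaded", SIGNATURE_PACK), ("tampered", TAMPERED_PACK)):
        result = verify_update(PACK_NAME, blob, VENDOR_MANIFEST)
        print(f"{label:10s} {PACK_NAME}: {'OK' if result.ok else 'REJECT'} ({result.reason})")
```

A matching checksum shows that the file is the one the manifest describes; it says nothing about the manifest itself. Obtain the manifest over a separate authenticated channel (for example the vendor's TLS site rather than the same FTP directory as the file) or, where the vendor signs it, verify that signature first, which is the digital-signature option the rule text mentions for media. Back up the sensor configuration before the verified pack is applied, as NET-IDPS-031 requires.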
    SV-20059r1_rule NET-VLAN-010 MEDIUM The IAO will ensure the Server Farm is segmented by isolating business functions such as databases, applications, web, and email using VLAN provisioning. VLANs can offer significant benefits in a multi-service network by providing a convenient way of isolating different equipment and traffic types. Network traffic with differing security policies within the server farm should be logically grouped using multiple VLANs. Each type of device or server, such as payroll, research and development, voice over IP, wireless, etc., would have mutually exclusive VLANs. This type of architecture forces layer 3 routing and thereby enables all the filtering capabilities of the layer 3 devices, in addition to strategically placed firewalls inside the enclave. Each server type should have its own VLAN. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20060r1_rule NET-VLAN-013 MEDIUM The IAO will ensure the Server Farm that provides floor space to multiple clients isolates the clients' data by separate VLANs. Data Centers that rent floor space, power and IT processing to multiple customers have additional security responsibilities to their customers. Protecting a client's data from other clients is necessary. Segmentation is used to make it harder for a client that compromises a server to get access to the information exchanged in other parts of the data center. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20067r1_rule NET-VLAN-016 MEDIUM The IAO will ensure applications with public access containing web, database and application functions that cannot be separated will be isolated on a separate VLAN in the DMZ. If an application cannot be tier separated, then the architecture will allow for logically moving the entire application and host onto a separate VLAN within the DMZ to ensure that a potential compromise does not give open access to other Server Farm components. This will be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router that will segregate traffic into a separate VLAN so that it can still maintain its current security/availability for production support. The physical location of the processing may not necessarily change. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20068r1_rule NET-VLAN-017 MEDIUM The IAO will ensure the Regional Enclave DMZ separates web traffic into an isolated VLAN. A way to reduce the risk of attacks within the DMZ is to create separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or by establishing VLANs on the firewall itself that segregate traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that cannot use backend architectures. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20069r1_rule NET-VLAN-018 MEDIUM The IAO will ensure the Regional Enclave DMZ separates FTP traffic into a VLAN. A way to reduce the risk of attacks within the DMZ is to create separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or by establishing VLANs on the firewall itself that segregate traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that cannot use backend architectures. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20071r1_rule NET-VLAN-020 MEDIUM The IAO will ensure the Regional Enclave DMZ separates instant messaging traffic into a VLAN. A way to reduce the risk of attacks within the DMZ is to create separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or by establishing VLANs on the firewall itself that segregate traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that cannot use backend architectures. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20072r1_rule NET-VLAN-021 MEDIUM The IAO will ensure the Regional Enclave DMZ separates streaming media (VoIP, Video) into a VLAN. A way to reduce the risk of attacks within the DMZ is to create separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or by establishing VLANs on the firewall itself that segregate traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that cannot use backend architectures. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20073r1_rule NET-VLAN-022 MEDIUM The IAO will ensure the Regional Enclave DMZ separates email and AD traffic into VLANs according to device type, e.g. the email front-end relay server in one VLAN and the Internet Security and Acceleration (ISA) server in another VLAN. A way to reduce the risk of attacks within the DMZ is to create separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and does not give open access to other servers within the DMZ. This can be accomplished by utilizing a Virtual Route Forwarding capability in the DMZ Internal router or by establishing VLANs on the firewall itself that segregate traffic into separate VLANs. The Regional Enclave DMZ supporting the Bases, Camps, Posts, Stations and mobile locations such as ships and tactical units provides stronger security domains by extending the protections using layer 2 provisioning for web, IM, streaming media, FTP, email, DNS, and applications that cannot use backend architectures. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20105r1_rule NET-NAC-007 LOW The IAO/NSO will ensure the network access control solution supports wired, wireless and remote access NARs (clients). Without a secure network access solution implemented, rogue and/or non-policy-compliant devices can gain access to the network and its resources. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-20106r1_rule NET-NAC-008 LOW The network access control solution will not use the DHCP mechanism to separate authenticated and non-authenticated network access requests, due to known weaknesses that allow rogue devices with self-configured IP addresses to bypass the authentication process. Layer 3 DHCP authentication is considered an insecure mechanism because of the relative ease with which it can be bypassed. A rogue device with a self-configured IP address on the secure network can effectively bypass the authentication process. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-20111r1_rule NET-NAC-030 MEDIUM The IAO/NSO will ensure wall jacks are secured with MAC address definitions on switch ports, or that Manual Authentication by the SA is used, on all access ports serving clients on which authentication software cannot be loaded (for example, printers). In a Manual Authentication implementation an SA is prompted by an authentication server during the authentication process. Instead of an authentication server making an access control decision independently, the authentication server presents an SA with a dialog box to authorize access to an endpoint entity requesting network access. A device starts as a node on the untrusted sub-enclave. The authentication server, upon receiving authorization from an SA, sends an appropriate message to the PEP, which is either a switch or wireless access point. Once initial network access is granted, the device's VLAN is switched to the trusted sub-enclave, and the authorization remains in effect until the device is removed from the network. Responsibility: Information Assurance Officer. IA Controls: DCSP-1
    SV-20117r1_rule NET-NAC-017 MEDIUM The IAO/NSO will ensure the VPN concentrator is connected to the network access control gateway's untrusted interface. Non-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Where the automated policy assessment component has been implemented, non-trusted resources also include resources that have been authenticated but have not had a successful policy assessment. The remote network access control solution for roaming workstations requires a layer 3 gateway using an 802.1x EAP architecture or a layer 3 gateway inline solution. For remote NARs, an inline gateway NAC solution is typically the only viable option. In multi-vendor environments, after successful authentication to the VPN concentrator, the traffic is forced through the NAC gateway, which communicates with an agent on the roaming workstation that passes authentication and health credentials. The NAC gateway passes authentication requests to the authentication server in the same manner it would for a local workstation. The interface on the NAC gateway is considered the untrusted interface and is treated with the same level of trust as a local workstation that has not been authenticated. Some vendors can pass authentication data directly from their VPN concentrator to their NAC solution, so the supplicant doesn't need to reauthenticate. The NAC gateway provides the policy enforcement allowing or denying the traffic to the production enclave. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-20120r1_rule NET1352 MEDIUM The Network administrator will implement additional intrusion protection that detects both specific attacks on mail and traffic types (protocols) that should not be seen on the segments containing mail servers at the regional enclave mail perimeter. Network segments containing mail servers should have an appliance or sensors installed that monitor, inspect and log all recognized mail traffic. Specific MIME types should be denied, message size violations identified, and content inspection performed to verify that header and body types match. Signatures should be implemented to enforce policies on text, video, audio, images, and applications. Real-time monitoring of email traffic is critical to preventing hackers from utilizing email to gain access to internal systems. Detection of attacks and exploits in email, such as malformed MIME, requires continuous monitoring of all email. Anti-spam technology is an essential element in mail security. The mail perimeter at the regional or standalone enclave must be capable of providing connection analysis, identifying where a message is going and where it came from by use of blacklists, whitelists, and DNS interrogation to identify spam from hijacked e-mail servers. The mail perimeter at the regional or standalone enclave must be capable of dictionary analysis processes based on a combination of URL filtering, content filtering and Bayesian filtering (dictionaries which rate words by their probability of being in a spam message). The mail perimeter at the regional or standalone enclave must be capable of providing protocol analysis by recognizing abuse of or deviation from e-mail protocols. Protocol analysis is based on forgery detection, header analysis and domain spoofing detection. Responsibility: Information Assurance Officer. IA Controls: EBBD-1
    SV-20145r2_rule NET-WIDS-001 MEDIUM The site will conduct continuous wireless IDS scanning. Note: This requirement applies to all DoD sites that operate DoD computer networks, including sites that have no authorized WLAN systems. DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. Responsibility: Information Assurance Officer. IA Controls: ECWN-1
    SV-21976r5_rule WIR0045 HIGH Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information. With the increasing popularity of wireless networking, most laptops have wireless NICs installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. These devices may also inadvertently transmit ambient sound or electronic signals. Therefore, simply disabling the transmit capability is an inadequate solution for computers processing classified information. In addition, embedded wireless cards do not meet DoD security requirements for classified wireless usage. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1
    SV-22064r3_rule WIR0125-02 MEDIUM The WLAN implementation of AES-CCMP must be FIPS 140-2 validated. Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECCT-1, ECSC-1, ECWN-1
    SV-22066r2_rule WIR0145-02 LOW WIDS sensor scan results must be saved for at least one year. DoDD 8100.2 requires ALL DoD networks to use a wireless IDS to scan for unauthorized wireless devices. If sites do not maintain scan logs, it cannot be determined whether IDS findings are isolated and harmless events or a more sustained, methodical attack on the system. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1
    SV-22070r2_rule WIR0115-02 MEDIUM The WLAN implementation of EAP-TLS must be FIPS 140-2 validated. Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECSC-1, ECWN-1
    SV-28600r1_rule NET-SRVFRM-006 MEDIUM The IAO will ensure that the server farm is protected by a reverse proxy that only allows connections from authorized hosts requesting authorized services. A reverse proxy acts on behalf of a server. The reverse proxy accepts the connection from the client and forwards it to the server. It also receives the response from the server and forwards it to the client. A reverse proxy helps protect applications by inspecting requests for malicious content. On finding malicious content in a request, the reverse proxy may simply drop the request. The reverse proxy's security checks for malicious content use one or more databases that contain a set of allowed or disallowed content. Responsibility: Database Administrator, Information Assurance Officer. IA Controls: EBBD-1
    SV-28616r2_rule NET1050 MEDIUM The organization must encrypt all network device configurations while stored offline. If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for longer than an acceptable time. Encrypting the configuration stored offline protects the data at rest and provides additional security against tampering that could cause a network outage if the configuration were put into service. Responsibility: System Administrator, Information Assurance Officer. IA Controls: COBR-1, ECCD-1
    SV-31432r3_rule WIR0123 MEDIUM WLAN access points and supporting authentication servers used for Internet-only connections must reside in a dedicated subnet off of the perimeter firewall. If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack. If the access point or its supporting authentication server is placed behind the perimeter firewall (on the internal network), then any breach of these devices could lead to attacks on other DoD information systems. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1
    SV-31437r2_rule WIR0124 MEDIUM The perimeter firewall must be configured as required for the dedicated Internet-only WLAN infrastructure subnet. If the perimeter firewall is not configured as required, users connecting to an access point may be able to compromise internal DoD information systems. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1
    SV-39891r2_rule WIR0114 MEDIUM The WLAN must be WPA2-Enterprise certified. The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA-Enterprise certified, then the equipment may not have the required security functionality to protect DoD networks and information. Responsibility: Information Assurance Officer. IA Controls: ECSC-1, ECWN-1
    SV-41919r2_rule NET0180 MEDIUM All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC). If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel, resulting in security compromise of site information and resources. Allowing subscribers onto the network whose IP addresses are not registered with the .Mil NIC may allow unauthorized users access into the network. These unauthorized users could then monitor the network, steal passwords, and access classified information. Responsibility: Information Assurance Officer, Network Security Officer. IA Controls: ECSC-1
    SV-41924r5_rule NET0185 MEDIUM IP addresses used within an organization's SIPRNet enclave must be authorized .smil.mil or .sgov.gov addresses assigned by the DoD Network Information Center (NIC). As per CNSSI No. 1016, the DoD has an enterprise-level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet as a National Security System (NSS). The use of Network Address Translation (NAT) and private IP address space inhibits the view of specialized DISN enterprise tools in tracking client-level enclave-to-enclave traffic, monitoring client use of enterprise-level application services, and detecting anomalies and potential malicious attacks in SIPRNet client application traffic flows. Enclave nodes that communicate outside the organization's enclave to other SIPRNet enclaves or enterprise services cannot use NATed private addresses via an enclave proxy without the permission of the SIPRNet DISN Authorizing Official, the DISA DAA. Responsibility: Information Assurance Officer. IA Controls: DCSP-1, ECSC-1
    SV-44284r1_rule NET0928 MEDIUM A policy must be implemented to keep Bogon/Martian rulesets up to date. A bogon route or martian address is an address that should never appear on a packet routed inbound through the perimeter device. Bogon routes and martian addresses are commonly found as the source addresses of DDoS attacks. Without a policy implemented to keep these addresses up to date, the enclave runs the risk of allowing illegitimate traffic into the enclave or even blocking legitimate traffic. Also, if there are rulesets with "any" as the source address, then Bogon/Martian filters must be applied. Bogon and Martian addresses can be kept up to date by routinely checking the IANA website or by creating an account with Team Cymru to retrieve these lists in one of many ways: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml and http://www.team-cymru.org/Services/Bogons/. Responsibility: System Administrator, Information Assurance Officer, Network Security Officer.
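NET0928 above makes two checkable statements: a ruleset that permits "any" source must have the bogon/martian denies in front of it, and the list those denies come from must be refreshed. The following is an added example, not STIG text and not a vendor tool, that goes slightly beyond the rule by also scanning perimeter log lines for permitted packets with listed sources (evidence of a gap or a stale list). The MARTIANS table holds well-known private, loopback, link-local, shared-address, multicast and reserved ranges; the feed text, its one-prefix-per-line layout, the rulesets, the log line format and the log lines are all constructed for this example.

```python
"""Audit a perimeter ruleset and its inbound log against a bogon/martian list.

Added example for NET0928; not STIG text and not a vendor tool. MARTIANS holds
well-known special-purpose ranges that are never valid inbound sources. The feed
text, the rulesets and the log lines are constructed; a real feed from IANA or
Team Cymru would also carry currently unallocated space, which is what changes
over time and why the rule wants the list maintained.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Static martians: private, loopback, link-local, shared address, multicast, reserved (v4 and v6).
MARTIANS: List[IPNet] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed feed snapshot in an assumed one-prefix-per-line layout with '#' comments.
BOGON_FEED = """\
# bogon feed snapshot (constructed)
192.0.2.0/24      # TEST-NET-1
198.18.0.0/15     # benchmarking
"""


def load_bogon_feed(text: str) -> List[IPNet]:
    """Merge the static martians with whatever the current feed lists."""
    nets: List[IPNet] = list(MARTIANS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def match_bogon(addr: str, nets: List[IPNet]) -> Optional[IPNet]:
    """Return the listed prefix containing addr, or None if it is not a bogon."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if net.version == ip.version and ip in net:
            return net
    return None


def unguarded_any_rules(rules: List[Dict[str, str]], nets: List[IPNet]) -> Dict[int, List[IPNet]]:
    """For each 'permit' rule with source 'any', list the bogon prefixes that no earlier deny covers.
    Rules are first-match, so a deny only counts if it precedes the permit."""
    gaps: Dict[int, List[IPNet]] = {}
    denied: List[IPNet] = []
    for i, rule in enumerate(rules):
        if rule["action"] == "deny" and rule["src"] != "any":
            denied.append(ipaddress.ip_network(rule["src"], strict=False))
        elif rule["action"] == "permit" and rule["src"] == "any":
            missing = [n for n in nets
                       if not any(d.version == n.version and n.subnet_of(d) for d in denied)]
            if missing:
                gaps[i] = missing
    return gaps


def hardened_rules(nets: List[IPNet]) -> List[Dict[str, str]]:
    """The shape NET0928 asks for: explicit denies for the whole current list, then the 'any' permit."""
    return [{"action": "deny", "src": str(n)} for n in nets] + [{"action": "permit", "src": "any"}]


WEAK_RULES = [{"action": "permit", "src": "any"}]  # constructed: 'any' with no bogon denies in front

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+action=(?P<action>\w+)")

# Constructed perimeter log lines; 203.0.113.10 stands in for an ordinary public source.
SAMPLE_LOG = [
    "Apr  4 10:00:01 fw1 if=outside src=10.1.2.3 dst=dmz-web action=permit proto=tcp dport=80",
    "Apr  4 10:00:02 fw1 if=outside src=203.0.113.10 dst=dmz-web action=permit proto=tcp dport=443",
    "Apr  4 10:00:03 fw1 if=outside src=192.0.2.44 dst=dmz-web action=deny proto=tcp dport=80",
    "Apr  4 10:00:04 fw1 if=outside src=198.19.5.5 dst=dmz-mail action=permit proto=tcp dport=25",
]


def permitted_bogon_sources(log_lines: List[str], nets: List[IPNet]) -> List[tuple]:
    """Permitted inbound packets whose source is on the list: the ruleset has a gap or the device's list is stale."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None or m["action"] != "permit":
            continue
        net = match_bogon(m["src"], nets)
        if net is not None:
            hits.append((m["src"], str(net)))
    return hits


if __name__ == "__main__":
    current = load_bogon_feed(BOGON_FEED)
    for idx, missing in unguarded_any_rules(WEAK_RULES, current).items():
        print(f"rule {idx}: 'permit any' not preceded by denies for {len(missing)} listed prefixes")
    for src, net in permitted_bogon_sources(SAMPLE_LOG, current):
        print(f"permitted inbound packet from {src} ({net})")
```

Run the feed refresh and this audit on the same schedule the policy sets, and regenerate the deny block from the merged list rather than editing it by hand, so a prefix that is newly allocated (and dropped from the feed) stops being blocked at the next cycle; that is the "blocking legitimate traffic" side of the rule text.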