Network Policy Security Technical Implementation Guide

Details

Version / Release: V8R17

Published: 2014-04-04

Updated At: 2018-09-23 05:14:33

Findings

    Columns: Vuln (SV rule ID), Rule Version (STIG ID), Severity, Title, Description; where the row is not truncated, the description is followed by the Responsibility and IA Controls fields.
    SV-8532r2_rule NET0090 MEDIUM Network topology diagrams for the enclave must be maintained and up to date at all times. To assist in the management, auditing, and security of the network infrastructure facility drawings and topology maps are a necessity. Topology maps are important because they show the overall layout of the network infrastructure and where devices are ph
    SV-8533r2_rule NET0130 MEDIUM All external connections must be validated and approved by the CAP and DAA, SNAP or CCAO requirements have been met, and MOA and MOU is established between enclaves, prior to connections. Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation along with diagrams of the network topology is required to be submitted to the Connection Approval Process (CAP) for approval to
    SV-8534r3_rule NET0135 MEDIUM External connections to the network must be reviewed and the documentation updated semi-annually, at a minimum. A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated as untrusted networks. Reviewing who or what the network is
    SV-8535r2_rule NET0140 LOW The connection between the CSU/DSU and the local exchange carriers (LEC) data service jack (i.e., demarc) must be located in a secure environment. DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure. Information
    SV-8536r2_rule NET0141 LOW Network management modems connected to all Channel Service Units (CSUs)/Data Service Units (DSUs) must be disconnected when not in use. DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore: unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attacks against the site and the LAN infrastructure. Informatio
    SV-8537r2_rule NET0160 HIGH Written approval must be obtained from the GIG Waiver Panel or the Office of the DoD Chief Information Officer (DoD CIO) prior to establishing an ISP connection. Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect internal network resources from cyber attacks originating
    SV-8538r3_rule NET0170 MEDIUM External network connections must not bypass the organizations perimeter security devices unless documented and approved by the DAA. Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networks to the organization are considered to be untrusted, th
    SV-8540r2_rule NET0210 MEDIUM All network infrastructure devices (i.e., IDS, routers, RAS, NAS, firewalls, etc.) must be located in a secure room with limited access. If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security compromise. It is not sufficient to limit access to only the out
    SV-8541r2_rule NET0260 MEDIUM All passwords must be created and maintained in accordance with the rules outlined in DoDi 8500.2, IAIA-1, and IAIA-2. Devices protected with weak password schemes provide the opportunity for anyone to crack the password, gaining access to the device and causing network, device, or information damage or denial of service. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-8542r2_rule NET0270 MEDIUM Locally configured passwords used on communications devices must be recorded then stored in a secure and controlled manner. Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time consuming password recovery techniques and denial of administrator access, in the event a password is forgotten or the individual with the access is i
    SV-8544r2_rule NET0420 MEDIUM A key management policy must be implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption. If the MD5 keys used for routing protocols are guessed, the malicious user could create havoc within the network and between subscribing networks by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of the
    SV-8545r1_rule NET1628 MEDIUM The IAO/NSO will ensure modems are not connected to the console port. Access to network devices via a modem is potentially very risky. If an intruder were to gain access via a modem, the potential for denial of service attacks, interception of sensitive information, and other destructive actions is greatly increased. The
    SV-8546r1_rule NET1025 LOW The IAO/NSO will ensure a centralized syslog server is deployed and configured by the syslog administrator to store all syslog messages for a minimum of 30 days online and then stored offline for one year. Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.
    SV-8547r1_rule NET1040 LOW The IAO will ensure all current and previous router and switch configurations are stored in a secured location. Storage can take place on a classified network, an OOB network, or offline. The configurations can only be accessed by the server or network administrator. If the router or switch's non-volatile memory are lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a l
    SV-8548r1_rule NET1060 HIGH The IAO will ensure that passwords contained within a router, switch, or firewall configuration file are not stored offline unencrypted. Many attacks on DOD computer systems are launched from within the network by unsatisfied or disgruntled employees, therefore, it is imperative that all router passwords are encrypted so they cannot be intercepted by viewing the console. If the router netw
    SV-8549r1_rule NET1070 MEDIUM The IAO/NSO will authorize and maintain justification for all TFTP implementations. TFTP requires no password. Responsibility: Information Assurance Officer. IA Controls: DCBP-1, ECSC-1
    SV-8550r1_rule NET1110 MEDIUM The IAO/NSO will ensure all changes and updates are documented in a manner suitable for review and audit. Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Re
    SV-8551r2_rule NET0345 MEDIUM Firewalls must have a protection profile by the NIAP Evaluation and Validation Program before being placed on the network. The only assurance that the firewall meets or exceeds the minimum security requirements is the evaluation and validation by an accredited licensed/approved evaluation facility. Responsibility: Information Assurance Officer. IA Controls: DCAS-1, DCSR-1, DCSR-2, DCSR-3, ECSC-1
    SV-8552r2_rule NET0351 MEDIUM When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the DMZ. The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the ability to screen content for all three destinations.Inform
    SV-8553r2_rule NET0384 LOW The firewall administrator must subscribe to the vendors vulnerability mailing list to be made aware of required upgrades and patches. Not being on the vendors vulnerability list can lead to the firewall software not being updated when a new release or security patch is released by the vendor. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-8554r1_rule NET1280 LOW The IAO/NSO will ensure there is a review on a daily basis, of the firewall log data by the firewall administrator (FA), or other qualified personnel, to determine if attacks or inappropriate activity has occurred. The firewall logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. Responsibility: Information Assurance Officer. IA Controls: ECAT-1, ECAT-2, ECSC-1
    SV-8556r3_rule NET1284 LOW The organizations firewall configurations must be backed up weekly and whenever configuration changes occur. Without a proper backup plan, a recovery of the device can take an extensive amount of time and resources to get the device back online. Responsibility: Information Assurance Officer. IA Controls: CODB-1, CODB-2, CODB-3, ECSC-1
    SV-8557r2_rule NET1286 LOW The organization must back up audit logs weekly. Audit logs can be used for forensic analysis in support of incident response and to aid with normal traffic analysis. A backup scheme to move audit logs offline for archiving is necessary in case of a potential outage where current logs are unavailable. Inf
    SV-8561r2_rule NET1328 LOW Data reviewed from the enclave IDS/IPS must be restricted to CNDSP and local authorized personnel only. It is imperative traffic from the IDPS monitoring enclave traffic is only reviewed and monitored by trusted and authorized personnel with a need to know. Responsibility: Information Assurance Officer. IA Controls: DCCS-2, ECSC-1
    SV-8562r1_rule NET1340 MEDIUM The IAO/NSO will establish policies outlining procedures to notify U.S. Cyber Command when suspicious activity is observed. A network intrusion system is a policy enforcement mechanism that the site must use to enforce the Enclave Security Policy. If a clear policy has not been established for reporting suspicious activity to the U.S. Cyber Command (USCYBERCOM), then the site, a
    SV-8563r1_rule NET1342 MEDIUM The IAO/NSO will ensure that authorized reviewers of Network IDS data are identified in writing by the site’s IAM. To preserve the chain of custody for possible legal action, all reviewers of the NID data must have an authorization letter from the site commander outlining the individuals need to know. Responsibility: Information Assurance Officer. IA Controls: ECAN-1, ECSC-1
    SV-8564r2_rule NET-IDPS-033 MEDIUM The organization must establish weekly data backup procedures for the network IDS/IPS data. The organization must establish weekly data backup procedures for the network IDS/IPS. IDS/IPS data needs to be backed up to ensure preservation in the case a loss of IDS/IPS data due to hardware failure or malicious activity. Responsibility: Information Assurance Officer. IA Controls: CODB-1, CODB-2, CODB-3, ECSC-1
    SV-8566r1_rule NET-IDPS-035 LOW The Network IDS administrator will subscribe to the vendor’s vulnerability mailing list. The Network IDS administrator will update the Network IDS when software is provided by Field Security Operations for the RealSecure distribution, and for all other Network IDS software distributions when a security-related update is provided by the vendor. Keeping the NID software updated with the latest engine and attack signatures will allow for the NID to detect all forms of known attacks. Not maintaining the NID properly could allow for attacks to go unnoticed. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-8567r2_rule NET-VLAN-001 MEDIUM The organization must ensure all switches and associated cross-connect hardware are kept in a secure IDF or an enclosed cabinet that is kept locked. Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or an enclosed cabinet that is kept locked. This will also preven
    SV-8578r1_rule NET1670 LOW The IAO/NSO will establish and maintain a standard operating procedure managing SNMP community strings and usernames to include the following: - Community string and username expiration period - SNMP community string and username distribution including determination of membership Without a SOP to manage the SNMP community strings, the chance that these strings will be used to gain access to network managed devices is increased. If an attacker gains access to network devices, denial of service, interception of sensitive information
    SV-8579r2_rule NET1730 MEDIUM The IAO/NSO will ensure that the management workstation is located in a secure environment. Many attacks on DOD computer systems are launched from within the network by unsatisfied or disgruntled employees, therefore, it is imperative that the NMS be located in a secure area that allows access to authorized personnel only. If unauthorized users
    SV-8580r1_rule NET1740 MEDIUM The IAO/NSO will ensure that only those accounts necessary for the operation of the system and for access logging are maintained. Without proper account maintenance, unauthorized users could gain access to the NMS. If unauthorized users gain access to the NMS through an invalid account they could change device configurations or cause denial of service conditions. Information Assura
    SV-8585r2_rule NET0198 LOW DHCP audit and event logs must log hostnames and MAC addresses to be stored online for thirty days and offline for one year. In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server. Responsibility: Information Assurance Officer. IA Controls: DCBP-1, ECAR-1, ECAR-2, ECAR-3, ECSC-1
    SV-8586r2_rule NET0199 LOW DHCP servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of thirty days. In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-8758r2_rule NET-IDPS-021 MEDIUM An IDPS must be installed, operational and actively monitored in a physical location that monitors all unencrypted traffic entering and leaving the enclave. Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8, “DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and platform IT interconnections) shall be monitored to detect and react to incidents, intrusions, disruption of services, or other una
    SV-8759r1_rule NET1344 MEDIUM The IAO/NSO will ensure that any unauthorized traffic is logged for further investigation. Audit logs are necessary to provide a trail of evidence in case the network is compromised. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker. Information supplied by an I
    SV-8760r1_rule NET-TUNL-027 LOW The IAM will ensure that the site retains administrative oversight and control privileges on the IPSEC/VPN device within their security enclave if access is granted to the local network. Without administrative oversight and control privileges on the VPN device, the site would have no way of verifying the security controls placed on the device. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-8778r6_rule WIR0005 HIGH All wireless/mobile systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information. Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for each system including associated services and peripherals, is
    SV-8779r6_rule WIR0015 LOW The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. The site must maintain a list of all DAA-approved wireless and non-wireless CMDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good inventory control over wireless and handheld devices used to
    SV-8792r5_rule WIR0020 LOW Wireless devices connecting directly or indirectly to the network must be included in the site security plan. The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must include all attached systems. If the current configuration ca
    SV-12294r3_rule NET0369 HIGH A deny by default security posture must be implemented for traffic entering and leaving the enclave. To prevent malicious or accidental leakage of traffic, organizations must implement a deny by default security posture. Perimeter routers, boundary controllers, or firewalls must deny all incoming and outgoing traffic not expressly permitted. Such ruleset
    SV-12625r5_rule WIR0035 HIGH Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO). Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices. Responsibility: Information Assurance Officer, Information Assurance Manager, Other. IA Controls: ECSC-1, ECWN-1
    SV-12654r1_rule NET1815 MEDIUM The IAM will ensure REL LAN environments are documented in the SSAA. The IAM will ensure REL LAN environments are documented in the SSAA. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-12655r1_rule NET1816 MEDIUM The IAM will ensure annual reviews are performed on REL LAN environments. If a REL LAN environment is present the IAM will ensure REL LAN reviews are performed annually. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-12659r4_rule WIR0040 MEDIUM Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this requirement to mitigate this vulnerability.System AdministratorI
    SV-14593r5_rule WIR0030 LOW All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. Use
    SV-14615r3_rule WIR0130 LOW WLAN equipment obtained through acquisition programs must be JITC interoperability certified. Interoperability certification assures that warfighters can communicate effectively in joint, combined, coalition, and interagency environments. There is some degree of risk that systems without JITC certification will fail to interoperate. WLAN equipme
    SV-15259r2_rule NET0168 MEDIUM If the site has a non-DoD external connection (Approved Gateway), an external IPS/IDS must be located between the sites Approved Gateway (Service Delivery Router) and the premise router. The incorrect placement of the external IPS/IDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In order to ensure that an attempted or existing attack goes u
    SV-15263r3_rule NET0346 MEDIUM All hosted NIPRNet-only applications must be located in a local enclave DMZ. Without the protection of Demilitarized Zone (DMZ) architecture, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such
    SV-15264r3_rule NET0347 LOW Accreditation documentation must be maintained and up to date to reflect the installation or modification of the organizations firewall. A firewall is the first policy enforcement mechanism that the organization uses to enforce the Enclave Security Policy. If the configuration cannot be maintained, the security for the organization is suspect and may allow for exploits to be utilized, gain
    SV-15265r3_rule NET0348 MEDIUM All Internet facing applications must be logically implemented in a DoD DMZ Extension. Without the protection of Demilitarized Zone (DMZ) architecture, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many undesired consequences such
    SV-15267r2_rule NET0355 MEDIUM When protecting the boundaries of a network, the firewall and IDS/IPS must use separate components or the physical integrated device has separate hardware components (i.e., CPU, memory, etc) for the firewall and IDS/IPS. An integrated solution implemented within DoD should not waive from defense in depth practices. Many solutions available have leveraged processors and memory. Once this technology is compromised all security layers of defense are subject to DOS in a singl
    SV-15268r5_rule NET0365 HIGH The organization must implement a deep packet inspection solution when protecting perimeter boundaries. Deep packet inspection is an inspection engine that analyzes data at the application layer, typically layers 5 through 7 of the OSI model. Examples of deep packet inspection and application-level filtering include checking the type of attachments include
    SV-15441r1_rule NET1621 MEDIUM The IAO will properly register all network components in an asset management tracking system such as VMS. Vulnerability Management is the process of ensuring all network assets that are affected by an IAVM notice are addressed and corrected within a time period specified in the IAVM notice. VMS will notify Commands, Services, and Agencies of new and potential
    SV-15442r1_rule NET1622 MEDIUM The IAO/NSO will ensure an OOB management network is in place for MAC I systems or 24x7 personnel have immediate console access (direct connection method) for communication device management. From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band network. The biggest advantage to implementation of an OOB ne
    SV-15462r1_rule NET1111 MEDIUM The IAO/NSO will ensure request forms are used to aid in recording the audit trail. Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Re
    SV-15463r1_rule NET1113 MEDIUM The IAO/NSO will ensure current paper or electronic copies of configurations are maintained in a secure location. Change management is the formal review process that ensures that all changes made to a system receive formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Re
    SV-15473r1_rule NET0445 MEDIUM To ensure the proper authorized network administrator is the only one who can access the device, the IAO/NSO will ensure device management is restricted by two-factor authentication (e.g., SecurID, DoD PKI, or alternate token logon). Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices compromised, large parts of the
    SV-15482r1_rule NET1281 LOW The IAO will ensure a HIDS is implemented on the syslog servers. A syslog server provides the network administrator the ability to configure all of the communication devices on a network to send log messages to a centralized host for review, correlation, reporting, and storage. This implementation provides for easier m
    SV-15483r1_rule NET1287 LOW The IAO/NSO will ensure the audit logs are protected from deletion. The firewall logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. It can take numerous days to recover from a firewall outage when a proper backup scheme is not used. Responsibility: Information Assurance Officer. IA Controls: ECS
    SV-15488r1_rule NET-IDPS-022 MEDIUM The IAO will ensure IDPS components that have been evaluated and validated against NIAP existing profiles are placed in the network infrastructure. The only assurance that the intrusion detection/protection system meets or exceeds the minimum security requirements is the evaluation and validation by an accredited licensed/approved evaluation facility. Responsibility: Information Assurance Officer. IA Controls: DCAS-1, DCSR-1, DCSR-
    SV-15490r1_rule NET1432 MEDIUM The IAO/NSO will ensure if Sticky MAC Port Security is implemented, the running and startup configuration files are identical. Port security with sticky MAC enables the switch to be set to one or more MAC addresses dynamically by learning the MAC address. As with static MAC port security, the number of MAC addresses that it will learn is limited to the maximum number allowed as d
    SV-15491r1_rule NET1433 MEDIUM The IAO will ensure that if Sticky MAC Port Security is implemented, a policy is in place that prohibits connection to the switchport unless it has been approved. Port security with sticky MAC enables the switch to be set to one or more MAC addresses dynamically by learning the MAC address. As with static MAC port security, the number of MAC addresses that it will learn is limited to the maximum number allowed as d
    SV-15492r1_rule NET1440 MEDIUM The IAO/NSO will ensure VMPS must not be used to provide port authentication or dynamic VLAN assignment. VMPS allows a switch to dynamically assign VLANs to users based on the workstation’s MAC address or the user’s identity when used with the User Registration Tool. A switch is configured and designated as the VMPS server while the remainder of the swi
    SV-15493r4_rule NET-TUNL-026 HIGH Encapsulated traffic received from another enclave or enterprise must not bypass the perimeter defense, which includes firewall and IDS/IPS devices, without being terminated and inspected before entering the enclaves private network. Allowing encapsulated traffic from other enclaves or enterprises to bypass the enclave's perimeter without being properly filtered and inspected leaves the enclave vulnerable to malicious traffic passed by the source network. Administrators must be aware
    SV-15494r1_rule NET-TUNL-028 MEDIUM Tunneling of SIPRNet across long-haul infrastructure must be accepted by the Classified Data Service Manager (DISA/GS21) via request expressing the requirement with supporting rationale and must be IAW CJCSI 6211.02C, DISN policy. If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type
    SV-15495r1_rule NET-TUNL-029 MEDIUM If the tunneled SIPRNet solution over NIPRNet will be in place for more than 365 days, then the SIPRNet must be used or the IAO be in receipt of GIG Waiver Policy, DoDD 8100.1 . If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type
    SV-15496r1_rule NET-TUNL-030 HIGH If SIPRNet traffic is being tunneled on a commercial ISP it must be approved by the OSD GIG Waiver Panel and the IAO be in receipt of GIG Waiver Policy, DoDD 8100.1 . If tunneling of SIPRNet is required, contact the Classified Data Service Manager (DISA/GS21) to express the requirements with supporting rationale. If the DISN solution proposed by the DISN Service Manager is accepted, and cryptography is employed (Type
    SV-15497r1_rule NET1826 HIGH Leasing of point-to-point circuits that extend classified backside connectivity to any non-DoD, foreign or contractor facility is prohibited unless the termination is government operated in the contractor or foreign government facility. Leasing of point-to-point circuits that extend classified backside circuits to non-DoD, foreign or contractor facilities is prohibited unless the termination is government operated in the contractor or foreign government facility. Responsibility: Information Assurance Off
    SV-15498r1_rule NET1827 MEDIUM The IAO/NSO will have all C2 and non-C2 exceptions of SIPRNet use documented in the enclave’s accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received, prior to implementation. Any exception to use SIPRNet must be documented in an update to the enclave’s accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received prior to implementation. Information Assur
    SV-15499r1_rule NET-TUNL-031 MEDIUM If the tunneled SIPRNet solution proposed by the DISN Service Manager is accepted, Type 1 cryptography will be employed for data protection. The need for classified tunneling across NIPRNet or a commercial IP infrastructure is approved on a “case by case” basis. The use of a commercial IP service must be approved by the OSD GIG Waiver Panel. Requirements can be referenced in DoDD 8100.1,
    SV-15500r1_rule NET1830 MEDIUM The IAM will ensure the controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information. Controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information. Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-15501r1_rule NET1832 MEDIUM The IAM will ensure the VPN tunnel demarcation is located in facilities authorized to process classified US government information, classified at the Secret Level (for SIPRNet). Tunnel terminus or demarcation point will be in facilities authorized to process classified US government information classified at the Secret level (for SIPRNet). Responsibility: Information Assurance Officer. IA Controls: ECSC-1
    SV-15612r2_rule WIR0100 LOW The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P). When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise the system could interfere with or be disrupted by host nation communications systems. Responsibility: Information Assurance Officer, Designated Approvin
    SV-15655r2_rule WIR0145-01 MEDIUM The site must scan the radio frequency spectrum for unauthorized WLAN devices. Unauthorized WLAN devices threaten DoD networks in a variety of ways. If someone installs an access point on a DoD network, then people may use that access point to access network resources without any perimeter security controls, which significantly deg
    SV-15662r4_rule WIR0025 MEDIUM All wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft. DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., IDS, routers, servers, Remote Access System (RAS), firewalls,
    SV-16017r2_rule NET-IPV6-050 HIGH When using IPv6 and IPv4 in a dual stack environment, the IPv6 security policy must mirror the IPv4 security policy. The similarities between IPv4- and IPv6-based threats lead to the conclusion that security measures developed and field-proven for IPv4 should be used with IPv6. A first step in securing IPv6 deployments is to match IPv4 security policies. Once this is ac
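The parity check this rule asks for is easy to state and easy to get wrong in practice, because the IPv6 ACL is usually written later and by someone else. The following is an added example, not STIG text and not any vendor's tool: the two rule lists are a constructed, vendor-neutral normalisation of a perimeter IPv4 ACL and its IPv6 counterpart, and the report lists every service permitted in one address family but not the other. The `Rule` fields, the sample rules and the first-match semantics are assumptions.

```python
"""Parity check between an IPv4 and an IPv6 perimeter policy (added example).

Rules are a constructed, vendor-neutral normalisation of two ACLs; the field
names and first-match semantics are assumptions, not any vendor's syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    zone: str      # "inbound" or "outbound" relative to the enclave perimeter
    proto: str     # "tcp", "udp", "icmp", "any"
    dst_port: str  # "443", "any", ...


def permitted_services(rules):
    """Set of (zone, proto, dst_port) the policy ends up permitting.

    First match wins, as on most ACL engines: a deny listed before a permit
    for the same key suppresses that permit.
    """
    decided = {}
    for r in rules:
        key = (r.zone, r.proto, r.dst_port)
        decided.setdefault(key, r.action)
    return {k for k, action in decided.items() if action == "permit"}


def policy_gaps(v4_rules, v6_rules):
    """Services permitted in exactly one address family. Both directions are
    gaps, since the rule asks for the two policies to mirror each other."""
    v4 = permitted_services(v4_rules)
    v6 = permitted_services(v6_rules)
    return {"only_ipv4": sorted(v4 - v6), "only_ipv6": sorted(v6 - v4)}


# Constructed sample: the IPv6 ACL was bolted on later and carries a
# catch-all permit plus an SSH rule nobody added to the IPv4 side, while
# the IPv4 side permits SMTP that IPv6 never got.
SAMPLE_V4 = [
    Rule("permit", "inbound", "tcp", "443"),
    Rule("permit", "inbound", "tcp", "25"),
    Rule("deny", "inbound", "tcp", "23"),
]
SAMPLE_V6 = [
    Rule("permit", "inbound", "tcp", "443"),
    Rule("permit", "inbound", "tcp", "22"),
    Rule("permit", "inbound", "any", "any"),
]


def example_report():
    return policy_gaps(SAMPLE_V4, SAMPLE_V6)


if __name__ == "__main__":
    for side, gaps in example_report().items():
        for zone, proto, port in gaps:
            print(f"{side}: {zone} {proto}/{port}")
```

The comparison is on normalised rule keys, not on effective reachability, which is deliberate: a catch-all `any/any` on the IPv6 side shows up as its own gap instead of being hidden behind the services it happens to cover. One place the two policies must not be identical is ICMP: ICMPv6 carries Neighbor Discovery and Path MTU Discovery, so an IPv6 policy that blocks ICMPv6 the way an IPv4 policy blocks ICMP breaks IPv6 rather than securing it; treat those keys as expected differences when reading the report.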
    SV-16070r1_rule NET-IPV6-053 HIGH The IAO/NSO will ensure AG does not have Tunnel Broker solutions implemented for IPv6 transition. Tunnel brokers (TB) can be seen as virtual IPv6 ISPs, providing IPv6 connectivity to users already connected to the IPv4 Internet. In the emerging IPv6 Internet it is expected that many tunnel brokers will be available so that the user will just have to
    SV-16071r1_rule NET-IPV6-054 HIGH The IAO/NSO will ensure if TCP-UDP Relay is implemented in the enclave it will not cross the enclave boundary. A malicious party may try to use Transport Relay Translator (TRT) systems to circumvent ingress filtering, or to achieve some other improper use. TRT systems should implement access control to prevent such improper usage. A careless TRT implementation m
    SV-16072r1_rule NET-IPV6-055 HIGH The IAO/NSO will ensure Bump-in-the-Stack (BIS) does not cross the enclave boundary. The Bump in the Stack (BIS) [RFC2767] translation mechanism is similar to taking the NAT-PT approach with Stateless IP/ICMP Translator (SIIT) and moving it to the OS protocol stack within each host. Unlike SIIT however, it assumes an underlying IPv6 infra
    SV-16081r1_rule NET-IPV6-056 HIGH The IAO/NSO will ensure SOCKS-Based Gateway does not cross the enclave boundary. The SOCKS-based IPv6/IPv4 gateway mechanism is for communication between IPv4-only and IPv6-only hosts. It consists of additional functionality in both the end system (client) and the dual-stack gateway (router) to permit a communications environment that
    SV-16082r1_rule NET-IPV6-057 MEDIUM The IAO/NSO will ensure the enclave boundary does not have any other IPv6 Transition Mechanisms implemented when supporting NAT-PT. Network Address Translation with Protocol Translation (NAT-PT), defined in [RFC2766], is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates an IPv4 datagram into a semantically equivalent IPv6 datagram or vi
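The tunnel-based mechanisms in the rules above (tunnel brokers, 6to4, ISATAP, Teredo) ride on a handful of recognisable encapsulations at the enclave boundary, so their presence can be checked from flow records. The following is an added example, not STIG text or any vendor's feature: it classifies constructed flow records by the mechanism they appear to carry, using IPv4 protocol 41 (IPv6-in-IPv4, RFC 4213; used by 6in4 tunnel brokers, 6to4 and ISATAP), UDP port 3544 (Teredo, RFC 4380), the 6to4 prefix 2002::/16 (RFC 3056) and the 6to4 relay anycast prefix 192.88.99.0/24 (RFC 3068). The flow record fields and the sample records are assumptions. The translator mechanisms (TRT, BIS, SOCKS gateway, NAT-PT) are not encapsulations and do not show up this way; they are found in the device inventory, not on the wire.

```python
"""Flag IPv6 transition-mechanism traffic in flow records (added example).

Flow fields and sample records are constructed; protocol, port and prefix
values are from the RFCs named in the comments.
"""
import ipaddress
from dataclasses import dataclass

IPV6_ENCAP_PROTO = 41                                        # RFC 4213: IPv6-in-IPv4
TEREDO_PORT = 3544                                           # RFC 4380
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")              # RFC 3056
SIX_TO_FOUR_RELAY = ipaddress.ip_network("192.88.99.0/24")   # RFC 3068 relay anycast


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int   # IP protocol number: 6 tcp, 17 udp, 41 ipv6-in-ipv4, ...
    sport: int
    dport: int


def classify(flow):
    """Return the transition mechanism a flow appears to carry, or None."""
    if flow.proto == IPV6_ENCAP_PROTO:
        return "6in4/6to4/ISATAP (protocol 41)"
    if flow.proto == 17 and TEREDO_PORT in (flow.sport, flow.dport):
        return "Teredo (UDP 3544)"
    for addr in (ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)):
        if addr.version == 6 and addr in SIX_TO_FOUR:
            return "6to4 address (2002::/16)"
        if addr.version == 4 and addr in SIX_TO_FOUR_RELAY:
            return "6to4 relay anycast (192.88.99.0/24)"
    return None


def boundary_findings(flows):
    """(flow, mechanism) for every flow that matches. Tunnels approved under
    the NET-TUNL rules must be excluded by the caller before alerting."""
    findings = []
    for f in flows:
        mech = classify(f)
        if mech:
            findings.append((f, mech))
    return findings


# Constructed sample records as seen at the perimeter.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "203.0.113.5", 41, 0, 0),               # 6in4 tunnel to a broker
    Flow("10.20.30.41", "198.51.100.9", 17, 51234, 3544),       # Teredo client
    Flow("2002:c633:6409::1", "2001:db8::10", 6, 40000, 443),   # 6to4 address (198.51.100.9 embedded)
    Flow("10.20.30.42", "198.51.100.20", 6, 40001, 443),        # ordinary IPv4 HTTPS
    Flow("2001:db8:1::5", "2001:db8:2::9", 6, 40002, 80),       # ordinary native IPv6
]


if __name__ == "__main__":
    for f, mech in boundary_findings(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}: {mech}")
```

Protocol 41 is also what an approved, Type 1 protected tunnel may look like on the outside, so the findings are a worklist to reconcile against the approved-connection documentation, not an alert list on their own. An enclave that offers native IPv6 has no reason to let protocol 41 or UDP 3544 cross its boundary at all, and denying them outright is the simpler control.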
    SV-16251r1_rule NET-IDPS-036 LOW The IDS administrator will update the Network IDS when updates are provided by the vendor. Keeping the NID software updated with the latest software and signatures will allow for the NID to detect all forms of known attacks. Not maintaining the NID properly could allow for attacks to go unnoticed. Information Assurance Officer ECSC-1
    SV-16257r1_rule NET1114 MEDIUM The IAO/NSO will ensure only authorized personnel, with proper verifiable credentials, are allowed to request changes to routing tables or service parameters. Limiting the number of people that can request changes to router tables and service parameters limits the chance of errors and thus limits the chance of creating a denial-of-service vulnerability. Information Assurance Officer ECSC-1
    SV-16721r5_rule WIR0010-01 MEDIUM Personally owned or contractor owned CMDs must not be used to transmit, receive, store, or process DoD information or connect to DoD networks. The use of unauthorized personally-owned CMDs to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The DoD CIO currently prohibits the use of personally owned or contractor owned CMDs (Bring Your Own D
    SV-18981r1_rule NET0998 MEDIUM A separate management subnet has not been implemented. To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block that will enable the management network to scale in propor
    SV-19142r1_rule NET0999 MEDIUM Not all management network elements have an IP address from the management address block. The management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed
    SV-19152r1_rule NET0810 LOW Two NTP servers have not been deployed in the management network. NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Ensuring that there are always NTP servers available to provide time is critical. It is imperative that all single points of fai
    SV-19307r1_rule NET1002 MEDIUM The management station or server is not connected to the management VLAN. If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs must be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the
    SV-20025r1_rule NET-IDPS-016 MEDIUM The IAO will ensure an IDPS sensor is monitoring DMZ segments housing all public servers. The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate both at the enclave perimeter and within the enclave boundary, an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS te
    SV-20027r1_rule NET-IDPS-018 MEDIUM The IAO will ensure an IDPS sensor is monitoring Server Farms segments containing databases, private backend servers, and personnel data. The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate both at the enclave perimeter and within the enclave boundary, an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS te
    SV-20028r1_rule NET-IDPS-019 MEDIUM The IAO will ensure an IDPS sensor is monitoring segments that house network security management servers (Network Management segments or OOB networks). The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate both at the enclave perimeter and within the enclave boundary, an IDPS implementation at the enclave perimeter only will not suffice. By placing IDPS te
    SV-20030r1_rule NET-IDPS-023 MEDIUM The IAO/NSO will ensure the Regional Enclave has developed a hierarchical structure that allows the local enclave (base, camp, post, station) sensor data to be exported to the regional enclave management network segment. The enterprise Regional Enclave will develop a hierarchical monitoring structure that allows the captured local enclave (base, camp, post, and station) traffic to be exported to the regional enclave for trend analysis and reporting. Information Assurance O
    SV-20031r1_rule NET-IDPS-024 MEDIUM The IAO/NSO will ensure the sensor traffic in transit will be protected at all times via an OOB network or an authenticated tunnel between site locations. User interface services must be physically or logically separated from data storage and management services. Data from IDS sensors must be protected by confidentiality controls and from being lost or altered. Information Assurance Officer DCNR-1, DCPA-1
    SV-20032r1_rule NET-IDPS-025 MEDIUM The SA will ensure IDPS communication traffic from the sensor to the management and database servers traverses a separate VLAN logically separating IDPS traffic from all other enclave traffic. All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in transit from the agent to the management or database servers located on the Network Management subnet. Information Assurance Officer
    SV-20039r1_rule NET-IDPS-027 LOW The Network IDPS administrator will ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically to support accurate detection. Readiness is required for INFOCON levels; additional information can be found in Strategic Command Directive (SD) 527-1. Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically as needed to support accurate detection. The IAM is required to have the enclave prepared for readiness by raising
    SV-20040r1_rule NET-IDPS-028 MEDIUM The Network IDPS administrator located at a regional enterprise enclave will establish an automated update for enterprise sensor update deployments to Base, Camp, Post and Station local networks. In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated FTP server within the management network. The FTP server should be configured to allow rea
    SV-20041r1_rule NET-IDPS-029 MEDIUM The Network IDPS administrator will ensure if a SFTP server is used to provide updates to the sensors, the server is configured to allow read-only access to the files within the directory on which the signature packs are placed. In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated SFTP server within the management network. The SFTP server should be configured to allow r
    SV-20042r1_rule NET-IDPS-030 MEDIUM The Network IDPS administrator will ensure if an automated scheduler is used to provide updates to the sensors, an account is defined that only the sensors will use. In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated secure file server within the management network. The file server should be configured to
    SV-20045r1_rule NET-IDPS-031 LOW The Network IDPS administrator will back up configuration settings before applying software or signature updates to ensure that existing settings are not inadvertently lost. There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., r
    SV-20046r1_rule NET-IDPS-032 LOW The Network IDPS administrator will compare and verify the checksums of IDPS update files provided by the vendor with checksums computed from the downloaded files. If removable media (CD) is used for updates, its content will be verified. There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capabilities or refine existing detection capabilities (e.g., r
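The checksum step in NET-IDPS-032 fits naturally into the automated update job that NET-IDPS-028 through NET-IDPS-030 describe, as a gate before anything is pushed to the sensors. The following is an added example, not STIG text and not a vendor tool: it parses a sha256sum-style manifest, hashes the downloaded files and reports each one as ok, mismatch, missing or unlisted, so the job can refuse to install unless every listed file verifies and nothing unexpected is present. The manifest format, file names and sample contents are constructed; the manifest is generated from a known-good copy purely so the example runs offline.

```python
"""Verify IDPS update files against a vendor checksum manifest (added example).

Manifest format, file names and contents are constructed for the example.
"""
import hashlib
import hmac


def sha256_of(data, chunk=1 << 20):
    """Hex SHA-256 of a bytes object, hashed in chunks as a file would be."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the name
    (sha256sum's binary-mode marker) is dropped. Malformed lines are an error,
    not a warning: a manifest you cannot parse is not one you can trust.
    """
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hexadecimal
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_files(manifest, files):
    """Map every manifest entry to 'ok' | 'mismatch' | 'missing'; files present
    on the media but absent from the manifest are reported as 'unlisted'.

    files maps name -> bytes (read from the download directory or CD in practice).
    """
    results = {}
    for name, expected in manifest.items():
        if name not in files:
            results[name] = "missing"
            continue
        actual = sha256_of(files[name])
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in files.keys() - manifest.keys():
        results[name] = "unlisted"
    return results


def safe_to_install(results):
    """Proceed only when every file verified and nothing unexpected is present."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed sample: the manifest is generated from a known-good copy here so
# the example runs offline; the downloaded pack has been altered in transit.
GOOD_PACK = b"signature-pack 2014-04: sid:1000001 alert tcp any any -> any 25 ...\n"
NOTES = b"release notes\n"
VENDOR_MANIFEST = (
    "# sha256sum output shipped by the vendor\n"
    f"{sha256_of(GOOD_PACK)}  sigpack-2014-04.tar\n"
    f"{sha256_of(NOTES)} *release-notes.txt\n"
)
DOWNLOADED = {
    "sigpack-2014-04.tar": GOOD_PACK + b"# appended by someone in the path\n",
    "extra.bin": b"\x00",
}


if __name__ == "__main__":
    results = verify_files(parse_manifest(VENDOR_MANIFEST), DOWNLOADED)
    print(results, "install:", safe_to_install(results))
```

A checksum fetched over the same channel as the update only detects corruption; an attacker who can alter the file can alter the checksum file next to it. To detect tampering, take the manifest from a separately authenticated source (a vendor signature verified against a key obtained out of band, or the vendor's checksum page over a separate session) and record which source was used in the update log.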
    SV-20059r1_rule NET-VLAN-010 MEDIUM The IAO will ensure the Server Farm is segmented by isolating business functions such as databases, applications, web, and email using VLAN provisioning. VLANs can offer significant benefits in a multi-service network by providing a convenient way of isolating different equipment and traffic types. Network traffic with differing security policies within the server farm should be logically grouped using mult
    SV-20060r1_rule NET-VLAN-013 MEDIUM The IAO will ensure a Server Farm that provides floor space to multiple clients isolates each client’s data on separate VLANs. Data Centers that rent floor space, power and IT processing for multiple customers have additional security responsibilities to their customers. Protecting a client’s data from other clients is necessary. Segmentation is used to make it harder for a cl
    SV-20067r1_rule NET-VLAN-016 MEDIUM The IAO will ensure applications with public access containing web, database and application functions that cannot be separated will be isolated on a separate VLAN in the DMZ. If an application cannot be tier separated, then the architecture will allow for logically moving the entire application and host onto a separate VLAN within the DMZ to ensure that potential compromise does not give open access to other Server Farm compon
    SV-20068r1_rule NET-VLAN-017 MEDIUM The IAO will ensure the Regional Enclave DMZ separates web traffic into an isolated VLAN. A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and
    SV-20069r1_rule NET-VLAN-018 MEDIUM The IAO will ensure the Regional Enclave DMZ separates FTP traffic into a VLAN. A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and
    SV-20071r1_rule NET-VLAN-020 MEDIUM The IAO will ensure the Regional Enclave DMZ separates instant messaging traffic into a VLAN. A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and
    SV-20072r1_rule NET-VLAN-021 MEDIUM The IAO will ensure the Regional Enclave DMZ separates streaming media (VoIP, Video) into a VLAN. A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and
    SV-20073r1_rule NET-VLAN-022 MEDIUM The IAO will ensure the Regional Enclave DMZ separates email and AD traffic into VLANs according to device type, e.g., email front-end relay server in a VLAN and Internet Security and Acceleration (ISA) server in a VLAN. A way to reduce the risk of attacks within the DMZ is creating separate broadcast domains forming security zones for each technology requiring DMZ services. Isolating the services within the DMZ reduces potential compromises to the broadcast domain and
    SV-20105r1_rule NET-NAC-007 LOW The IAO/NSO will ensure the network access control solution supports wired, wireless and remote access NARs (clients). Without a secure network access solution implemented, rogue and/or non-policy-compliant devices can gain access to the network and its resources. Information Assurance Officer ECSC-1
    SV-20106r1_rule NET-NAC-008 LOW The network access control solution will not use the DHCP mechanism to separate authenticated and non-authenticated network access requests due to known weaknesses that bypass the authentication process by rogue devices with self-configured IP addresses. Layer 3 DHCP authentication is considered an insecure mechanism because of the relative ease by which it can be bypassed. A rogue device with a self-configured IP address on the secure network can effectively bypass the authentication process. Information
    SV-20111r1_rule NET-NAC-030 MEDIUM The IAO/NSO will ensure wall jacks are secured with MAC address definitions on switch ports or Manual Authentication by the SA is used on all access ports not capable of authentication software being loaded on the client, e.g., printers. In a Manual Authentication implementation, an SA is prompted by an authentication server during the authentication process. Instead of an authentication server making an access control decision independently, the authentication server presents an SA with a d
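The weakness NET-NAC-008 describes can at least be made visible after the fact by reconciling what DHCP handed out with what is actually on the wire: a host that never took a lease, or that holds an address leased to a different MAC, never passed through a DHCP-based admission step. The following is an added example, not STIG text and not a vendor feature: it compares constructed DHCP lease records with a constructed switch ARP table and reports both cases. Record fields, address formats and sample values are assumptions.

```python
"""Reconcile DHCP leases with a switch ARP table to find self-configured
hosts (added example). Table formats and values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    port: str


def norm_mac(mac):
    """Normalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:...' to
    lowercase colon-separated form so tables from different sources compare."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def unleased_hosts(arp_table, leases):
    """Return (entry, reason) for hosts a DHCP-based gate never vetted.

    'no-lease'     the IP was never handed out: a self-configured address
    'mac-mismatch' the IP was leased to another MAC: squatting or spoofing
    """
    lease_by_ip = {lease.ip: norm_mac(lease.mac) for lease in leases}
    findings = []
    for entry in arp_table:
        leased_mac = lease_by_ip.get(entry.ip)
        if leased_mac is None:
            findings.append((entry, "no-lease"))
        elif leased_mac != norm_mac(entry.mac):
            findings.append((entry, "mac-mismatch"))
    return findings


# Constructed sample tables. Formats mimic a DHCP server's lease export and
# a switch's ARP table, but every value is made up.
SAMPLE_LEASES = [
    Lease("10.1.1.10", "00:11:22:33:44:55"),
    Lease("10.1.1.11", "00:11:22:33:44:66"),
]
SAMPLE_ARP = [
    ArpEntry("10.1.1.10", "0011.2233.4455", "Gi1/0/1"),      # matches its lease
    ArpEntry("10.1.1.11", "00-11-22-33-44-77", "Gi1/0/2"),   # different MAC than the lease holder
    ArpEntry("10.1.1.200", "aa:bb:cc:dd:ee:ff", "Gi1/0/7"),  # static address, never spoke DHCP
]


if __name__ == "__main__":
    for entry, reason in unleased_hosts(SAMPLE_ARP, SAMPLE_LEASES):
        print(f"{entry.port} {entry.ip} {norm_mac(entry.mac)}: {reason}")
```

This is detection, not prevention: by the time the rogue appears in the ARP table it has already talked to the secure network, which is exactly why the rule rejects DHCP as the separation mechanism. The preventive controls are the ones the neighbouring rules call for, port-level authentication for clients that can run it and the switch-port MAC definitions or manual authentication of NET-NAC-030 for those that cannot; the reconciliation above is a useful audit of how well those are holding.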
    SV-20117r1_rule NET-NAC-017 MEDIUM The IAO/NSO will ensure the VPN concentrator is connected to the network access control gateway’s untrusted interface. Non-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Non-trusted resources could become resources that have been authenticated but have not had a successful policy assessme
    SV-20120r1_rule NET1352 MEDIUM The Network administrator will implement additional intrusion protection that detects both specific attacks on mail and traffic types (protocols) that should not be seen on the segments containing mail servers at the regional enclave mail perimeter. Network segments containing mail servers should have an appliance or sensors installed that monitor, inspect and log all recognized mail traffic. Specific MIME types should be denied, message size violations identified and content inspection performed ver
    SV-20145r2_rule NET-WIDS-001 MEDIUM The site will conduct continuous wireless IDS scanning. Note: This requirement applies to all DoD sites that operate DoD computer networks, including sites that have no authorized WLAN systems. DoD networks are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. Information Assurance Officer ECWN-1
    SV-21976r5_rule WIR0045 HIGH Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information. With the increasing popularity of wireless networking, most laptops have wireless NICs installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the user may purposefully or accidentally enable the device. The
    SV-22064r3_rule WIR0125-02 MEDIUM The WLAN implementation of AES-CCMP must be FIPS 140-2 validated. Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is require
    SV-22066r2_rule WIR0145-02 LOW WIDS sensor scan results must be saved for at least one year. DoDD 8100.2 requires ALL DoD networks use a wireless IDS to scan for unauthorized wireless devices. If sites do not maintain scan logs, it cannot be determined if IDS findings are isolated and harmless events or a more sustained, methodical attack on the
    SV-22070r2_rule WIR0115-02 MEDIUM The WLAN implementation of EAP-TLS must be FIPS 140-2 validated. Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is require
    SV-28600r1_rule NET-SRVFRM-006 MEDIUM The IAO will ensure that the server farm is protected by a reverse proxy that only allows connections from authorized hosts requesting authorized services. A reverse proxy acts on behalf of a server. The reverse proxy accepts the connection from the client and forwards it to the server. It also receives the response from the server and forwards it to the client. A reverse proxy helps in protecting applicatio
    SV-28616r2_rule NET1050 MEDIUM The organization must encrypt all network device configurations while stored offline. If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to the switch or router will be without service for a longer
    SV-31432r3_rule WIR0123 MEDIUM WLAN access points and supporting authentication servers used for Internet-only connections must reside in a dedicated subnet off of the perimeter firewall. If the access point or its supporting authentication server is placed in front of the perimeter firewall, then it has no firewall protection against an attack. If the access point or its supporting authentication server is placed behind the perimeter fir
    SV-31437r2_rule WIR0124 MEDIUM The perimeter firewall must be configured as required for the dedicated Internet-only WLAN infrastructure subnet. If the perimeter firewall is not configured as required, users connecting to an access point may be able to compromise internal DoD information systems. System Administrator, Information Assurance Officer ECWN-1
    SV-39891r2_rule WIR0114 MEDIUM The WLAN must be WPA2-Enterprise certified. The Wi-Fi Alliance WPA2-Enterprise certification means the WLAN equipment can support DoD requirements, most notably EAP-TLS and AES-CCMP. If the equipment has not been WPA2-Enterprise certified, then the equipment may not have the required security funct
    SV-41919r2_rule NET0180 MEDIUM All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC). If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resources. Allowing subscribers onto the network whose IP addres
    SV-41924r5_rule NET0185 MEDIUM IP Addresses used within an organization's SIPRNet enclave must be authorized .smil.mil or .sgov.gov addresses assigned by the DoD Network Information Center (NIC). As per CNSSI No. 1016, the DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of Network Address Translation (NAT) and privat
    SV-44284r1_rule NET0928 MEDIUM A policy must be implemented to keep Bogon/Martian rulesets up to date. A bogon route or martian address is an address from a prefix that should never appear on a packet routed inbound through the perimeter device. Bogon routes and martian addresses are commonly found as the source addresses of DDoS attacks. By not having a policy implemented to ke
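Two things have to hold for this rule: the perimeter filter must actually drop martian sources, and the list it uses must match the current one. The following is an added example, not STIG text and not a vendor feature: it carries a constructed list of the RFC 6890 special-purpose IPv4 ranges and a few IPv6 equivalents, tests candidate inbound source addresses against it, and diffs a deployed deny list against the current list to show what has drifted. Unallocated ("bogon") space, the part that changes as registries allocate it, is represented only by a single stale 1.0.0.0/8 entry, which was unallocated before 2010; a real deployment takes that part from a maintained feed. The deployed list and sample sources are constructed.

```python
"""Martian source filtering and bogon-list drift check (added example).

The 'current' list is RFC 6890 special-purpose space plus IPv6 equivalents;
the deployed list and sample sources are constructed for the example.
"""
import ipaddress

CURRENT_MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_martian(src, martians=CURRENT_MARTIANS):
    """True if a source address falls in any listed prefix of its own family."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in martians if net.version == addr.version)


def filter_ingress(sources, martians=CURRENT_MARTIANS):
    """Split candidate inbound source addresses into (dropped, passed)."""
    dropped = [s for s in sources if is_martian(s, martians)]
    passed = [s for s in sources if not is_martian(s, martians)]
    return dropped, passed


def ruleset_drift(deployed, current=CURRENT_MARTIANS):
    """Prefixes the perimeter device should add (missing) and remove (stale).

    A stale entry is not harmless: it blackholes space that has since been
    allocated to real networks, which is the other half of 'up to date'.
    """
    dep = {ipaddress.ip_network(n) for n in deployed}
    cur = set(current)
    return {
        "missing": sorted(str(n) for n in cur - dep),
        "stale": sorted(str(n) for n in dep - cur),
    }


# Constructed deny list as found on the perimeter device: written before
# 100.64.0.0/10 (RFC 6598, 2012) existed and still denying 1.0.0.0/8,
# which was unallocated until 2010.
DEPLOYED_DENY_LIST = [
    "0.0.0.0/8", "1.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
]

# Constructed inbound sources: private, public, shared-address (CGN),
# documentation, link-local and a routable IPv6 address.
SAMPLE_SOURCES = ["10.0.0.5", "8.8.8.8", "100.127.1.1", "198.51.100.7", "fe80::1", "2001:4860::1"]


if __name__ == "__main__":
    dropped, passed = filter_ingress(SAMPLE_SOURCES)
    print("dropped:", dropped)
    print("passed:", passed)
    print("drift:", ruleset_drift(DEPLOYED_DENY_LIST))
```

Run the drift check from the same job that refreshes the feed, and treat a non-empty `stale` list as seriously as a non-empty `missing` one: the first silently denies legitimate traffic from newly allocated space, the second lets spoofed sources through.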