Test and Development Zone B Security Technical Implementation Guide

Test systems, to include hardware and software, and/or development systems are not typically secured in accordance with appropriate practices, therefore if they are connected to a production network it is possible to infect or degrade production devices.Information Assurance OfficerECSC-1

It is imperative that communications used for administrative access to test and development components is limited to emergency situations or where out-of-band management would hinder daily operational requirements. In-band management introduces the risk of an attacker gaining access to the network internally or even externally.Information Assurance OfficerECSC-1

In order to ensure a system or application will work efficiently and securely once deployed into a DoD production environment, development must occur on secure platforms. Otherwise, potentially misguided developers may inject code or incorrectly configure an application that could lead to denial of service once deployed into a production environment. In addition, a system or application must be able to run in a STIG compliant environment once fielded. Information Assurance OfficerECSC-1

As systems in a lab or test environment are rarely secure, the network devices supporting the test and development zones must be properly secured IAW STIGs to avoid any test traffic from entering DoD network space or from possibility of compromise. If a tester is working to identify malicious code on a system within a test lab, and that system inadvertently communicates with the DoD production networks or systems, it puts the DoD systems at risk. Information Assurance OfficerECSC-1

Configuration management to include hardware and software inventory control is a key security requirement. There are many reasons to document and baseline the systems/applications within the infrastructure to include: bugs which were fixed find their way back into the system, changes were made that were never documented nor audited so it was overwritten, code fixes being made to an incorrect version of software, etc. Information Assurance OfficerDCPR-1

As lab systems are seldom, if ever, in a STIG compliant, secure state, there must be additional security controls in place to protect DoD networks, DoD user communities, and production infrastructures.Information Assurance OfficerDCCT-1

During the installation of an operating system, the system is most vulnerable to attack because no security controls have been put in place to protect the system. It is very important to block all access to a system while the operating system is being installed and configured until such time that security controls can be implemented. Information Assurance OfficerECSC-1

The systems that reside in Zone B require external access utilizing a DoD network as the transport mechanism. Logical access control mechanisms will be utilized at the network boundary such as strictly controlled ACLs with no ingress traffic origination and established sessions only. Test or development traffic will be isolated/separated from production traffic. Downloading software from the Internet is acceptable in Zone B, however, a DMZ with gateway must be established for such purposes.Information Assurance OfficerEBCR-1

The systems that reside in Zone B require external access utilizing a DoD network as the transport mechanism. Logical access control mechanisms will be utilized at the network boundary such as strictly controlled ACLs with no ingress traffic origination and established sessions only. Test or development traffic will be isolated/separated from production traffic. The permissible activities for Zone B environments include, but are not limited to, user functional acceptance of a product, final stage testing, and Development. Downloading software from the Internet is acceptable in Zone B, however, a DMZ with gateway must be established for such purposes.Information Assurance OfficerEBPW-1

The systems that reside in Zone B require external access utilizing a DoD network as the transport mechanism. Logical access control mechanisms will be utilized at the network boundary such as strictly controlled ACLs with no ingress traffic origination and established sessions only. The guidance for Zone B systems is restricted to unclassified DoD networks; it does not apply to other DoD networks such as the Defense Research and Engineering Network (DREN). Test or development traffic will be isolated/separated from production traffic. The permissible activities for Zone B environments include, but are not limited to, user functional acceptance of a product, final stage testing, and Development. Downloading software from the Internet is acceptable in Zone B, however, a DMZ with gateway must be established for such purposes.Information Assurance OfficerECSC-1

The systems that reside in Zone B require external access utilizing a DoD network as the transport mechanism. Logical access control mechanisms will be utilized at the network boundary such as strictly controlled ACLs with no ingress traffic origination and established sessions only. The guidance for Zone B systems is restricted to unclassified DoD networks. Test or development traffic will be isolated/separated from production traffic. Downloading software from the Internet is acceptable in Zone B, however, a DMZ with gateway must be established for such purposes.Information Assurance OfficerECSC-1

The Secure Remote Computing and the Network Infrastructure STIGs clearly define remote (not physically or logically collocated) access requirements for system administrator or user access to a DoD network. The requirements set forth in the aforementioned STIGs apply to T&D environments as well. As there may be situations in which an SA must access a T&D environment, if they are not located within the testing facility/lab or are teleworking, security requirements must be in place to ensure protection of DoD data and networks. Many network administrators prefer technologies such as Thin Client, Terminal Services, and Virtual Machine architectures, such as Citrix and VMWare, to provide the necessary access to their remote user base. This solution is acceptable in T&D environments as well; however, as DoD LAN clients may use this technology, additional security requirements must be met. The following table defines the overall access requirements for T&D and the following section details virtual machine architectures. The network connectivity employed will determine the baseline security prerequisites listed in the previous section. Network devices, such as routers and firewalls; that support this environment must be STIG compliant. Information Assurance OfficerECSC-1

Zone B systems may not be fully STIG compliant, there may be sub-zones within a Zone B that may not have STIG’d systems. Therefore, if utilizing a remote access solution, appropriate steps must be taken to isolate the systems that are not in compliance and non-production systems employed to access them. If utilizing a DoD LAN client or workstation, the user must be proxied by a STIG compliant device that acts as a gateway to the Zone B system. There is no egress from the Zone B system to the LAN client unless utilizing a proxy or Virtual Machine architecture. Zone D systems may have remote access capabilities; however, a DoD production LAN client/workstation will not be used to connect to a Zone D system. Information Assurance OfficerECSC-1

Virtual Machine clients provide a means for remote access into a separate enclave infrastructure using the same hardware the production client/OS resides on. As T&D environments are not always secure, this poses additional risk to the DoD desktop client or device if that device is utilizing such an architecture for remote access. Virtual machine technology permits multiple operating systems to reside on a single hardware platform, yet act as logically separate instances. In this environment, the guest operating system acts completely independent of the host operating system, however, in reality it is simulated in a contained software environment by the host system. The guest on a host system has the ability to be wholly contained and communicate independently of the host OS. Network traffic can be restricted on the guest OS and can be logically separated from any other guest or host OS on the platform. Information Assurance OfficerECSC-1

Up-to-date documentation is essential in assisting with the management, auditing, and security of the network infrastructure used to support the test and development environment. Network diagrams are important because they show the overall layout where devices are physically located within the network infrastructure. Diagrams also show the relationship and connectivity between devices where possible intrusive attacks could take place. Having up-to-date network diagrams will also help show what the security, traffic, and physical impact of adding a system will be on the network.Information Assurance OfficerInformation Assurance ManagerDCHW-1

Prior to connecting to a live operational network, such as the DISN, systems, at minimum, receive an IATO. A system without an IATO does not show adequate effort to meet IA controls and security requirements and may pose a risk to other computers or systems connecting to the operational network.Information Assurance OfficerInformation Assurance ManagerEBCR-1

An asset management system is used to send out notifications on vulnerabilities in commercial and military information infrastructures as they are discovered. If the organization's assets are not registered with an asset management system, administrators will not be notified of important vulnerabilities such as viruses, denial of service attacks, system weaknesses, back doors, and other potentially harmful situations. Additionally, there will be no way to enter, track, or resolve findings during a review.VIVM-1

It is important to restrict administrative access to the supporting network infrastructure and systems in the test and development environment, as it reduces the risk of data theft or interception from an attacker on the operational network.ECSC-1

An impersistent connection is any temporary connection needed to another test and development environment or DoD operational network where testing is not feasible. As any unvetted connection or device will create additional risk and compromise the entire environment, it is up to the Authorizing Official for the organization to accept the risk of an impersistent connection.EBCR-1, ECSD-1

To reduce the risk of compromise of DoD operational networks and data, application and system development needs to be limited to systems within a network segment designated for development only.ECSC-1

A HIDS or HIPS application is a secondary line of defense behind the antivirus. The application will monitor all ports and the dynamic state of a development system. If the application detects irregularities on the system, it will block incoming traffic that may potentially compromise the development system that can lead to a DoS or data theft.ECID-1, ECSC-1

A firewall provides a line of defense against malicious attacks. To be effective, it must be enabled and properly configured.ECSC-1

Major software vendors release security patches and hotfixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to prevent unauthorized individuals from exploiting identified vulnerabilities.ECSC-1, VIVM-1

Change management is the formal review process that ensures that all changes made to a system or application receives formal review and approval. Change management reduces impacts from proposed changes that could possibly have interruptions to the services provided. Recording all changes for applications will be accomplished by a configuration management policy. The configuration management policy will capture the actual changes to software code and anything else affected by the change.DCII-1, DCPR-1

Without the approval of the Change Control Authority, data moved from the test and development network into an operational network could pose a risk of containing malicious code or cause other unintended consequences to live operational data. Data moving into operational networks from final stage preparation must always be vetted and approved.ECSC-1, ECSD-1, ECSD-2

Prior to release of the application receiving an IATO for deployment into a DoD operational network, the application will have a thorough code review. Along with the proper testing, the code review will specify flaws causing security, compatibility, or reliability concerns that may compromise the operational network.DCSQ-1, ECSC-1, ECSD-1, ECSD-2

Restricting access to source code and the application to authorized users will limit the risk of source code theft or other potential compromise.ECAN-1, ECCD-1, ECLP-1

Permitted activities in test and development environments include, but are not limited to, extensive testing using tools not otherwise permitted, working with potential malicious code, and working with ports, protocols, and services that are otherwise restricted via DoD policy. Infrastructure devices are not required to adhere to PPS regulations, as the network traffic does not access or traverse any operational DoD network. Unacceptable activities include network access to DoD operational systems or networks.ECSC-1

Acting as the first hop into a test and development environment, the gateway can implement proper routing and provide a first layer of defense against attacks and other unintentional compromise or spillage of sensitive information into the operational network.DCSP-1, ECSC-1

In accordance with the DoD 8551.1 policy, the test and development environment may require external access to live operational data to perform final stage testing. All network connections for the test and development environment must make use of the PPS CAL at the appropriate boundaries.DCPP-1

Most systems that reside in the test and development environment require external access using a DoD network as the transport mechanism. Logical access control mechanisms, such as strictly controlled ACLs for both ingress and egress traffic, must be utilized at the environment boundary. The permissible activities for test and development environments include, but are not limited to, user functional acceptance of a product, final stage testing, and development. Downloading software from the Internet is acceptable for the environment; however, establish a DMZ for such purposes.DCSP-1, EBBD-1, EBBD-2, EBBD-3, ECSC-1

Logical network segmentation is a way to restrict access between test and development systems to reduce the chance of code becoming victim to compromise. Since test and development segments may not have the same level of IA assurance, logical separation is required. DCSP-1, ECSC-1

To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture between test and development environments. All ingress and egress traffic not explicitly permitted between test and development environments must be denied. Such rule sets prevent many malicious exploits or accidental leakage by regulating the ports, protocols, or services necessary to each environment.ECSC-1

Remote access to the environment using unapproved encryption mechanism is inherently dangerous because anyone with a packet sniffer and access to the network can acquire the device's account and password information. With this intercepted information, a malicious user could gain access to the device, cause denial of service attacks, intercept sensitive information, or perform other destructive actions.EBRU-1, ECCT-1, ECCT-2

The VPN software on a host can be configured in either of two modes. It can be set to encrypt all IP traffic originating from that host, and send all of that traffic to the remote IP address of the network gateway. This configuration is called “tunnel-all” mode, because all IP traffic from the host must traverse the VPN tunnel to the remote system, where it will either be processed or further forwarded to additional IP addresses after decryption. Alternately, the VPN software can be set only to encrypt traffic that is specifically addressed to an IP at the other end of the VPN tunnel. All other IP traffic bypasses the VPN encryption and routing process, and is handled by the host as if the VPN relationship did not exist. This configuration is called “split-tunnel” mode, because the IP traffic from the host is split between encrypted packets sent across the VPN tunnel and unencrypted packets sent to all other external addresses. There are security and operational implications in the decision of whether to use split-tunnel or tunnel-all mode. Placing a host in tunnel-all mode makes it appear to the rest of the world as a node on the connected logical (VPN-connected) network. It no longer has an identity to the outside world based on the local physical network. In tunnel-all mode, all traffic between the remote host and any other host can be subject to inspection and processing by the security policy devices of the remote VPN-linked network. This improves the security aspects of the connected network, since it can enforce all security policies on the VPN-connected computer.ECSC-1

Attacks on virtual machines from other VMs through denial of service and other attacks potentially stealing sensitive data such as source code used in application development. It is imperative to keep DoD operational virtual machines on physically separate platforms from test and development virtual machines.ECSC-1

It is mandatory that data from an untrusted network or website that is to be used in a testing and development environment be downloaded through a secure perimeter. Bringing data directly from an untrusted network or downloaded from a personal computer or home Internet connection must be prohibited. Scanning data is crucial to ensure the integrity of the information prior to deployment for T&D processes. While not an all-inclusive list, data in this situation includes OS patches, application updates, operating systems, development tools, and test data. In the T&D environment, there will typically be one or more IA-compliant systems accessing a secure Internet connection. If a secure Internet connection is not available, such as in Zone D, a connection in another zone can be used and the data moved by approved physical media into the zone. Scanning the data with an anti-virus program will reduce the risk of exploits and of having vulnerable systems in the T&D environment taken over. Downloading data from a single workstation for all zone environments is acceptable. Organizations with NIPRNet connections must download all data through their NIPR connection for scanning at the IAPs. Contractors or other DoD organizations without any direct NIPRNet connectivity will need to use a secure Internet connection following all applicable DoD IA policy and STIG requirements.

Without policies and procedures in place, the organization will not have the authority to hold personnel accountable for improperly handling or transporting data into the test and development environment. The documents need to include guidance for both physical and electronic data migration.