Network Infrastructure Policy Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclave's private network.

    Allowing encapsulated traffic to bypass the enclave's network perimeter without being filtered and inspected leaves the enclave vulnerable to malicious traffic that could result in compromise and d...
    Rule High Severity
  • NET-TUNL-028

    Group
  • NET-TUNL-030

    Group
  • DSAWG approval must be obtained before tunneling classified traffic outside the component's local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure.

    CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E ma...
    Rule High Severity
  • NET-TUNL-031

    Group
  • NET-VLAN-001

    Group
  • The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked.

    Since the IDF includes all hardware required to connect horizontal wiring to the backbone, it is imperative that all switches and associated cross-connect hardware are kept in a secured IDF or an e...
    Rule Medium Severity
  • NET0090

    Group
  • Network topology diagrams for the enclave must be maintained and up to date at all times.

    To assist in the management, auditing, and security of the network infrastructure, facility drawings and topology maps are a necessity. Topology maps are important because they show the overall lay...
    Rule Medium Severity
  • NET0130

    Group
  • NET0131

    Group
  • Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.

    Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be established between the two sites prior to connecting with eac...
    Rule Medium Severity
  • NET0135

    Group
  • NET0168

    Group
  • If the site has a non-DoD external connection (i.e., an Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the site's Approved Gateway and the perimeter router.

    The incorrect placement of the external IDPS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In orde...
    Rule Medium Severity
  • NET0170

    Group
  • NET0180

    Group
  • NET0185

    Group
  • NET0198

    Group
  • Dynamic Host Configuration Protocol (DHCP) audit and event logs must record sufficient forensic data to be stored online for thirty days and offline for one year.

    In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server, in addition to standard data such as IP addre...
    Rule Medium Severity
  • NET0199

    Group
  • Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.

    In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days.
    Rule Low Severity
  • NET0210

    Group
  • NET0346

    Group
  • All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ).

    Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many un...
    Rule Medium Severity
  • NET0348

    Group
  • All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.

    Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessible services to be accessed on the internal LAN. This can cause many un...
    Rule Medium Severity
  • NET0351

    Group
  • When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ).

    The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the a...
    Rule Medium Severity
  • NET0365

    Group
  • The organization must implement a deep packet inspection solution when protecting perimeter boundaries.

    Deep packet inspection (DPI) examines the packet beyond the Layer 4 header by examining the payload to identify the application or service. DPI searches for illegal statements, predefined criteria,...
    Rule High Severity
  • NET0369

    Group
  • A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.

    To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or ac...
    Rule High Severity
  • NET0445

    Group
  • Two-factor authentication must be implemented to restrict access to all network elements.

    Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access t...
    Rule Medium Severity
  • NET0810

    Group
  • NET0928

    Group
  • A policy must be implemented to keep Bogon/Martian rulesets up to date.

    A Bogon route or Martian address is a type of packet that should never be routed inbound through the perimeter device. Bogon routes and Martian addresses are commonly found as the source addresses...
    Rule Medium Severity
  • NET0998

    Group
  • A dedicated management network must be implemented.

    To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate management subnet must be implemented. Define a large enough address block ...
    Rule Medium Severity
  • NET1025

    Group
  • NET1026

    Group
  • Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year.

    Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service ...
    Rule Low Severity
  • NET1040

    Group
  • NET1050

    Group
  • NET1622

    Group
  • An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management.

    From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band net...
    Rule Medium Severity
  • NET1815

    Group
  • All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).

    The ISSM will ensure Releasable Local Area Network (REL LAN) environments are documented in the SSAA.
    Rule Medium Severity
  • NET1816

    Group