Network Infrastructure Policy Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
NET0180 (Group)
Rule, Medium Severity: All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
Discussion: If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized p...

NET0185 (Group)
Rule, Medium Severity: Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
Discussion: The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitorin...

NET0198 (Group)
Rule, Medium Severity: Dynamic Host Configuration Protocol (DHCP) audit and event logs must record sufficient forensic data to be stored online for thirty days and offline for one year.
Discussion: In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hos...

NET0199 (Group)
Rule, Low Severity: Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.
Discussion: In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the m...

NET0210 (Group)
Rule, Medium Severity: All network infrastructure devices must be located in a secure room with limited access.
Discussion: If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment fai...

NET0346 (Group)
Rule, Medium Severity: All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ).
Discussion: Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessi...

NET0348 (Group)
Rule, Medium Severity: All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension.
Discussion: Without the protection of a DMZ, production networks will be prone to outside attacks as they are allowing externally accessi...

NET0351 (Group)
Rule, Medium Severity: When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ).
Discussion: The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the f...

NET0365 (Group)
Rule, High Severity: The organization must implement a deep packet inspection solution when protecting perimeter boundaries.
Discussion: Deep packet inspection (DPI) examines the packet beyond the Layer 4 header by examining the payload to identify the applicati...

NET0369 (Group)
Rule, High Severity: A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.
Discussion: To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the...

NET0445 (Group)
Rule, Medium Severity: Two-factor authentication must be implemented to restrict access to all network elements.
Discussion: Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the...

NET0810 (Group)
Rule, Low Severity: Two Network Time Protocol (NTP) servers must be deployed in the management network.
Discussion: NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source...

NET0928 (Group)
Rule, Medium Severity: A policy must be implemented to keep Bogon/Martian rulesets up to date.
Discussion: A Bogon route or Martian address is a type of packet that should never be routed inbound through the perimeter device. Bogon...

NET0998 (Group)
Rule, Medium Severity: A dedicated management network must be implemented.
Discussion: To deploy a management network for the purpose of controlling, monitoring, and restricting management traffic, a separate man...

NET1025 (Group)
Rule, Low Severity: A minimum of two syslog servers must be deployed in the management network.
Discussion: Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubl...

NET1026 (Group)
Rule, Low Severity: Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year.
Discussion: Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify...

NET1040 (Group)
Rule, Low Severity: Current and previous network element configurations must be stored in a secured location.
Discussion: If the network element's non-volatile memory is lost without a recent configuration stored in an offline location, it may tak...

NET1050 (Group)
Rule, Medium Severity: The organization must encrypt all network device configurations while stored offline.
Discussion: If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take t...

NET1622 (Group)
Rule, Medium Severity: An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management.
Discussion: From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any ...

NET1815 (Group)
Rule, Medium Severity: All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).
Discussion: The ISSM will ensure Releasable Local Area Network (REL LAN) environments are documented in the SSAA.

NET1816 (Group)
Rule, Medium Severity: Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.
Discussion: The ISSM will ensure Releasable Local Area Network (REL LAN) reviews are performed annually.

NET1826 (Group)
Rule, High Severity: Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.
Discussion: Having a circuit provisioned that connects the SIPRNet enclave to a non-DoD, foreign, or contractor network puts the enclave ...
NET1827 (Group)
Rule, Medium Severity: Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclave's accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
Discussion: Any exception to use SIPRNet must be documented in an update to the enclave's accreditation package and an Authority to Conne...
NET1832 (Group)
Rule, Medium Severity: VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.
Discussion: When transporting classified data over an unclassified IP network, it is imperative that the network elements deployed to pro...

NET2000 (Group)
Rule, Medium Severity: Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
Discussion: Spoofed TCP segments could be introduced into the connection streams for LDP sessions used to build LSPs. By configuring stri...