Network Infrastructure Policy Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
NET0160
Group -
Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via commercial service provider outside DoD CIO approved Internet access points (e.g. DISA IAP, Cloud Access Point, NIPRnet Federated Gateway, DREN IAP, etc.).
Analysis of DoD reported incidents reveal current protective measures at the NIPRNet boundary points are insufficient. Documented ISPs and validated architectures for DMZs are necessary to protect ...Rule High Severity -
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers.
Attacks can originate within the enclave boundary. Hence, deploying an IDPS on the network segment hosting web, application, and database servers is imperative. The servers are critical resource an...Rule Medium Severity -
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers.
The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the e...Rule Medium Severity -
An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.
Per CJCSI 6510.01F, Enclosure A-5, Paragraph 8, "DOD ISs (e.g., enclaves, applications, outsourced IT-based process, and platform IT interconnections) shall be monitored to detect and react to inc...Rule Medium Severity -
Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements such as Information Operations Conditions (INFOCON) levels and when the traffic patterns are expected to change significantly.
Administrators should ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically as needed to support accurate detection. The ISSM is requ...Rule Low Severity -
If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory on which the signature packs are placed.
In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated SFTP server within the managemen...Rule Medium Severity -
Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.
CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E ma...Rule High Severity -
Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15.
When transporting classified data over an unclassified IP network, it is imperative that traffic from the classified enclave or community of interest is encrypted prior reaching the point of presen...Rule High Severity -
All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.
Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation along with diagrams of the network topology is required to be submitted...Rule Medium Severity -
External connections to the network must be reviewed and the documentation updated semi-annually.
A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated a...Rule Medium Severity -
External network connections must not bypass the enclaves perimeter security.
Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networ...Rule Medium Severity -
All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resour...Rule Medium Severity -
Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of NAT and pr...Rule Medium Severity -
All network infrastructure devices must be located in a secure room with limited access.
If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security comprom...Rule Medium Severity -
Two Network Time Protocol (NTP) servers must be deployed in the management network.
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time i...Rule Low Severity -
A minimum of two syslog servers must be deployed in the management network.
Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.Rule Low Severity -
Current and previous network element configurations must be stored in a secured location.
If the network element's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly...Rule Low Severity -
The organization must encrypt all network device configurations while stored offline.
If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to...Rule Medium Severity -
Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
Any exception to use SIPRNet must be documented in an update to the enclave's accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior...Rule Medium Severity -
Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
Spoofed TCP segments could be introduced into the connection streams for LDP sessions used to build LSPs. By configuring strict authentication between LSR peers, LDP TCP sessions can be restricted ...Rule Medium Severity -
Rapid Spanning Tree Protocol (STP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches.
Spanning Tree Protocol (STP) is implemented on bridges and switches to prevent Layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to ...Rule Low Severity -
A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic.
Different applications have unique requirements and toleration levels for delay, jitter, packet loss, and availability. To manage the multitude of applications and services, a network requires a Qu...Rule Low Severity -
The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge.
With static RP, the RP address for any multicast group must be consistent across all routers in a multicast domain. A static configuration is simple and convenient. However, if the statically defin...Rule Low Severity -
The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited.
The current multicast paradigm can let any host join any multicast group at any time by sending an Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership report ...Rule Medium Severity -
The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed.
Any Source Multicast (ASM) can have many sources for the same groups (many-to-many). For many receivers, the path via the Rendezvous Point (RP) may not be ideal compared with the shortest path from...Rule Medium Severity -
NET0140
Group -
The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carriers (LEC) data service jack (i.e., demarc) as well as any service provider premise equipment must be located in a secure environment.
DOD leased lines carry an aggregate of sensitive and non-sensitive data; therefore unauthorized access must be restricted. Inadequate cable protection can lead to damage and denial of service attac...Rule Low Severity -
NET-IDPS-016
Group -
An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers.
The initial step in IDPS deployment is determining where sensors should be placed. Because attacks originate at the enclave perimeter and within the enclave boundary an IDPS implementation at the e...Rule Medium Severity -
NET-IDPS-018
Group -
NET-IDPS-019
Group -
NET-IDPS-021
Group -
NET-IDPS-024
Group -
Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations.
User interface services must be physically or logically separated from data storage and management services. Data from IDS sensors must be protected by confidentiality controls; from being lost and...Rule Medium Severity -
NET-IDPS-025
Group -
Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic.
All IDPS data collected by agents in the enclave at required locations must also be protected by logical separation when in transit from the agent to the management or database servers located on t...Rule Medium Severity -
NET-IDPS-027
Group -
NET-IDPS-029
Group -
NET-IDPS-030
Group -
If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that will provide access to the signatures only to the sensors.
In a large scale IDPS deployment, it is common to have an automated update process implemented. This is accomplished by having the updates downloaded on a dedicated secure file server within the ma...Rule Medium Severity -
NET-IDPS-031
Group -
The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration.
There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capab...Rule Low Severity -
NET-IDPS-032
Group -
The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified with checksums computed from CD or downloaded files.
There are two types of IDPS updates: software updates and signature updates. Software updates fix bugs in the IDPS software or add new functionality, while signature updates add new detection capab...Rule Low Severity -
NET-IDPS-033
Group -
The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data.
IDPS data needs to be backed up to ensure preservation in the case a loss of data due to hardware failure or malicious activity.Rule Medium Severity -
NET-IDPS-035
Group -
The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor.
Keeping the IDPS software updated with the latest engine and attack signatures will allow for the IDPS to detect all forms of known attacks. Not maintaining the IDPS properly could allow for attac...Rule Low Severity -
NET-TUNL-026
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.