
EBBD-1 Boundary Defense


Overview

Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and Internet access is permitted from a demilitarized zone (DMZ) that meets the DoD requirement that such contacts are isolated from other DoD systems by physical or technical means. All Internet access points are under the management and control of the enclave.

MAC / CONF: PUBLIC
Impact: Low
Subject Area: Enclave Boundary Defense

Details

Threat
DoD systems processing public information, while not bound by stringent classification or sensitivity concerns, nonetheless require layered defensive mechanisms to prevent malicious actions against system resources.  This protection is achieved by implementing boundary defense mechanisms such as firewalls and IDSes, as well as securely configuring enclave routers, to ensure that access to system resources is confined to authorized users.  While access to public (Internet) resources is permitted, such access must be set up through a demilitarized zone (DMZ), the purpose of which is to isolate network segments with access to public resources.

Guidance
This guidance is designed for IAMs, PMs, SMEs, System Administrators, and all personnel involved in the design and implementation of boundary defense:
 
1. As part of the system design process, identify the specific boundary defense mechanisms to be incorporated into the system security architecture. When making the decision to select specific hardware and software applications for these devices (e.g., firewalls, IDS), refer to the list of devices that have been evaluated by the NIAP program under Common Criteria and meet the fundamental requirements outlined in NSTISSP 1.  This list is available online at:  http://niap.nist.gov/cc-scheme/vpl/vpl_type.html.
2. Review the NIAP evaluation summary for each product, focusing on the Evaluation Assurance Level (EAL) for each product. For information systems processing public information, a minimum evaluation level of EAL-3 is required.
3. Once boundary defense mechanisms for the system have been identified, ensure that each mechanism is incorporated into a system security architecture documentation that details physical and logical placement of the mechanism within the system, data flows, ports, protocols, and services used; and interconnections between related systems or network segments.
4. Ensure that all boundary defense devices for public systems (i.e., firewalls, IDS, and boundary routers) are configured in accordance with approved DoD secure configuration standards, preferably the most current DISA STIGs for each specific mechanism.  If STIGs are unavailable for specific mechanisms, refer to other approved DoD guidance such as NSA configuration guidelines, DoD guidelines created by and adopted from other organizations, or the vendor’s own configuration guidance.
5. Ensure that access lists and rule bases for boundary routers and firewalls for the classified system are configured such that access to or from any network segment or node to the public Internet is done only from a DMZ.
6. Ensure that boundary defense mechanisms adhere to the DoD ports, protocols, and services implementation process.
7. Ensure that wireless networks terminate in DMZs and are segregated from back office LAN traffic unless they pass through a secure gateway or VLAN.
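Steps 5 and 7 can be checked against a firewall's zone-based rule base before it is deployed: every permitted path between the Internet and a zone other than the DMZ (including a wireless zone) is a finding. The following is an added example, not part of the STIG or of any vendor tool; the zone names, first-match semantics and sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Zone names are assumed labels for this example; real rule bases carry their own.
DMZ_ZONE = "dmz"
INTERNET_ZONE = "internet"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    action: str     # "permit" or "deny"


def first_match(rules, src, dst):
    """First-match semantics: the earliest rule whose zones cover src -> dst wins."""
    for rule in rules:
        if rule.src_zone in (src, "any") and rule.dst_zone in (dst, "any"):
            return rule
    return None  # no explicit match; treated as an implicit deny below


def audit_internet_paths(rules, zones):
    """Return (path, rule_name) findings for every permitted non-DMZ <-> Internet path."""
    findings = []
    for zone in zones:
        if zone in (DMZ_ZONE, INTERNET_ZONE):
            continue
        # Check both directions: zone -> Internet and Internet -> zone.
        for src, dst in ((zone, INTERNET_ZONE), (INTERNET_ZONE, zone)):
            hit = first_match(rules, src, dst)
            if hit is not None and hit.action == "permit":
                findings.append((f"{src} -> {dst}", hit.name))
    return findings


# Constructed sample rule base: two rules violate the DMZ-only requirement.
SAMPLE_RULES = [
    Rule("allow-dmz-web-out", "dmz", "internet", "permit"),
    Rule("allow-inet-to-dmz-web", "internet", "dmz", "permit"),
    Rule("allow-lan-to-dmz", "internal", "dmz", "permit"),
    Rule("legacy-lan-direct-out", "internal", "internet", "permit"),  # bypasses the DMZ
    Rule("wifi-to-any", "wireless", "any", "permit"),                  # wireless not isolated
    Rule("deny-all", "any", "any", "deny"),
]
SAMPLE_ZONES = ["internal", "wireless", "dmz", "internet"]

if __name__ == "__main__":
    for path, rule_name in audit_internet_paths(SAMPLE_RULES, SAMPLE_ZONES):
        print(f"FINDING: {path} permitted by rule '{rule_name}'")
```

Devices whose default policy is permit rather than deny would need the `None` case flagged as well, since an unmatched Internet path is then open.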

References

  • DISA Network Infrastructure STIG, Version 6, 29 October 2004
  • DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004
  • DISA Enterprise Security Management STIG, Version 1, Section 3, paragraph 3.5, 29 October 2004
  • Cisco IOS Router Checklist Procedure Guide (Supp. to Network Infrastructure Checklist Version 5, Release 2.1, 01 June 2004)
  • Juniper JUNOS Router Checklist Procedure Guide (Supp. to Network Infrastructure Checklist Version 5, Release 2.1, 17 June 2004)
  • DISA Secure Remote Computing STIG, Version 1, Release 1, Sections 5 and 6, 04 February 2003
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • DoDI 8551.1 “Ports, Protocols, and Services Management”, Enclosure 3, 13 August 2004