This guidance is designed for IAMs, PMs, SMEs, System Administrators, and all personnel involved in the design and implementation of boundary defense:
1. As part of the system design process, identify the specific boundary defense mechanisms to be incorporated into the system security architecture. When selecting the hardware and software for these devices (e.g., firewalls, IDS), refer to the list of products that have been evaluated by the NIAP program under the Common Criteria and meet the fundamental requirements outlined in NSTISSP 1. This list is available online at: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html.
2. Review the NIAP evaluation summary for each product, focusing on its Evaluation Assurance Level (EAL). For information systems processing public information, a minimum evaluation level of EAL-3 is required.
3. Once the boundary defense mechanisms for the system have been identified, ensure that each mechanism is documented in the system security architecture, detailing its physical and logical placement within the system; the data flows, ports, protocols, and services it uses; and the interconnections between related systems or network segments.
4. Ensure that all boundary defense devices for public systems (i.e., firewalls, IDS, and boundary routers) are configured in accordance with approved DoD secure configuration standards, preferably the most current DISA STIGs for each specific mechanism. If STIGs are unavailable for specific mechanisms, refer to other approved DoD guidance such as NSA configuration guidelines, DoD guidelines created by and adopted from other organizations, or the vendor’s own configuration guidance.
5. Ensure that the access lists and rule bases of the boundary routers and firewalls for the classified system are configured so that any access between a network segment or node and the public Internet is permitted only through a DMZ.
6. Ensure that boundary defense mechanisms adhere to the DoD ports, protocols, and services implementation process.
7. Ensure that wireless networks terminate in DMZs and are segregated from back office LAN traffic unless they pass through a secure gateway or VLAN.
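Items 5 and 7 are the two rules a reviewer can mechanically check against an exported rule base: no permit rule may connect the Internet to anything but the DMZ, and wireless segments may not reach the back-office LAN directly. The following is an added example (not part of the original guidance, and not a DISA or NSA tool) that audits a simplified rule base for both conditions. The segment addresses, the `Rule` model and the two sample rule bases are constructed for illustration; a real rule base also has first-match ordering, object groups and NAT, which this model ignores, so it is a screening check rather than a replacement for the STIG review.

```python
"""Screen a simplified firewall rule base for direct Internet paths that bypass
the DMZ (item 5) and for wireless-to-LAN paths (item 7).  Constructed example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed segment plan (an assumption for the example, not from the guidance).
SEGMENTS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.10.0.0/16"),
    "wireless": ipaddress.ip_network("10.20.0.0/16"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR; "0.0.0.0/0" means any
    dst: str              # CIDR; "0.0.0.0/0" means any
    proto: str            # "tcp", "udp", "icmp", "ip"
    port: Optional[int]   # destination port, None for any


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone name.  A prefix wholly inside a known segment gets
    that segment's name; other RFC 1918 space is 'private-unassigned'; anything
    else, including 0.0.0.0/0, is treated as Internet, because a rule that
    reaches "any" reaches the public network whatever else it also covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    if any(net.subnet_of(p) for p in RFC1918):
        return "private-unassigned"
    return "internet"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per permit rule that violates item 5 or item 7.
    Deny rules are skipped: a deny can never open a path, so only permits
    need inspection for this check."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        desc = f"rule {i}: permit {r.src} -> {r.dst} {r.proto}/{r.port or 'any'}"
        # Item 5: every path to or from the Internet must terminate in the DMZ.
        if s == "internet" and d != "dmz":
            findings.append(f"{desc}: Internet reaches {d} directly (must be DMZ)")
        elif d == "internet" and s != "dmz":
            findings.append(f"{desc}: {s} reaches Internet directly (must go via DMZ)")
        # Item 7: wireless terminates in the DMZ; no direct path to the back-office LAN.
        if (s == "wireless" and d == "lan") or (s == "lan" and d == "wireless"):
            findings.append(f"{desc}: wireless and LAN exchange traffic with no DMZ or gateway between them")
    return findings


# Constructed rule bases: the weak one opens the two forbidden paths, the
# corrected one forces all Internet and wireless traffic through DMZ hosts.
WEAK = [
    Rule("permit", "10.10.0.0/16", "0.0.0.0/0", "tcp", 443),      # LAN straight to Internet
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "tcp", 443),      # Internet to DMZ web tier (fine)
    Rule("permit", "10.20.0.0/16", "10.10.0.0/16", "tcp", 445),   # wireless into LAN file shares
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "ip", None),
]
CORRECTED = [
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "tcp", 443),      # Internet to DMZ only
    Rule("permit", "192.0.2.0/24", "0.0.0.0/0", "tcp", 443),      # DMZ proxy egress
    Rule("permit", "10.10.0.0/16", "192.0.2.0/24", "tcp", 3128),  # LAN to DMZ proxy
    Rule("permit", "10.20.0.0/16", "192.0.2.0/24", "tcp", 3128),  # wireless to DMZ proxy
    Rule("permit", "192.0.2.0/24", "10.10.0.0/16", "tcp", 1433),  # DMZ app tier to LAN database
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "ip", None),
]

if __name__ == "__main__":
    for name, rule_base in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit(rule_base) or ["no findings"])
```

Run against the weak rule base the audit reports rules 1 and 3; the corrected rule base produces no findings because the only Internet-facing permits have the DMZ at one end and wireless clients can only reach the DMZ proxy. Note that the DMZ-to-LAN database rule is not flagged: the guidance above constrains Internet and wireless paths, not DMZ back-end access, which is left to the STIG review of the specific mechanism.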