
EBBD-2 Boundary Defense


Overview

Boundary defense mechanisms, to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, at layered or internal enclave boundaries, or at key points in the network, as required.  All Internet access is proxied through Internet access points that are under the management and control of the enclave and are isolated from other DoD information systems by physical or technical means.

MAC / CONF: SENSITIVE
Impact: Medium
Subject Area: Enclave Boundary Defense

Details

Threat
Systems processing sensitive information require layered defensive mechanisms that control access to the information from outside the enclave and that prevent the inadvertent disclosure that can follow from allowing connections to untrusted public (Internet) resources. This protection is achieved by deploying boundary defense mechanisms such as firewalls and IDSes, and by securely configuring enclave routers, so that access to sensitive information is restricted to authorized users and trusted sources. Uncontrolled access to public (Internet) resources from a system processing sensitive information also raises the risk of inadvertent disclosure through unauthorized access; for this reason, access to external (Internet) systems is proxied so that connections are made only to trusted sources.

Guidance
This guidance is designed for IAMs, PMs, SMEs, System Administrators, and all personnel involved in the design and implementation of boundary defense:
 
1. As part of the system design process, identify the specific boundary defense mechanisms to be incorporated into the system security architecture. When selecting specific hardware and software for these devices (e.g., firewalls, IDS), refer to the list of products that have been evaluated under the Common Criteria by the NIAP scheme and meet the fundamental requirements of NSTISSP No. 11. The list is available online at: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html.
2. Review the NIAP evaluation summary for each product, focusing on the Evaluation Assurance Level (EAL) of each product. For information systems processing sensitive information, a minimum evaluation level of EAL-3 is required.
3. Once the boundary defense mechanisms for the system have been identified, ensure that each mechanism is documented in the system security architecture, which details the physical and logical placement of the mechanism within the system; the data flows, ports, protocols, and services used; and the interconnections with related systems or network segments.
4. Ensure that all boundary defense devices for sensitive systems (i.e., firewalls, IDSes, and boundary routers) are configured in accordance with approved DoD secure configuration standards, preferably the most current DISA STIG for each specific mechanism. If no STIG exists for a mechanism, refer to other approved DoD guidance such as NSA configuration guidelines, DoD guidelines created by and adopted from other organizations, or the vendor's own configuration guidance.
5. Ensure that the access lists and rule bases of the boundary routers and firewalls for the sensitive system are configured such that access to or from any network segment or node to the public Internet must be proxied through a dedicated node, such as a remote access server, set up at the enclave level and under the strict administration of the enclave. For additional details on proxy configurations for Internet access, refer to the DISA Network Infrastructure STIG.
6. Ensure that boundary defense mechanisms adhere to the DoD ports, protocols, and services management (PPSM) process defined in DoDI 8551.1.
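The following is an added example and is not text, configuration, or code from this control or from the STIGs it references. It is a small Python evaluator for a boundary router's egress access list (first match wins, implicit deny at the end, as on Cisco IOS) that checks items 4 to 6 together: it compares a weak rule base that lets every enclave node reach the Internet, a mis-ordered one whose deny shadows the proxy permits, and a hardened one that permits only the proxy, only on registered ports, and keeps the proxy isolated from other DoD address space. The enclave addresses (10.1.0.0/16 with the proxy at 10.1.0.10), the use of 10.0.0.0/8 as "other DoD" space, the Internet hosts, the choice of TCP 80 and 443 as this enclave's PPS-registered ports, and the simplified CIDR rule syntax are all assumptions made for illustration; real IOS access lists use wildcard masks.

```python
"""Added example: toy first-match evaluator for a boundary router's egress
access list, used to check that the rule base forces Internet access through
the enclave proxy. Addresses, rule lines and probe flows are constructed;
rule syntax uses CIDR prefixes rather than Cisco IOS wildcard masks."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_acl(text: str) -> List[Rule]:
    """Parse '<permit|deny> <proto> <src/len> <dst/len> [eq <port>]' lines;
    anything after '#' is a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] not in ("permit", "deny") or len(tok) not in (4, 6):
            raise ValueError(f"bad ACL line: {raw!r}")
        dport = None
        if len(tok) == 6:
            if tok[4] != "eq":
                raise ValueError(f"bad port clause: {raw!r}")
            dport = int(tok[5])
        rules.append(Rule(tok[0], tok[1], ipaddress.ip_network(tok[2]),
                          ipaddress.ip_network(tok[3]), dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None) -> str:
    """First matching rule wins; the access list ends with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed layout: enclave 10.1.0.0/16, proxy 10.1.0.10, other DoD
# enclaves elsewhere in 10.0.0.0/8, Internet hosts in documentation ranges.
PROXY = "10.1.0.10"
WORKSTATION = "10.1.5.20"
OTHER_DOD_HOST = "10.2.3.4"
INTERNET_HOST = "198.51.100.7"

WEAK_ACL = """
permit ip 10.1.0.0/16 0.0.0.0/0                 # any enclave node straight to the Internet
"""

MISORDERED_ACL = """
deny   ip  10.1.0.0/16  0.0.0.0/0               # shadows the proxy permits below: first match wins
permit tcp 10.1.0.10/32 0.0.0.0/0 eq 80
permit tcp 10.1.0.10/32 0.0.0.0/0 eq 443
"""

HARDENED_ACL = """
deny   ip  10.1.0.10/32 10.0.0.0/8              # proxy is isolated from other DoD address space
permit tcp 10.1.0.10/32 0.0.0.0/0 eq 80         # only the proxy, only on the PPS-registered ports
permit tcp 10.1.0.10/32 0.0.0.0/0 eq 443        # (80/443 assumed registered for this enclave)
deny   ip  10.1.0.0/16  0.0.0.0/0               # every other node: no direct Internet path
"""

# Flows the control forbids; a compliant rule base permits none of them.
FORBIDDEN_FLOWS = [
    ("workstation direct HTTPS",   "tcp", WORKSTATION, INTERNET_HOST, 443),
    ("workstation direct DNS",     "udp", WORKSTATION, INTERNET_HOST, 53),
    ("proxy to unregistered port", "tcp", PROXY, INTERNET_HOST, 25),
    ("proxy to other DoD enclave", "tcp", PROXY, OTHER_DOD_HOST, 80),
]


def proxy_bypasses(rules) -> List[str]:
    """Names of the forbidden flows that the rule base lets through."""
    return [name for name, *flow in FORBIDDEN_FLOWS
            if evaluate(rules, *flow) == "permit"]


def proxy_path_works(rules) -> bool:
    """The proxy itself must still reach the Internet on the registered ports."""
    return all(evaluate(rules, "tcp", PROXY, INTERNET_HOST, port) == "permit"
               for port in (80, 443))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACL), ("misordered", MISORDERED_ACL),
                       ("hardened", HARDENED_ACL)):
        rules = parse_acl(text)
        print(f"{name:10s} proxy path: {proxy_path_works(rules)!s:5}  "
              f"bypasses: {proxy_bypasses(rules)}")
```

The two checks are deliberately separate: a rule base that denies everything passes the bypass check but breaks the enclave's only sanctioned Internet path, so a review of access lists has to confirm the proxy's permitted flows positively as well as confirm that no other node has one. The misordered case shows why the order of entries in a first-match list is itself a configuration item worth checking against the STIG, not just the set of entries.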

References

  • DISA Network Infrastructure STIG, Version 6, 29 October 2003
  • DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004
  • DISA Enterprise Security Management STIG, Version 1, Section 3, paragraph 3.5, 29 October 2004
  • Cisco IOS Router Checklist Procedure Guide (Supp. to Network Infrastructure Checklist Version 5, Release 2.1, 01 June 2004)
  • Juniper JUNOS Router Checklist Procedure Guide (Supp. to Network Infrastructure Checklist Version 5, Release 2.1, 17 June 2004)
  • DISA Secure Remote Computing STIG, Version 1, Release 1, Sections 5 and 6, 04 February 2003
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • DoDI 8551.1 “Ports, Protocols, and Services Management”, Enclosure 3, 13 August 2004