
EBBD-3 Boundary Defense


Overview

Boundary defense mechanisms to include firewalls and network intrusion detection systems (IDS) are deployed at the enclave boundary to the wide area network, and at layered or internal enclave boundaries and key points in the network as required. All Internet access is prohibited.

MAC / CONF: CLASSIFIED
Impact: High
Subject Area: Enclave Boundary Defense

Details

Threat
Systems processing classified information require layered defensive mechanisms to control access to the information from outside the enclave, and to prevent the inadvertent disclosure that would result from allowing connections to the public Internet. This protection is achieved by implementing boundary defense mechanisms such as firewalls and Intrusion Detection Systems (IDS), and by securely configuring enclave routers, so that access to classified information is restricted to authorized users and trusted sources. Access to the public Internet from a classified system enclave would result in almost certain compromise of classified data. For this reason, access to external (Internet) systems is prohibited by the boundary defense mechanisms.

Guidance
This guidance is designed for IAMs, PMs, SMEs, System Administrators, and all personnel involved in the design and implementation of boundary defense:
 
1. As part of the system design process, identify the specific boundary defense mechanisms to be incorporated into the system security architecture. When making the decision to select specific hardware and software applications for these devices (e.g., firewalls, IDS), refer to the list of devices that have been evaluated by the NIAP program under Common Criteria and meet the fundamental requirements outlined in NSTISSP 1. This list is available online at: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html.
2. Review the NIAP evaluation summary for each product, focusing on the Evaluation Assurance Level (EAL) for each product. For information systems processing classified information as national security systems, a minimum evaluation level of EAL-3 is required.
3. Once boundary defense mechanisms for the system have been identified, ensure that each mechanism is incorporated into a system security architecture documentation that details physical and logical placement of the mechanism within the system, data flows, ports, protocols, and services used; and interconnections between related systems or network segments.
4. Ensure that all boundary defense devices for classified systems (i.e., firewalls, IDS, and boundary routers) are configured in accordance with approved DoD secure configuration standards, preferably the most current DISA STIGs for each specific mechanism. If STIGs are unavailable for specific mechanisms, refer to other approved DoD guidance such as NSA configuration guidelines, DoD guidelines created by or adopted from other organizations, or the vendor’s own configuration guidance.
5. Ensure that access lists and rule bases for boundary routers and firewalls for the classified system are configured to prohibit access to or from any network segment enabling access to the public Internet.
6. Ensure that boundary defense mechanisms adhere to the DoD ports, protocols, and services implementation process.
7. Ensure that enclave boundary defenses include the following:
  · Capability to monitor higher layer protocols (commonly called “deep-content scans”).
  · Active monitoring of event logs on a continual basis and prompt response to threats.
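One way to automate the check behind step 5, as an added example that is not part of this control or of any DISA checklist: audit a boundary firewall or router rule base and flag every permit rule whose source or destination falls outside the enclave's trusted address ranges (including "any"), and confirm the rule base ends with an explicit deny. The trusted ranges and the rule tuple format are constructed assumptions; a real audit would take them from the system security architecture documentation and the device's own ACL syntax.

```python
import ipaddress

# Constructed assumption: address ranges of the classified enclave and its
# approved interconnections, per the system security architecture document.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.0.0/16")]

# Constructed sample rule base: (action, source, destination, protocol, port).
RULES = [
    ("permit", "10.20.1.0/24", "10.30.5.10/32", "tcp", 443),    # enclave to approved peer
    ("permit", "10.20.0.0/16", "any", "tcp", 80),               # reaches public Internet
    ("permit", "198.51.100.7/32", "10.20.2.0/24", "tcp", 22),   # public source address
    ("deny", "any", "any", "ip", None),                         # explicit final deny
]


def is_trusted(cidr, trusted):
    """True only if the prefix lies entirely within a trusted enclave range."""
    if cidr == "any":
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit(rules, trusted=TRUSTED_NETWORKS):
    """Return findings for permit rules that could carry traffic to or from
    a network segment with Internet access, plus a missing final deny."""
    findings = []
    for i, (action, src, dst, _proto, _port) in enumerate(rules, 1):
        if action != "permit":
            continue
        for side, cidr in (("source", src), ("destination", dst)):
            if not is_trusted(cidr, trusted):
                findings.append(f"rule {i}: permit with untrusted {side} {cidr}")
    if not rules or tuple(rules[-1][:3]) != ("deny", "any", "any"):
        findings.append("rule base does not end with an explicit deny any any")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print("EBBD-3 finding:", finding)
```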

References

  • DISA Network Infrastructure STIG, Version 6, 29 October 2003
  • DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004
  • DISA Enterprise Security Management STIG, Version 1, Section 3, paragraph 3.5, 29 October 2004
  • Cisco IOS Router Checklist Procedure Guide (Supp. to Network Infrastructure Checklist Version 5, Release 2.1, 01 June 2004)
  • Juniper JUNOS Router Checklist Procedure Guide (Supp. to Network Infrastructure Checklist Version 5, Release 2.1, 17 June 2004)
  • DISA Secure Remote Computing STIG, Version 1, Release 1, Sections 5 and 6, 04 February 2003
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • DoDI 8551.1 “Ports, Protocols, and Services Management”, Enclosure 3, 13 August 2004