
EBRU-1 Remote Access for User Functions


Overview

All remote access to DoD information systems, to include telework access, is mediated through a managed access control point, such as a remote access server in a DMZ. Remote access always uses encryption to protect the confidentiality of the session. The session-level encryption equals or exceeds the robustness established in ECCT. Authenticators are restricted to those that offer strong protection against spoofing. Information regarding remote access mechanisms (e.g., Internet address, dial-up connection telephone number) is protected.

MAC / CONF: CLASSIFIED, SENSITIVE
Impact: High
Subject Area: Enclave Boundary Defense

Details

Threat
Remote access allows users to interact with enclave resources from afar. This convenience introduces inherent risks such as spoofing and brute-force attacks. Proper security precautions, such as a properly configured remote access server in a DMZ along with approved encryption techniques, minimize the chance of network compromise and attack.

Guidance
1. All remote access connections shall authenticate network users and encrypt transmitted data by using approved access controls and cryptographic means.
2. Components shall establish a process for managing remote access user accounts to include prompt account removal or disablement as warranted.
3. Components shall take steps to ensure remote access numbers or Internet addresses are secure.
4. Refer to DoD or other applicable guidance for proper connection requirements and procedures.

References

  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DISA Network Infrastructure STIG, Version 6 Draft, 29 October 2004
  • DISA Secure Remote Computing STIG, Version 1, Release 1, 14 February 2003
  • Public Law 106-346, Section 359, Attachment 1, Memorandum to Executive Departments and Agencies, Congressional Federal Telework Mandate 2001, 23 October 2000
  • DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004
  • UNIX STIG, Version 4, Release 4, 15 September 2003