ECND-1 Network Device Controls


Overview

An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection from deletion of system and application files, and a structured process for implementation of directed solutions (e.g., IAVA).

MAC / CONF: MAC III
Impact: Low
Subject Area: Enclave Computing Environment

Details

Threat
Without an adequate network device control program, perimeter protection devices cannot be protected from unauthorized access, which can result in denial of service, malicious code attacks, and unauthorized modification of network device data. This implementation guide is intended to help network administrators implement proper access controls and maintain network control devices effectively.

Guidance
1. The project management shall ensure that an effective network device control program is developed for the network control devices (e.g., firewalls, routers, switches) in accordance with DOD policy and organization-specific guidelines. The program must include, but is not limited to, the following:
  · Roles and responsibilities for personnel involved in installing, operating, and managing the network control devices
  · Instructions for restart and recovery procedures in accordance with DISA STIGs and vendor system administration guides related to firewalls, routers, and switches
  · Restrictions on source code access, system utility access, and system documentation in accordance with DISA STIGs and vendor security administration guides
  · Protection from deletion of system and application files through proper file permissions in accordance with DISA STIGs and vendor security administration guides
  · A structured process for the implementation of directed solutions (e.g., IAVA)
2. The network administrator shall configure the network control devices in accordance with DISA STIGs and NSA security guides to protect the network control devices from unauthorized access.
3. If feasible, the project management shall ensure that network-based IDSs are implemented to detect security events affecting the network control devices (refer to ECID-1).
4. The network administrator shall periodically test changes and updates made to the network control devices to verify their integrity, in accordance with the system Configuration Management Plan.

References

  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DOD Information Security Program, 13 December 1993
  • DISA Network STIG, 29 October 2004
  • DISA Network Infrastructure STIG, 29 September 2003
  • DISA Cisco IOS Router Checklist, Version 5, Release 2.1, 01 June 2004
  • DISA Juniper Router Checklist, Version 5, Release 2.1, 17 June 2004
  • NSA Router Security Configuration Guide, 08 April 2004
  • DISA IAVA Process Handbook Version 2.1, 11 June 2002
  • NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, January 2002