An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection from deletion of system and application files, and a structured process for implementation of directed solutions (e.g., IAVA).
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACIII | Low | Enclave Computing Environment |
**Threat**

Without an adequate network device control program, the perimeter protection devices themselves cannot be protected from unauthorized access, which can result in denial of service, malicious code attacks, and unauthorized modification of network device data. This implementation guide is intended to help network administrators implement proper access controls and maintain network control devices effectively.
**Guidance**

1. Project management shall ensure that an effective network device control program is developed for the network control devices (e.g., firewalls, routers, switches) in accordance with DOD policy and organization-specific guidelines. The program must include at least the following:
   - Roles and responsibilities for personnel involved in installing, operating, and managing the network control devices
   - Instructions for restart and recovery procedures in accordance with DISA STIGs and vendor system administration guides for firewalls, routers, and switches
   - Restrictions on source code access, system utility access, and system documentation in accordance with DISA STIGs and vendor security administration guides
   - Protection from deletion of system and application files through proper file permissions in accordance with DISA STIGs and vendor security administration guides
   - A structured process for the implementation of directed solutions (e.g., IAVA)
2. The network administrator shall configure the network control devices in accordance with DISA STIGs and NSA security guides to protect them from unauthorized access.
3. If feasible, project management shall ensure that network-based IDSs are implemented to detect security events affecting the network control devices (refer to ECID-1).
4. The network administrator shall periodically test changes and updates made to the network control devices to ensure their integrity, in accordance with the system Configuration Management Plan.