An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection from deletion of system and application files, and a structured process for implementation of directed solutions (e.g., IAVA). Audit or other technical measures are in place to ensure that the network device controls are not compromised. Change controls are periodically tested.
MAC / CONF | Impact | Subject Area |
---|---|---|
MACI MACII | Medium | Enclave Computing Environment |
Threat |
---|
Without an adequate network device control program, perimeter protection devices could not be protected from unauthorized access, resulting in denial of service, malicious code attacks, and unauthorized modification of network device data. This implementation guide is aimed to help network administrators implement proper access controls, maintain network control devices effectively, and monitor unauthorized compromise of the network devices. |
Guidance |
---|
1 The project management shall ensure that an effective network device program shall be developed for the network control devices (e.g., firewalls, routers, switches) in accordance with DOD policy and organization specific guidelines. The program must include, but are not limited to, the following information: · Roles and responsibilities for personnel involved in installing, operating, and managing the network control devices · Instructions for restart and recovery procedures in accordance with DISA STIGs and vendor system administration guides related to firewalls, routers, and switches · Restrictions on source code access, system utility access, and system documentation in accordance with DISA STIGs and vendor security administration guides · Protection from deletion of system and application file through proper file permissions in accordance with DISA STIGs and vendor security administration guides; · A structured process for the implementation of directed solutions (e.g., IAVA). 2. The network administrator shall configure the network control devices in accordance with DISA STIGs and NSA security guides to prevent unauthorized access to the network control devices. 3. The network administrator shall enable the auditing capabilities of individual network control devices so that access to the devices is monitored and recorded in audit trails. 4. If feasible, the project management shall ensure that network-based IDSs are implemented to detect security events occurred to the network control devices. (refer to ECID-1) 5. The network administrator shall test changes and updates made to the network control devices periodically to ensure their integrity in accordance with the system Configuration Management Plan. |