acceptedFirewall Security Technical Implementation GuideFirewall Security Technical Implementation GuideDISASTIG.DOD.MILRelease: 25 Benchmark Date: 26 Jan 20188I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>Interface ACL deny statements are not logged.<GroupDescription></GroupDescription>NET1020The network device must log all interface access control lists (ACL) deny statements.<VulnDiscussion>Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, attempted to be done, and by whom in order to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack, or identify a configuration mistake on the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure interface ACLs to log all deny statements.Review the network device interface ACLs to verify all deny statements are logged.
If deny statements are not logged, this is a finding.IPSec VPN is not configured as a tunnel type VPN.<GroupDescription></GroupDescription>NET1800The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network.<VulnDiscussion>Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premise of the managed networks and at the NOC. Dedicated links can be deployed using provisioned circuits (ATM, Frame Relay, SONET, T-carrier, and others or VPN technologies such as subscribing to MPLS Layer 2 and Layer 3 VPN services) or implementing a secured path with gateway-to-gateway IPsec tunnel. The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Establish the VPN as a tunneled VPN.
Terminate the tunneled VPN outside of the firewall.
Ensure all host-to-host VPN are established between trusted known hosts.
Have the SA display the configuration settings that enable this feature.
Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples:
In CISCO
Router(config)# crypto ipsec transform-set transform-set-name transform1
Router(cfg-crypto-tran)# mode tunnel
OR in Junos
edit security ipsec security-association sa-name] mode tunnelNetwork element is not password protected.<GroupDescription></GroupDescription>NET0230Network devices must be password protected.<VulnDiscussion>Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device providing opportunity for intruders to compromise resources within the network infrastructure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network devices so it will require a password to gain administrative access to the device.Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required.
If passwords aren't used to administrative access to the device, this is a finding.Login banner is non-existent or not DOD-approved.<GroupDescription></GroupDescription>NET0340Network devices must display the DoD-approved logon banner warning.<VulnDiscussion>All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed.
DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."
If the device configuration does not have a logon banner as stated above, this is a finding.Management connection does not timeout.<GroupDescription></GroupDescription>NET1639The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network device and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device as well as reduce the risk of a management session from being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity.
If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.DNS servers must be defined for client resolver. <GroupDescription></GroupDescription>NET0820Network devices must have DNS servers defined if it is configured as a client resolver.<VulnDiscussion>The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to include DNS servers or disable domain lookup.Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup).
If the device is configured as a client resolver and DNS servers are not defined, this is a finding.SNMP access is not restricted by IP address.<GroupDescription></GroupDescription>NET0890Network devices must only allow SNMP access from addresses belonging to the management network.<VulnDiscussion>Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, show the networks topology, and possibly gain access to network devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network devices to only allow SNMP access from only addresses belonging to the management network.Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management network.
If the device is not configured to filter SNMP from the management network only, this is a finding.SNMP privileged and non-privileged access.<GroupDescription></GroupDescription>NET1675The network device must use different SNMP community names or groups for various levels of read and write access.<VulnDiscussion>Numerous vulnerabilities exist with SNMP; therefore, without unique SNMP community names, the risk of compromise is dramatically increased. This is especially true with vendors default community names which are widely known by hackers and other networking experts. If a hacker gains access to these devices and can easily guess the name, this could result in denial of service, interception of sensitive information, or other destructive actions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access.
If unique community strings or accounts are not used for SNMP peers, this is a finding.Firewall has unnecessary services enabled.<GroupDescription></GroupDescription>NET0377The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.<VulnDiscussion>The risk of an attack increases with more services enabled on the firewall, since the firewall will listen for these services. If non-firewall services (e.g., DNS servers, e-mail client servers, ftp servers, web servers, etc.) are part of the standard firewall suite and are not necessary for administration of the firewall, they will be uninstalled or disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516The Firewall Administrator will only utilize services related to the operation of the firewall. Any unnecessary services, even if they are part of the firewall standard suite, must be uninstalled or disabled.Have the Firewall Administrator display the services running on the firewall appliance or underlying OS. CAVEAT: Anti-virus software running on the firewall's OS would be an exception to the above requirement. It is recommended that anti-virus software be implemented on any non-appliance firewall if supported. However, it is not a finding if anti-virus software has not been implemented.
If services that are not necessary for the administration of the firewall are found to be running on the firewall, this is a finding.
Group accounts are defined.<GroupDescription></GroupDescription>NET0460Group accounts must not be configured for use on the network device.<VulnDiscussion>Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure individual user accounts for each authorized person then remove any group accounts.Review the network device configuration and validate there are no group accounts configured for access.
If a group account is configured on the device, this is a finding.Accounts assigned least privileges necessary to perform duties.<GroupDescription></GroupDescription>NET0465Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.<VulnDiscussion>By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties.
If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.Unauthorized accounts are configured to access device.<GroupDescription></GroupDescription>NET0470Unauthorized accounts must not be configured for access to the network device.<VulnDiscussion>A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that is no longer needed to access the device. Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device.
If an unauthorized account is configured for access to the device, this is a finding.Passwords are viewable when displaying the config.<GroupDescription></GroupDescription>NET0600Network devices must be configured to ensure passwords are not viewable when displaying configuration information.<VulnDiscussion>Many attacks on information systems and network devices are launched from within the network. Hence, it is imperative that all passwords are encrypted so they cannot be intercepted by viewing the console or printout of the configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network devices to ensure passwords are not viewable when displaying configuration information.Review the network devices configuration to determine if passwords are viewable.
If passwords are viewable in plaintext, this is a finding.Management connections must be secured by FIPS 140-2. <GroupDescription></GroupDescription>NET1638Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.<VulnDiscussion>Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information. With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols.
-SSHv2
-SCP
-HTTPS using TLS
If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.Management connections must be logged.<GroupDescription></GroupDescription>NET1640Network devices must log all attempts to establish a management connection for administrative access.<VulnDiscussion>Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to log all access attempts to the device to establish a management connection for administrative access.Review the configuration to verify all attempts to access the device via management connection are logged.
If management connection attempts are not logged, this is a finding.HTTP server is not disabled <GroupDescription></GroupDescription>NET0740Network devices must have HTTP service for administrative access disabled.<VulnDiscussion>The additional services the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services. The HTTPS server may be enabled for administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to disable using HTTP (port 80) for administrative access.Review the device configuration to determine that HTTP is not enabled for administrative access. The HTTPS server may be enabled for administrative access.
If the device allows the use of HTTP for administrative access, this is a finding.Devices exist with standard default passwords.<GroupDescription></GroupDescription>NET0240Network devices must not have any default manufacturer passwords.<VulnDiscussion>Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well-known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Remove any vendor default passwords from the network devices configuration.Review the network devices configuration to determine if the vendor default password is active.
If any vendor default passwords are used on the device, this is a finding.Firewall is not configured to protect the network.<GroupDescription></GroupDescription>NET0375The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.<VulnDiscussion>A SYN-flood attack is a denial-of-service attack where the attacker sends a huge amount of please-start-a-connection packets and then nothing else. This causes the device being attacked to be overloaded with the open sessions and eventually crash.
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>EBBD-1, EBBD-2, EBBD-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516If the firewall support SYN-flood or ping sweep protection then enable these features. If the firewall does not support these features, enable the security features on the router to protect the network from these attacks.Review the device configurations to determine if denial of service attacks guarded against.
If the device is not configured to mitigate denial of service attacks, this is a finding.Operating system is not at a current release level.<GroupDescription></GroupDescription>NET0700Network devices must be running a current and supported operating system with all IAVMs addressed.<VulnDiscussion>Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Update operating system to a supported version that addresses all related IAVMs.Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed.
If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.Management connections must require passwords.<GroupDescription></GroupDescription>NET1636The network device must require authentication prior to establishing a management connection for administrative access.<VulnDiscussion>Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure authentication for all management connections.Review the network device configuration to verify all management connections for administrative access require authentication.
If authentication isn't configured for management access, this is a finding.The IDS or FW is not configured to alarm the admin<GroupDescription></GroupDescription>NET0390The network devices must be configured to alert the administrator of a potential attack or system failure.<VulnDiscussion>The IDS or firewall is the first device that is under the sites control that has the possibility to alarm the local staff of an ongoing attack. An alert from either of these devices can be the first indication of an attack or system failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the IDS or firewall to alarm the SA of potential attacks or system failure.The SA shall define clipping levels / thresholds as a baseline to display alert messages on specific attacks identifying the potential security violation or attack. Review the IDS or firewall configuration to determine what alerts have been defined and how the notifications are performed.
If the device is not configured to alert the administrator of potential failures, this is a finding.Admins will be logged.<GroupDescription></GroupDescription>NET1300Administrator logons, changes to the administrator group, and account lockouts must be logged.<VulnDiscussion>The network device and the associated logging functions allows for forensic investigations if properly configured and protected. The administrators account is the most sought after account so extra protection must be taken to protect this account and log its activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to log all administrative actions performed on the device.Review the device configuration to determine if all administrative actions are being logged.
If administrative actions are not being logged, this is a finding.An insecure version of SNMP is being used.<GroupDescription></GroupDescription>NET1660The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.<VulnDiscussion>SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption.
Downgrades:
If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II.
If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III.
If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.
If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.Using default SNMP community names.<GroupDescription></GroupDescription>NET1665The network device must not use the default or well-known SNMP community strings public and private.<VulnDiscussion>Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network device using the read community string "public". In addition, an attacker can change a system configuration using the write community string "private".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure unique SNMP community strings replacing the default community strings.Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used.
If default or well-known community strings are used for SNMP, this is a finding.More than one local account is defined.<GroupDescription></GroupDescription>NET0440In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.<VulnDiscussion>Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or local account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency.
Verify the username and password for the local account of last resort is contained within a sealed envelope kept in a safe.
If an authentication server is used and more than one local account exists, this is a finding.The console port does not timeout after 10 minutes.<GroupDescription></GroupDescription>NET1624The network devices must time out access to the console port at 10 minutes or less of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the timeout for idle console connection to 10 minutes or less.Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity.
If console access is not configured to timeout at 10 minutes or less, this is a finding.Network element must only allow SNMP read access.<GroupDescription></GroupDescription>NET0894Network devices must only allow SNMP read-only access.<VulnDiscussion>Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding.L2TP is terminated in the private network.<GroupDescription></GroupDescription>NET-TUNL-013L2TP must not pass into the private network of an enclave.<VulnDiscussion>Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by the capability to define vender-specific parameters beyond those defined in the L2TP specifications.
The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC) in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach his home network or ISP from a remote location. The remote access user either dials (or otherwise connects via layer 2) to a LAC device which tunnels his connection home to an awaiting LNS. The LAC could also be located on the remote user's laptop which connects to an LNS at home using some generic internet connection. The other reference models may be used for more obscure scenarios.
Although the L2TP protocol does not contain encryption capability, it can be operated over IPSEC which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. Secondly, the outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Thirdly, since the LNS provides the remote user with a dynamic IP address to use, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. Finally, there is also the issue of authentication of the remote user prior to divulging an acceptable IP address. As a result of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario.
In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular:
1) L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only, are less defended, and not as well-known
2) The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead
3) L2TP is highly complex and variable (vender-specific variability) and therefore would be a viable target that is difficult to defend. It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised.
4) Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task.
5) Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required, therefore bringing it inside doesn't save resources.
Therefore, it is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. Reference the Backbone Transport STIG for additional L2TP guidance and use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Terminate L2TP tunnels at the enclave perimeter, either in the DMZ or a service network for filtering and content inspection before passing traffic to the enclave's private network.Review the network topology diagram, and review VPN concentrators.
Verify that L2TP is not permitted into the enclave's private network. L2TP uses TCP and UDP ports 1701. See the PPS Vulnerability Assessment for additional protocol guidance and reference the Backbone Transport STIG for exceptions.
If L2TP is not filtered outbound, this is a finding.Authentication required for console access.<GroupDescription></GroupDescription>NET1623The network device must require authentication for console access.<VulnDiscussion>Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure authentication for console access on the network device.Review the network device's configuration and verify authentication is required for console access.
If authentication is not configured for console access, this is a finding.Firewall is not operating on a STIG'd OS<GroupDescription></GroupDescription>NET0379The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the installation of the firewall product.<VulnDiscussion>If the host that a firewall engine is operating on is not secured, the firewall itself is exposed to greater risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516The firewall administrator will install all patches that address IAVA.Review documentation that the OS was STIG compliant prior to firewall installation and that the appropriate patches have been applied that address all IAVAs.Management connections are not restricted.<GroupDescription></GroupDescription>NET1637The network devices must only allow management connections for administrative access from hosts residing in the management network.<VulnDiscussion>Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure an ACL or filter to restrict management access to the device from only the management network.Review the configuration and verify management access to the device is allowed only from hosts within the management network.
If management access can be gained from outside of the authorized management network, this is a finding.SSH session timeout is not 60 seconds or less.<GroupDescription></GroupDescription>NET1645The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.<VulnDiscussion>An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network devices so it will require a secure shell timeout of 60 seconds or less.Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period.
If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.SSH login attempts value is greater than 3.<GroupDescription></GroupDescription>NET1646The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.<VulnDiscussion>An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3.
If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.Devices not configured to filter and drop half-open connections.<GroupDescription></GroupDescription>NET0965The network device must drop half-open TCP connections through filtering thresholds or timeout periods.<VulnDiscussion>A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator.
An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections.
For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering.
If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.Perimeter is not compliant with DOD Instr. 8551.1<GroupDescription></GroupDescription>NET0910The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments. <VulnDiscussion>Vulnerability assessments must be reviewed by the SA and protocols must be approved by the IA staff before entering the enclave.
Access Control Lists (ACLs) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to even reach a potential target within the security domain. The list provided are highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but are stopped by an ACL will allow network administrators to broaden their protective ring and more tightly define the scope of operation.
If the perimeter is in a Deny-by-Default posture and what is allowed through the filter is IAW DoD Instruction 8551.1, and if the permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to PPS being blocked would be satisfied.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516The SA will utilize ingress and egress ACLs to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments.Identify the device or devices that make up the perimeter defense. Review the configuration of the premise routers and firewalls and verify that the filters are IAW DoD 8551.
SA will review PPS Vulnerability Assessment of every port allowed into the enclave and apply all appropriate mitigations defined in the VA report. All ports and protocols allowed into the enclave must be registered in the PPSM database.
Note: It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database.
The auxiliary port is not disabled.<GroupDescription></GroupDescription>NET1629The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.<VulnDiscussion>The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network.
Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected.
If the auxiliary port is enabled without the use of a secured modem, this is a finding.IPv6 Router Advertisements must be suppressed.<GroupDescription></GroupDescription>NET-IPV6-004Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.<VulnDiscussion>Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for the link local attacks, but has since been found to have bootstrapping problems and to be very administrative intensive. Due to first requiring an IP address in order to set up the IPSec security association creates the chicken-before-the-egg dilemma. There are solutions being developed (Secure Neighbor Discovery and Cryptographic Generated Addressing) to secure these threats but are not currently available at the time of this writing.
To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways will be configured to suppress router advertisements.
Disable (or do not configure) all IPv6 Neighbor Discovery functions across tunnels including the Neighbor Unreachability Detection (NUD) function. Note: this is applicable only when the inner IP layer is IPv6 since IPv4 does not have the Neighbor Discovery functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>DCBP-1, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to enable route advertisement suppression on all external facing have IPv6 enabled on the interface.Inspect the device configuration to validate IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (i.e. NIPRNet, SIPRNet, etc.), backdoor link, or an alternate gateway (AG).
If router advertisements are not suppressed on external facing IPv6 interfaces, this is a finding.Firewall inspection is not performed adequately<GroupDescription></GroupDescription>NET0366The SA must configure the firewall for the minimum content and protocol inspection requirements.<VulnDiscussion>Creating a filter to allow a port or service through the firewall without content or protocol inspection creates a direct connection between the host in the private network and a host on the outside; thereby, bypassing additional security measures that could be provided. This places the internal host at a greater risk of exploitation that could make the entire network vulnerable to an attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Ensure the firewall has content and protocol inspection implemented for all ingress and egress traffic. Review the firewall configuration and verify both ingress and egress traffic is being inspected. If any traffic is able to leave or enter the enclave without being inspected by the firewall, this is a finding.Firewall must block loopback address <GroupDescription></GroupDescription>NET0380The firewall must reject requests for access or services where the source address received by the firewall specifies a loopback address.<VulnDiscussion>The loopback address is used by an Inter-Processor Control (IPC) mechanism that enables the client and server portion of an application running on the same machine to communicate, and so it is trusted. It should never be used as the source IP address of an inbound or outbound transmission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Establish filters to block any attempt from the firewall or any network to pass any packets claiming to be from a loopback address.Review the device configuration to determine if filters are in place to block loopback addresses.
If loopback addresses are not being filtered by the firewall, this is a finding.Alerts generated at 75% log storage capacity.<GroupDescription></GroupDescription>NET0386Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.<VulnDiscussion>Configuring the network device or syslog server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of critical alerts. Without this type of notification setup, logged audits and events could potentially fill to capacity, causing subsequent records to not be recorded and dropped without any knowledge by the administrative staff. Other unintended consequences of filling the log storage to capacity may include a denial of service of the device itself without proper notification.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device or syslog server to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data.Review the network device or syslog server to determine whether alerts are configured to automatically generate and notify the administrator when seventy-five percent or more of the storage capacity has been reached with log data.
If alerts are not configured for notification when exceeding storage capacity, this is a finding.No FW log dump procedures <GroupDescription></GroupDescription>NET0388The network device must dump logs when they reach 75% capacity to a syslog server.<VulnDiscussion>Having a procedure tested and verified will prevent the logs from filling when they reach 75% capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to dump logs to a syslog server when reaching a storage capacity of 75%.Review the device configuration to determine if logs are being dumped to a syslog when meeting the 75% storage capacity.
If logs aren't being dumped at 75% capacity, this is a finding.FA is not informed of critical alerts. <GroupDescription></GroupDescription>NET0391Critical alerts must be generated and notifications sent to authorized personnel regardless if the person is logged in.<VulnDiscussion>By immediately displaying an alarm message, identifying the potential security violation and making it accessible with the audit record contents associated with the event(s) that generated the alarm provides the administration staff prompt alert messages, regardless if the person is logged into the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to immediately notify authorized personnel of critical alerts.Review the firewall configuration to determine what alerts have been defined and how the notifications are performed.
If the firewall doesn't have the proper alerts defined, this is a finding.FW alert not written to remote console. <GroupDescription></GroupDescription>NET0392The ISSO must ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged.<VulnDiscussion>By immediately displaying an alarm message, identifying the potential security violation and making it accessible with the audit record contents associated with the auditable event(s) that generated the alarm provides the administration staff prompt alert messages at their work areas.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to immediately write an alarm message to the remote consoles.Review the firewall configuration to determine what alerts have been defined and how the notifications are performed. The message must be displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged. The firewall shall immediately display an alarm message, identifying the potential security violation and make accessible the audit record contents associated with the auditable event(s) that generated the alarm. This can also be accomplished by sending email alerts using an Exchange receipt.
If alerts are not configured for notification to remote consoles, this is a finding.Audit record must display violation<GroupDescription></GroupDescription>NET0395The ISSO must ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s).<VulnDiscussion>The relevant audit information must be available to administrators. The firewall shall immediately display an alarm message, identifying the potential security violation and make accessible the audit record contents associated with the event(s) that generated the alarm.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to write violations to the console and make accessible the audit record contents.Review the firewall configuration to determine what alerts have been defined and how the notifications are performed. The relevant audit information must be available to administrators. The message will not be scrolled off the screen due to other activities taking place (e.g., the Audit Administrator is running an audit report).
If the device does not write violations to the console and make accessible the audit record contents, this is a finding.Alerts must remain until acknowledged.<GroupDescription></GroupDescription>NET0396The ISSO must ensure an alert will remain written on the consoles until acknowledged by an administrator.<VulnDiscussion>Critical alerts require immediate response. Critical alerts must not roll off the screens. The requirements are necessary to ensure an administrator will be aware of the alerts or alarm. The intent is to ensure that if an administrator is physically at the remote workstation the message will remain displayed until they have acknowledged it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to send an alarm or retain an alert message until acknowledged.Review the firewall configuration to determine what alerts have been defined and how the notifications are performed.
Verify alerts generated will remain until acknowledged.
If the device is not configured to send or retain notifications until acknowledgement, this is a finding.FW acknowledge messages must be recorded <GroupDescription></GroupDescription>NET0398The ISSO must ensure an acknowledgement message identifying a reference to the potential security violation is logged and it contains a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm.<VulnDiscussion>Acknowledging the alert could be a single event, or different events. In addition, assurance is required that each administrator that received the alarm message also receives the acknowledgement message, which includes some form of reference to the alarm message, who acknowledged the message and when.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECAR-1, ECAR-2, ECAR-3, ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to send acknowledge messages to administrators, referencing the alarm, who acknowledged the alarm, and timestamps.The firewall shall display an acknowledgement message identifying a reference to the potential security violation, a notice that it has been acknowledged, the time of the acknowledgement and the user identifier that acknowledged the alarm at the remote administrator sessions that received the alarm.
Have the administrator verify these capabilities.
If the notifications do not include the proper references, this is a finding.Key expiration exceeds 180 days.<GroupDescription></GroupDescription>NET0422Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.<VulnDiscussion>If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates, both with 180-day or less expirations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device so rotating keys expire at 180 days or less.Review device configuration for key expirations of 180 days or less.
If rotating keys are not configured to expire at 180 days or less, this is a finding.NTP messages are not authenticated.<GroupDescription></GroupDescription>NET0813Network devices must authenticate all NTP messages received from NTP servers and peers.<VulnDiscussion>Since NTP is used to ensure accurate log file time stamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source.
Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers.
A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to its upstream NTP server, it will be able to choose time from one of its peers.
The NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It is not used to authenticate NTP clients because NTP servers do not care about the authenticity of their clients, as they never accept any time from them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
Downgrade:
If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III.
If the network element is not configured to authenticate received NTP messages using a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.IPv6 Site Local Unicast ADDR must not be defined<GroupDescription></GroupDescription>NET-IPV6-025The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10). Note that this consist of all addresses that begin with FEC, FED, FEE and FEF.<VulnDiscussion>As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity and potential misrouting, as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC3513, i.e., 1111111011 binary or FEC0::/10.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device using authorized IP addresses.Review the device configuration to ensure FEC0::/10 IP addresses are not defined.
If FEC0::/10 IP addresses are defined, this is a finding.The network element must not allow SSH Version 1.<GroupDescription></GroupDescription>NET1647The network device must not allow SSH Version 1 to be used for administrative access.<VulnDiscussion>SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to use SSH version 2.Review the configuration and verify SSH Version 1 is not being used for administrative access.
If the device is using an SSHv1 session, this is a finding.Teredo is not blocked by filtering UDP port 3544<GroupDescription></GroupDescription>NET-TUNL-020Teredo packets must be blocked inbound to the enclave and outbound from the enclave.<VulnDiscussion>Teredo (RFC 4380) is a tunneling mechanism that allows computers to encapsulate IPv6 packets inside IPv4 to traverse IPv4-only networks. It relies on UDP to allow the tunnel to traverse NAT devices. Teredo uses UDP port 3544 to communicate with Teredo relays which access the packet, decapsulated the packet, and route it to the appropriate IPv6 network. While Teredo was proposed by Microsoft, Linux versions do exist.
By allowing Teredo tunneling mechanism to be uncontrolled, it can pass malicious IPv6 packets over IPv4 without further inspection of the packet by router and firewall ACLs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure either the perimeter router or firewall to block UDP port 3544 traffic inbound and outbound.Inspect the network device configuration to validate Teredo packets, UDP port 3544 is blocked both inbound to the enclave and outbound from the enclave.
This requirement must be administered on either the perimeter router or firewall.
If Teredo is not blocked one of these devices, this is a finding.IPv4 Interfaces in NAT-PT receive IPv6<GroupDescription></GroupDescription>NET-IPV6-047Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic.<VulnDiscussion>Network Address Translation with Protocol Translation (NAT-PT), defined in [RFC2766], is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates IPv4 datagrams into a semantically equivalent IPv6 datagram or vice versa. For this service to work it has to be located in the connection point between the IPv4 network and the IPv6 network. The PT-part of the NAT-PT handles the interpretation and translation of the semantically equivalent IP header, either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NATPT also uses a pool of addresses which it dynamically assigns to the translated datagrams.
The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms due to the deprecation of NAT-PT within the DoD community. However, as described in the "DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3) Requirements, some services/agencies may choose to implement this transition mechanism within an enclave. The following sub-sections provide guidelines for the use of NAT-PT within a controlled enclave.
In addition to the single point of failure, the reduced performance of an application level gateway, coupled with limitations on the kinds of applications that work, decreases the overall value and utility of the network. NAT-PT also inhibits the ability to deploy security at the IP layer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516This can be accomplished by not having IPv6 enabled on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at the interface.Review network diagram in the STIG and ensure the architecture is designed correctly. The interface facing the IPv4 LAN network must not receive IPv6 traffic. This can be accomplished by not having IPv6 on the interface supporting the IPv4 network.
In addition a filter can be added to deny IPv6 at this interface.
If interfaces supporting IPv4 in NAT-PT receive IPv6 traffic, this is a finding.The device is not authenticated using a AAA server.<GroupDescription></GroupDescription>NET0433Network devices must use two or more authentication servers for the purpose of granting administrative access.<VulnDiscussion>The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in conjunction with an authentication server such as TACACS+ or RADIUS, the administrators can easily add or remove user accounts, add or remove command authorizations, and maintain a log of user activity.
The use of an authentication server provides the capability to assign router administrators to tiered groups that contain their privilege level that is used for authorization of specific commands. For example, user mode would be authorized for all authenticated administrators while configuration or edit mode should only be granted to those administrators that are permitted to implement router configuration changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to use two separate authentication servers.Verify an authentication server is required to access the device and that there are two or more authentication servers defined.
If the device is not configured for two separate authentication servers, this is a finding.Emergency administration account privilege level is not set.<GroupDescription></GroupDescription>NET0441The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.<VulnDiscussion>The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online.
If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.Management traffic is not restricted<GroupDescription></GroupDescription>NET1807Management traffic is not restricted to only the authorized management packets based on destination and source IP address. <VulnDiscussion>The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network element enabling network management traffic to flow between the managed NEs and the NOC. This allows the use of paths separate from those used by the network being managed. Traffic from the managed network to the management network and vice-versa must be secured via IPSec encapsulation. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.Where IPSec technology is deployed to connect the OOBM gateway routers or firewall, the traffic entering the tunnels must be restricted to only the authorized management packets based on destination and source IP address from the address block used for the management network. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 10.1.1.0/24 is the management address block used at the network being managed (i.e., the enclave).
When the AS PIC receives traffic on the inside interface associated with a service set, the AS PIC applies the configured Layer 3 services and then forwards the packet back to the router through the outside interface. Likewise, when the AS PIC receives traffic on the outside interface associated with a service set, it forwards the packet back to the router through the inside interface after applying the configured Layer 3 services.
hostname VPN-Gateway1
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 19.16.1.254 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map ipsec-isakmp
crypto map Outside_map 20 match address 101
crypto map Outside_map 20 set peer 19.16.2.254
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
!
isakmp key ***** 19.16.2.254 netmask 255.255.255.255
isakmp enable Outside
!
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
sysopt connection permit-ipsec
Note: Access lists can be defined for PIX/ASA using the familiar IOS software ACL format. However, one important difference exists between the PIX/ASA and IOS ACL formats: PIXs use real subnet masks (a 1 bit matches, and a 0 bit ignores), whereas IOS platforms use a wildcard mask (a 0 bit matches, and a 1 bit ignores).
Remote VPN end-point not a mirror of local gateway<GroupDescription></GroupDescription>NET1808Gateway configuration at the remote VPN end-point is a not a mirror of the local gateway <VulnDiscussion>The IPSec tunnel end points may be configured on the OOBM gateway routers connecting the managed network and the NOC. They may also be configured on a firewall or VPN concentrator located behind the gateway router. In either case, the crypto access-list used to identify the traffic to be protected must be a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.Verify the configuration at the remote VPN end-point is a mirror configuration as that reviewed for the local end-point.The OOBM interface not configured correctly.<GroupDescription></GroupDescription>NET0991The network devices OOBM interface must be configured with an OOBM network address.<VulnDiscussion>The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network.
If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.The management interface does not have an ACL.<GroupDescription></GroupDescription>NET0992The network devices management interface must be configured with both an ingress and egress ACL.<VulnDiscussion>The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network device will be directly connected to the OOBM network.
An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.Step 1: Verify the managed interface has an inbound and outbound ACL or filter.
Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC.
Step 3: Verify the egress ACL blocks any traffic not originated by the managed element.
If management interface does not have an ingress and egress filter configured and applied, this is a finding.The management interface is not IGP passive.<GroupDescription></GroupDescription>NET0993The management interface must be configured as passive for the IGP instance deployed in the managed network.<VulnDiscussion>The OOBM access switch will connect to the management interface of the managed network devices. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network devices will be directly connected to the OOBM network.
An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic, both data plane and control plane, does not leak into the managed network and that production traffic does not leak into the management network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
If the management interface is not configured to be passive for IGP instances, this is a finding.The firewall does not block outbound mgmt traffic<GroupDescription></GroupDescription>NET1001The firewall located behind the premise router must be configured to block all outbound management traffic.<VulnDiscussion>The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. If there is a firewall located behind the premise router, then all management traffic must be blocked at that point--with the exception of management traffic destined to premise equipment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516With the exception of management traffic destined to perimeter equipment, a firewall located behind the premise router must be configured to block all outbound management traffic.Review the firewall configuration to verify that it is blocking all outbound management traffic.
If the firewall is not blocking management network from leaking to outside networks, this is a finding.IPSec traffic is not restricted<GroupDescription></GroupDescription>NET1006Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address. <VulnDiscussion>Similar to the OOBM model, when the production network is managed in-band, the management network could also be housed at a NOC that is located locally or remotely at a single or multiple interconnected sites. NOC interconnectivity as well as connectivity between the NOC and the managed networks’ premise routers would be enabled using either provisioned circuits or VPN technologies such as IPSec tunnels or MPLS VPN services. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address. For both the NOC and the managed network, the IPSec tunnel end points may be configured on the premise or gateway router, a VPN gateway firewall or VPN concentrator. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. ACLs must restrict access to server VLANs.<GroupDescription></GroupDescription>NET-SRVFRM-003Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture.<VulnDiscussion>Protecting data sitting in a server VLAN is necessary and can be accomplished using access control lists on VLANs provisioned for servers. Without proper access control of traffic entering or leaving the server VLAN, potential threats such as a denial of service, data corruption, or theft could occur, resulting in the inability to complete mission requirements by authorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.Review the device configuration to validate an ACL with a deny-by-default security posture has been implemented on the server VLAN interface.ACLs do not protect against compromised servers<GroupDescription></GroupDescription>NET-SRVFRM-004The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.<VulnDiscussion>ACLs on VLAN interfaces do not protect against compromised servers. The Server farm vlans need to protect the servers located on one subnet from servers located on another subnet. Protecting a client’s data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the Server Farm entry point. Restricting protocol, source and destination traffic via filters is an option; however additional security practices such as content filtering are required.
The Server farm private vlans need to protect the servers located on one subnet from servers located on another subnet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder.Review the firewall protecting the server farm. Vlan configurations should have a filter that secures the servers located on the vlan segment. Identify the source ip addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny by default posture.
If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, than review the VLAN definition on the L3 switch.
Server Farm without firewall content inspection<GroupDescription></GroupDescription>NET-SRVFRM-005The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.<VulnDiscussion>Most current applications are deployed as a multi-tier architecture. The multi-tier model uses separate server machines to provide the different functions of presentation, business logic, and database.
Multi-tier server farms provide added security because a compromised web server does not provide direct access to the application itself or to the database.
The multi-tier separation is accomplished in several architectures, by a layer 2 switch, by a layer3 switch/router or by a firewall located at the server farm. Using the firewall implementation is the most secure method and is the only approved DoD architecture.
Firewalls get packets from VLAN-supporting switches complete with 802.1Q tags in their headers. What the VLAN-aware firewall can do is extract the tags and use the information within the tags to make policy-based security decisions.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to inspect traffic content to and from the server farm.Identify the VLAN IP subnet and determine if the subnet passes content inspect by a firewall capable on content inspection.IPv6 6-to-4 addresses are not filtered<GroupDescription></GroupDescription>NET-IPV6-024IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter.<VulnDiscussion>"6-to-4" is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is implemented, reference addition 6-to-4 guidance defined in the STIG.
Drop all inbound IPv6 packets containing a source address of type 2002::/16. This assumes the 6-to-4 transition mechanism is not being used.
Drop all inbound IPv6 packets containing a destination address of type 2002::/16. This assumes the 6-to-4 transition mechanism is not being used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device using filters to restrict IP addresses that contain any 6-to-4 addresses.Review the device configuration to ensure filters are in place to restrict the IP addresses explicitly or implicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny 6-to-4 tunnel addresses and log all violations.
source type: 2002::/16
If filters are not in place to deny 6-to-4 tunnel addresses, this is a finding.IPV6 Jumbo payload hop by hop is not dropped<GroupDescription></GroupDescription>NET-IPV6-035IPv6 Jumbo Payload hop by hop header must be blocked.<VulnDiscussion>The IPv6 Jumbo Payload allows IP packets to be larger than 65,535 bytes. This feature is only useful on very specialized high performance systems (e.g. super computers). Common place link layer technologies do not support these payload sizes and special link layer designs would be necessary. This header should be dropped unless the system is specifically designed to use very large payloads, since it only serves as an opportunity to break implementations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the firewall to drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.Review the device configuration to determine filters drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.
If IPv6 Jumbo Payloads are not dropped, this is a finding.
Alternatively, if the system is specifically designed to use very large payloads and its use is documented in architecture design documents, than this is not a finding.Two NTP servers are not used to synchronize time.<GroupDescription></GroupDescription>NET0812Network devices must use at least two NTP servers to synchronize time.<VulnDiscussion>Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the device to use two separate NTP servers.Review the configuration and verify two NTP servers have been defined.
If the device is not configured to use two separate NTP servers, this is a finding.PAT is vulnerable to DNS cache poisoning<GroupDescription></GroupDescription>NET1970The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attack caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic.<VulnDiscussion>DNS cache poisoning is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching name server. There are inherent deficiencies in the DNS protocol and defects in implementations that facilitate DNS cache poisoning.
Name servers vulnerable to cache poisoning attacks are due to their use of insufficiently randomized transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. To exploit these vulnerabilities an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations.
Some current implementations allocate an arbitrary source port at startup (and sometimes selected at random) and reuse this source port for all outgoing queries. With other implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server UDP port number 53. Because attacks against these vulnerabilities all rely on an attacker's ability to predict, the implementation of per-query source port randomization in the server presents a practical mitigation against these attacks within the boundaries of the current protocol specification. Randomized source ports can be used to gain approximately 16 additional bits of randomness in the data that an attacker must guess. Randomizing the ports adds a significant amount of attack resiliency.
Routers, firewalls, proxies, and other gateway devices that perform NAT—more specifically Port Address Translation (PAT)—often rewrite source ports in order to track connection state. A flawed implementation of a PAT device using a predictiable source port allocation method can reduce any effectiveness of source port randomization implemented by name servers and stub resolvers. Henceforth, it is imperative that the router or firewall software has been upgraded or patched to reduce an attacker’s opportunity for launching a DNS cache poisoning attack.
Note: Regular NAT (allocating one public IP address for each private IP address) is not affected by this problem because it only rewrites layer 3 information and does not modify layer 4 header information of packets traversing the NAT device.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Update the OS to the release that mitigates the risk of a DNS cache poisoning attackVerify that the software implemented on the router or firewall has been updated to a release that mitigates the risk of a DNS cache poisoning attack. A number of vendors have released patches to implement source port randomization. This change significantly reduces the practicality of cache poisoning attacks. See the Systems Affected section at http://www.kb.cert.org/vuls/id/800113 for additional details for specific products not listed below.
The following BlueCoat products are vulnerable:
Proxy SG: Fixed in 4.2.8.6 or 5.2.4.3 and later.
Director: Fixed in: 4.2.2.4 or 5.2.2.5 and later.
Proxy RA: Fixed in 2.3.2.1 and later.
The following Secure Computing products are vulnerable:
Sidewinder G2 6.1 .0.01
Sidewinder G2 6.1 .0.02
Sidewinder 5.0
Sidewinder 5.0 .0.01
Sidewinder 5.0 .0.02
Sidewinder 5.0 .0.03
Sidewinder 5.0 .0.04
Sidewinder 5.1
Sidewinder 5.1 .0.01
Sidewinder 5.1 .0.02
Sidewinder 5.1 .1
Sidewinder 5.1 .1.01
Sidewinder 5.2
Sidewinder 5.2 .0.01
Sidewinder 5.2 .0.02
Sidewinder 5.2 .0.03
Sidewinder 5.2 .0.04
Sidewinder 5.2 .1
Sidewinder 5.2 .1.02
Sidewinder 5.2.1 .10
Sidewinder Software 5.0
Sidewinder Software 5.0 .0.01
Sidewinder Software 5.0 .0.02
Sidewinder Software 5.0 .0.03
Sidewinder Software 5.0 .0.04
Sidewinder Software 5.1
Sidewinder Software 5.1 .0.01
Sidewinder Software 5.1 .0.02
Sidewinder Software 5.1 .1
Sidewinder Software 5.1 .1.01
Sidewinder Software 5.2
Sidewinder Software 5.2 .0.01
Sidewinder Software 5.2 .0.02
Sidewinder Software 5.2 .0.03
Sidewinder Software 5.2 .0.04
Sidewinder Software 5.2 .1
Sidewinder Software 5.2 .1.02
CyberGuard Classic
CyberGuard TSP
See Secure Computing Knowledgebase article 11446 for the resolution to updates to these vulnerable products.
The following Juniper Networks ScreenOS firewall versions are vulnerable.
ScreenOS 5.1
ScreenOS 5.2
The following Cisco PIX/ASA releases are vulnerable:
6.3(5) and earlier. Fixed with 6.3(5.144) and later
7.0 Fixed with 7.0(8.1)
7.1 Fixed with 7.1(2.74)
7.2 Fixed with 7.2(4.9)
8.0 Fixed with 8.0(3.32)
8.1 Fixed with 8.1(1.8) , 8.1(1.100), and 8.1(101.4)
8.2 Fixed with 8.2(0.140)
Device logs are not timestamped.<GroupDescription></GroupDescription>NET1288Network device logs must be timestamped.<VulnDiscussion>Device logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis. It can take numerous days to recover from a firewall outage when a proper backup scheme is not used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECTB-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to include timestamps on all device logs.Review the device configuration to validate timestamps are configured for logging.
If timestamps are not configured for logging purposes, this is a finding.Event records do not include required fields.<GroupDescription></GroupDescription>NET1289Network device logs must include source IP, destination IP, port, protocol used and action taken.<VulnDiscussion>The network device logs can be used for forensic analysis in support of incident as well as to aid with normal traffic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECTB-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Ensure the firewall logs are receiving source IP, destination IP, port, protocol used and action taken.Review the active logs and verify the source IP, destination IP, port, protocol used and action taken are recorded fields in the event record.
If logs do not include the source IP, destination IP, port, or protocol, this is a finding.Call home service is disabled.<GroupDescription></GroupDescription>NET0405A service or feature that calls home to the vendor must be disabled.<VulnDiscussion>Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>Network Security Officer</Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Configure the network device to disable the call home service or feature.Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding.IPV6 firewall does not meet DITO requirements<GroupDescription></GroupDescription>NET-IPV6-005The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance.<VulnDiscussion>1) Drop IPv6 Undetectable protocol/port (May be an intrinsic FW feature.) - IPv6 allows an unlimited number of extension headers to be applied to a packet. A FW may not be able to locate the layer 4 protocol and port values if too many extension headers exhaust its resources. As a minimum, a FW must be able to drop any packet for which it cannot identify the layer 4 protocol and ports (if applicable). The security policy would be subverted if these packets were allowed to pass through a FW. If the FW cannot traverse through extension headers at all, it must drop packets using any extension header. This measure will disable a large amount of IPv6’s functionality and should only be used if the Primary guidance cannot be implemented.
2) Drop IPv6 Type 0 Routing Header - The IPv6 Type 0 Routing Header (extension header) is functionally equivalent to the IPv4 loose source routing header option, which is typically blocked for security reasons. The Type 0 Routing Header is dangerous because it allows attackers to spoof source addresses and get traffic in response (rather than to the real owner of the address). Secondly, a packet with an allowed destination address could be sent through a FW only to bounce to a different (disallowed) node once inside using the Routing Header functionality. If the Type 0 Routing Header must be used, it must be used in conjunction with either the IPSec AH or the IPSec Encapsulation Security Payload (ESP) headers. If the FW cannot distinguish the type field of a routing header, it should be configured to drop all routing headers. Note that Mobile IP is disabled without the Type 2 Routing Header. Although deprecated by a recent RFC, there may be existing implementations that still recognize this header.
3) Drop Undefined IPv6 Header Extensions/Protocol Values (May be an intrinsic FW feature.) - Undefined IPv6 header extensions means that the Next Header type is not registered with Internet Assigned Numbers Authority (IANA). The header extension is the same as the protocol value, and should be dropped. Drop all undefined extension headers/protocol values.
4) Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering to include protocol/port values cannot be determined.(May be an intrinsic FW feature) - A FW must be able to properly enforce its filtering policy upon fragmented packets. This requires that the FW be able to find the complete set of header data including extension headers and the upper layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks. Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper layer protocol/port information outward (toward packet boundaries) making it much harder to protect. How a FW achieves these requirements is not important as long as both aspects are met. The wording “drop at least one fragment” used in the actions below is a statement of the bare minimum action to secure a packet, and is chosen to allow FW venders flexibility in achieving it. Refer to Firewall Design Considerations for IPv6 section 3.6 for extensive detail on this topic. https://www.us.army.mil/suite/doc/10209656
5) Drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain. (May be an intrinsic FW feature) - Nested fragmentation is an unnecessary and unwanted IPv6 condition that is not forbidden by the specifications. It occurs when an IP header chain contains more than one Fragmentation Header implying that a fragment has been fragmented. In the specification, the phrase “IP header chain” rather than “packet” is used, because a tunneled packet has more than one IP header chain and each chain can have a Fragment Header (this case is not nested fragmentation). Nested fragmentation is a new phenomenon with IPv6. It is not possible in IPv4, because the fragmentation fields are part of the main header and are modified in the event of a secondary fragmentation event. Nested fragmentation in IPv6 should be dropped by FWs since internal nodes that process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash or behave in some unpredictable manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>DCDS-1, EBBD-1</IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Identify the firewall capabilities to ensure they support the DITO requirements prior to procurement. Review current alternatives defined in the MO3 guidance for mitigation.Drop all inbound IPv6 packets for which the layer 4 protocol and ports (if applicable) cannot be located. Drop all inbound IPv6 packets with a Type 0 Routing Header unless those packets also contain an IPSec AH or IPSec ESP header. Drop all inbound IPv6 packets containing undefined header extensions/protocol values. Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering to include protocol/port values cannot be determined. Drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.Firewall is listening for telnet service.<GroupDescription></GroupDescription>NET0378The firewall must not be listening for telnet service.<VulnDiscussion>Telnet is an unencrypted service which can be easily exploited, especially when used over a public network such as the internet. With telnet enabled on the firewall, an attacker may be able to send spoofed packets through the firewall and consume the firewall’s memory, causing a denial of service on the device. Telnet service is vulnerable to many exploits which can compromise the network device if enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Firewall - Data NetworkDISADPMS TargetFirewall - Data Network516Disable telnet and verify the firewall is not listening to port 23.Have the firewall admin verify telnet is not enabled on the firewall and is not listening on port 23.
If telnet is enabled on the firewall or the firewall is listening on port 23, this is a finding.