The network device must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000189-NDM-000146	SRG-NET-000189-NDM-000146	SRG-NET-000189-NDM-000146_rule		Medium

Description
The network device must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. This control is normally a function of the network device application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.

Description

The network device must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. This control is normally a function of the network device application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000189-NDM-000146_chk )
Verify the network device implements security functions as a layered structure minimizing interactions between layers of the design and avoiding and dependence by lower layers on the functionality or correctness of higher layers. If the network device does not implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers, this is a finding.

Check Text ( C-SRG-NET-000189-NDM-000146_chk )

Verify the network device implements security functions as a layered structure minimizing interactions between layers of the design and avoiding and dependence by lower layers on the functionality or correctness of higher layers. If the network device does not implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers, this is a finding.

Fix Text (F-SRG-NET-000189-NDM-000146_fix)
Configure the network device to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality of correctness of higher layers.