UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

External network connections must not bypass the enclaves perimeter security.


Overview

Finding ID Version Rule ID IA Controls Severity
V-8052 NET0170 SV-8538r4_rule Medium
Description
Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networks to the organization are considered to be untrusted, this could prove detrimental since there is no way to verify traffic inbound or outbound on this backdoor connection. An attacker could carry out attacks or steal data from the organization without any notification. An external connection is considered to be any link from the organization's perimeter to the NIPRNet, SIPRNet, Commercial ISP, or other untrusted network outside the organization's defined security policy. The DREN and SREN are DoD's Research & Engineering Network. A DoD Network that is the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated as a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer ASD (NII)/DoD CIO. A DISN enclave should not have connectivity to the DREN unless approved by the AO and the requirements have been met for all external connections described in NET0130.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2019-09-30

Details

Check Text ( C-7433r5_chk )
Review the network topology diagram and verify that ingress and egress traffic via external connections to the enclave do not bypass the enclave’s perimeter security.

If there are external connections to the enclave that bypass the enclaves’ perimeter security, this is a finding.
Fix Text (F-7627r5_fix)
Disconnect any external network connections not routed through the organization's perimeter security or validated and approved by the AO.