
ECND-2 Network Device Controls


Overview

An effective network device control program (e.g., routers, switches, firewalls) is implemented and includes: instructions for restart and recovery procedures; restrictions on source code access, system utility access, and system documentation; protection from deletion of system and application files, and a structured process for implementation of directed solutions (e.g., IAVA). Audit or other technical measures are in place to ensure that the network device controls are not compromised. Change controls are periodically tested.

MAC / CONF: MACI, MACII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without an adequate network device control program, perimeter protection devices cannot be protected from unauthorized access, which can result in denial of service, malicious code attacks, and unauthorized modification of network device data. This implementation guide aims to help network administrators implement proper access controls, maintain network control devices effectively, and monitor the network devices for unauthorized compromise.

Guidance
1. The project management shall ensure that an effective network device program is developed for the network control devices (e.g., firewalls, routers, switches) in accordance with DOD policy and organization-specific guidelines. The program must include, but is not limited to, the following information:
  · Roles and responsibilities for personnel involved in installing, operating, and managing the network control devices
  · Instructions for restart and recovery procedures in accordance with DISA STIGs and vendor system administration guides related to firewalls, routers, and switches
  · Restrictions on source code access, system utility access, and system documentation in accordance with DISA STIGs and vendor security administration guides
  · Protection from deletion of system and application files through proper file permissions in accordance with DISA STIGs and vendor security administration guides
  · A structured process for the implementation of directed solutions (e.g., IAVA).
2. The network administrator shall configure the network control devices in accordance with DISA STIGs and NSA security guides to prevent unauthorized access to the network control devices.
3. The network administrator shall enable the auditing capabilities of individual network control devices so that access to the devices is monitored and recorded in audit trails.
4. If feasible, the project management shall ensure that network-based IDSs are implemented to detect security events affecting the network control devices (refer to ECID-1).
5. The network administrator shall test changes and updates made to the network control devices periodically to ensure their integrity in accordance with the system Configuration Management Plan.

References

  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DOD Information Security Program, 13 December 1993
  • DISA Network STIG, 29 October 2004
  • DISA Network Infrastructure STIG, 29 September 2003
  • DISA Cisco IOS Router Checklist, Version 5, Release 2.1, 01 June 2004
  • DISA Juniper Router Checklist, Version 5, Release 2.1, 17 June 2004
  • NSA Router Security Configuration Guide, 08 April 2004
  • NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, January 2002
  • Individual System Configuration Management Plans