UCF ID: 00529
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Technical security [UCF Control ID 00508]
This control has the following supporting controls:
• Establish and maintain documentation for controlling the network configuration. [UCF Control ID 00530]
• Establish and maintain a documented list of protocols, ports, applications, and services for essential operations. [UCF Control ID 00537]
• Secure the Domain Name Server (DNS) system. [UCF Control ID 00540]
• Establish and maintain a standard and procedure for firewall design and configuration practices. [UCF Control ID 00544]
• Establish and maintain Voice over Internet Protocol design and configuration criteria. [UCF Control ID 01449]
• Establish and maintain Wireless LAN design and configuration criteria. [UCF Control ID 01646]
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Information Security, Pg 38, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 23; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 33; System Security Plan (SSP) Procedure, Version 1.0, App A § 4.4; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP 005-1 R1.1 thru CIP 005-1 R1.3, CIP 005-1 R5.2; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 8; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 2.1.1; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.2(B); GAO/PCIE Financial Audit Manual (FAM), § 260.17(e); The National Strategy to Secure Cyberspace, February 2003, Pg 47; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.15, Exhibit 4 SC-7; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-3(5), App F § AC-19, App F § AC-22, App F § SC-7, App F § SC-7(1); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SC-7, SC-7(1); CobiT, Version 4.1, AI3.2; The Standard of Good Practice for Information Security, SM6.5.4(a), CB6.4.2(d), NW1.2.2(f), NW2.4.3, NW2.4.5, NW2.4.6, NW3.4.4(b), SD4.6.3(d); DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 4.2.3; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR1250), § 3.2; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 11.4.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.11.4.6; ISO/IEC 27002 Code of practice for information security management, 2005, § 11.4.3; OGC ITIL: Security Management, § 4.2.4.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § I.16; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.4.1.D, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C; DoD Instruction 8500.2 Information Assurance (IA) Implementation, EBBD-1; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 3.2, § 3.15; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 3.3; DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1, § 2.3, § 2.4, § 2.5, § 3.1, § 3.2, § 4.2, § 4.3; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 7.2, ¶ 9.2, ¶ 10 Table 1 Clause 10.1, ¶ 10 Table 1 Clause 10.2, ¶ 10 Table 1 Clause 10.3, ¶ 10 Table 1 Clause 10.4, ¶ 10 Table 1 Clause 10.5, ¶ 10 Table 1 Clause 10.6, ¶ 13.2, ¶ 13.2.1, ¶ 13.3.4, ¶ 13.5, ¶ 13.12
Banking and Finance Guidance
[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should map the network to identify and control all access points. [Pg 38, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Information Security]
All remote access points should be identified and controlled by periodically reviewing the network diagram and hardware inventory. [Pg 23, FFIEC IT Examination Handbook – Operations, July 2004]
The implemented logical access controls should also protect network access. [Pg 33, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Healthcare and Life Science Guidance
Calls for a description of the WAN security controls for organizational systems. The controls should also discuss any additional hardware or technical controls that have been installed on systems and implemented to provide protection against unauthorized system penetration and other known internet threats and vulnerabilities. [App A § 4.4, System Security Plan (SSP) Procedure, Version 1.0]
Energy Guidance
Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s). For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device. Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s). The Responsible Entity shall update the documentation to reflect the modification of the network or controls within ninety calendar days of the change. [CIP 005-1 R1.1 thru CIP 005-1 R1.3, CIP 005-1 R5.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
§ 4.4.1.D Centralized management systems that can control and configure distributed wireless networks are recommended.
§ 4.6.1.A An organization must require explicit management approval to use wireless networks in the Cardholder Data Environment (CDE). Any unsanctioned wireless must be removed from CDE.
§ 4.6.1.B An organization must require that wireless access is authenticated with user ID and password or other authentication item (for example, token). Wi-Fi Protected Access (WPA) Enterprise supports this requirement. If Pre-Shared Keys (PSKs) are used, then they must be rotated whenever employees that have access to wireless devices leave the organization. In Enterprise mode, individual user access can be enabled/disabled centrally.
§ 4.6.1.C Ensure that the organization maintains a list of all wireless devices and personnel authorized to use the devices. [§4.4.1.D, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
The organization must ensure that the network architecture has been properly approved. [§ 8, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]
This document calls for strong network configuration to defend against unauthorized LAN access. It describes in 2.1.1 a variety of vulnerabilities to which a LAN may fall prey. These include inappropriate identification schemes, poor password management, unprotected modems, poor physical control of network devices, lack of disconnect for multiple login failures, no logging of activities or time outs when an account is left inactive for an extended period of time. [§ 2.1.1, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
Careful analysis is needed to identify all of the systems entry points and paths to sensitive files. FISCAM calls for the creation of an access path diagram identifying: the users of the system; the type of device from which they can access the system; the software used in the system; the resources they may access; the system on which these resources reside; and the modes of operation and telecommunication. The access path diagram should be reviewed and updated to include network changes. [AC-3.2(B), Federal Information System Controls Audit Manual (FISCAM), February 2009]
Different types of computer processing present different levels of risk which must be taken into account. Peripheral access devices or system interfaces can take existing risk levels and increase them. Distributed networks also increase risk levels. Finally, application software developed in-house presents higher inherent risk as well. Thus when determining network configuration, be aware of how each of these things increases risk and implement controls to reduce risk. [§ 260.17(e), GAO/PCIE Financial Audit Manual (FAM)]
Asks federal agencies to consider installing systems that continuously check for unauthorized connections to their networks. [Pg 47, The National Strategy to Secure Cyberspace, February 2003]
Are all of the network access points accounted for in the network inventory? [EBBD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
All Internet access points are under the management and control of the enclave. [EBBD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
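The Banking and Finance guidance above asks for the network diagram and hardware inventory to be reviewed against what is actually connected, and the National Strategy and EBBD-1 entries ask whether every access point is accounted for and whether unauthorized connections are checked for continuously. The following script is an added example, not part of the UCF control or any cited authority document; the inventory, MAC addresses and `ip neigh` output are constructed sample data, and a real deployment would read the inventory from the CMDB and the neighbour table from the monitoring host.

```python
"""Reconcile a documented network inventory against live neighbour discovery.

Added example, not part of the UCF control text: the inventory and the
neighbour-table lines below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample: the organization's documented inventory of authorized
# devices and access points (the "network inventory" EBBD-1 asks about),
# keyed by link-layer address.
AUTHORIZED_INVENTORY = {
    "aa:bb:cc:00:00:01": "core-fw-01 (boundary firewall, managed)",
    "aa:bb:cc:00:00:02": "vpn-gw-01 (remote access gateway)",
    "aa:bb:cc:00:00:03": "wlan-ap-03 (approved wireless AP, CDE)",
    "aa:bb:cc:00:00:04": "print-srv-01",
}

# Constructed sample of `ip neigh show` output captured on a monitoring host.
SAMPLE_NEIGHBOURS = """\
10.0.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.2 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
10.0.1.50 dev eth0 lladdr aa:bb:cc:00:00:03 REACHABLE
10.0.1.77 dev eth0 lladdr de:ad:be:ef:12:34 REACHABLE
10.0.1.78 dev eth0  FAILED
10.0.2.9 dev eth1 lladdr aa:bb:cc:00:00:99 DELAY
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)"
)


@dataclass(frozen=True)
class Neighbour:
    ip: str
    dev: str
    mac: str
    state: str


def parse_neighbours(text):
    """Parse `ip neigh` lines. Entries without a link-layer address
    (FAILED / INCOMPLETE) carry no MAC and are skipped, not misreported."""
    found = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            found.append(Neighbour(m["ip"], m["dev"], m["mac"].lower(), m["state"]))
    return found


def reconcile(neighbours, inventory):
    """Return (unauthorized, missing): devices seen on the wire but absent
    from the inventory, and inventoried devices not currently observed.
    The second list supports the periodic inventory review; a device that is
    never seen may have been decommissioned without the diagram being updated."""
    seen = {n.mac for n in neighbours}
    unauthorized = [n for n in neighbours if n.mac not in inventory]
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unauthorized, missing


def report(text=SAMPLE_NEIGHBOURS, inventory=AUTHORIZED_INVENTORY):
    """Produce one finding line per discrepancy, suitable for an alert feed."""
    unauthorized, missing = reconcile(parse_neighbours(text), inventory)
    lines = [f"UNAUTHORIZED {n.ip} ({n.mac}) on {n.dev}, state {n.state}"
             for n in unauthorized]
    lines += [f"MISSING {mac}: {inventory[mac]} not observed" for mac in missing]
    return lines


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run on a schedule from a host with visibility into each segment, the output is the evidence trail an examiner would look for when asking whether all access points are accounted for.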
US Internal Revenue Guidance
The system must monitor and control all communications at key internal boundaries and at all external boundaries. [§ 5.6.15, Exhibit 4 SC-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
App F § AC-3(5) The organization security policy must prevent access to system security rules and configuration data unless the system is off-line and secure.
App F § AC-19 The organization must establish and maintain access control policies and procedures for mobile devices; restrict usage and provide guidance; monitor for unauthorized access; require prior authorization; enforce policies; disable automatic code execution; issue configured devices when traveling; and manage returning devices.
App F § AC-22 The organization must establish and maintain policies and procedures for publicly accessible content that designate authorized individuals to post information onto a publicly accessible system; train authorized individuals to ensure publicly accessible information does not contain nonpublic information; review proposed content for nonpublic information prior to posting; review the content of the publicly accessible systems for nonpublic information; and remove any nonpublic information from publicly accessible systems as it is located.
App F § SC-7 The organization must protect the information system by monitoring and controlling communications at the external boundary and key internal boundaries of the system. Connections to external networks and information systems should be managed by boundary protection devices which comply with organizational security architecture policy.
App F § SC-7(1) The organization should physically isolate publicly accessible information systems to separate sub-networks with dedicated network interfaces. [App F § AC-3(5), App F § AC-19, App F § AC-22, App F § SC-7, App F § SC-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure communications are monitored and controlled at external and key internal boundaries of the system; the information boundaries are protected with appropriate tools and techniques; publicly accessible information is located on a physically separate subnetwork; public access into internal networks is prohibited, except for when approved; and specific responsibilities and actions are defined for the implementation of the boundary protection control. Any problems discovered during the implementation of the boundary protection control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in controlling and monitoring the internal and external boundaries of the system and with personnel involved in maintaining publicly accessible networks and information. [SC-7, SC-7(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
Other Configuration Guidance
Remote access servers must be configured to prevent remote users from having access to the control, management, and configuration functions. [§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
§ 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings.
§ 3.2 The Apriva Sensa secure mobile e-mail system and network components should be implemented according to the organization’s recommended Sensa Systems Architecture. [§ 2.2 (WIR1250), § 3.2, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
§ 3.2 Good Mobile Messaging (GMM) wireless email system and network components should be implemented according to the organization’s recommended GMM Systems Architecture.
§ 3.15 The Good Mobile Internet Server (GMI) provides the following services:
− Forces all Internet browsing via a secure connection to the DoD enclave Internet proxy.
− Provides the Good Internet browser.
− Provides the capability to black list applications, including Pocket IE and other browsers.
− Provides a secure connection to back-office applications. This feature cannot be used in DoD because GMI does not support CAC authentication. The Good Mobile Connect server, released in 2008, does support CAC authentication to back-office applications and content servers.
− Provides the capability for the system administrator to push alerts and content to site managed Windows Mobile devices. [§ 3.2, § 3.15, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]
The Windows Mobile Messaging e-mail system and network components should be implemented according to the organization’s recommended Windows Mobile Messaging System Architecture. [§ 3.3, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
§ 2.3 Remote access, mobile access, and telework may use a number of different communications methods. These connections primarily use a virtual private network (VPN) client to create an encrypted "tunnel" into the DoD network. Methods include:
• Broadband networks (such as cable modem, digital subscriber line (DSL), satellite, and wireless broadband)
• Dial-up connection using a modem and telephone line
• Guest access using a DoD host network
• Guest access using a non-DoD network (such as an authorized telework center, home network, or contractor network)
• Public wireless hotspots in hotels, restaurants, or airports.
It is imperative that any broadband connection be as secure as possible prior to connecting to a DoD network or resource. A dial-up connection is normally not active for long periods and therefore provides an inherent security advantage over broadband connectivity, due to its short-lived connection as well as dynamic IP addressing. When remote users dial into a device, they are usually provided a dynamic IP address as opposed to a static IP address, making them a less attractive target for an attacker. In addition, they are not connected as long as a broadband remote user and are, therefore, not exposed to security threats for extended periods.
§ 2.4 The need for remote administration, contractor, inter-agency access, and an ever broadening wireless/mobile world, increases the need for more dynamic access control models. These diverse endpoints and multi-level access needs also demand an increase in security controls at the network perimeter and application levels. Because the public network infrastructure is used to deliver remote access services to DoD users, these users and endpoints seeking access must be treated as untrusted. With the increasing use of these same endpoints for access over both secure and non-secure networks, both internal and external clients must be treated as untrusted. This method actually serves to simplify access control and endpoint management. Access to restricted servers/databases is logically separated from wired endpoints and from publicly accessed hosts. Both remote and hard-wired users must provide stringent access credentials prior to traversing this internal “resource perimeter”. Using this paradigm, it is now possible to separate network access from resource access with two implications: Physical locations can become increasingly transparent and the Federally-mandated goal for DoD networks to provide emergency and guest access is also increasingly achievable.
§ 2.5 Regardless of the remote access method, connection method, or telework environment, enclave protection mechanisms must be in place to ensure security within specific security domains and across the DoD network backbone. The Enclave Security STIG and the Network Infrastructure STIG give details regarding the architectural components that must be in place to secure the infrastructure. Remote access network infrastructure should be implemented according to the organization’s recommended Remote Access Architecture.
§ 3.1 Network Access Control (NAC) systems integrate several different technologies to achieve security policy definition, authentication, authorization, and physical or logical network access enforcement. Depending on the network architecture and vendor, these services may be provided by different components of the NAC systems. In general, NAC systems include three major components: Network access point device (e.g., VPN, RAS, or Point-to-Point Protocol (PPP) gateway), NAC policy server, and the endpoint. The network layer or network access point consists of wired ports on a switch, wireless access points, or remote access systems (such as VPN or RAS devices).
§ 3.2 NAC appliances can be deployed using either an in-band (inline) or out-of-band (offline) architecture. An in-band NAC appliance acts as a gateway between the VPN gateway and the rest of the network. Installing the policy server out-of-band places the NAC so that the VPN or the RAS can direct the device seeking remote access to the NAC appliance.
§ 4.2 Use of thin clients, depending on the implementation methodology, presents an opportunity for increased control of the security environment of the remote access devices connecting to the enclave. Thin client devices and appliances are specifically designed machines used primarily for accessing server-based computing environments, including web browsing, terminal emulation, and terminal server sessions. There are two types of thin client devices, stateful and stateless. Stateful thin clients have a small OS, or thin OS, and are most easily categorized by their local OS. Stateless thin clients, sometimes referred to as Ultra Thin Client technology, run the connection client software such as Citrix, Windows Terminal Services, etc., directly from the appliance's hardware.
§ 4.3 Virtual Desktop Infrastructure (VDI) is a new method for delivering desktops to users. Users have been using local desktops for years and have recently begun accessing remote server-based computing (SBC) desktops running on Microsoft Terminal Servers or Citrix Presentation Servers. A virtual desktop allows users to run Windows or UNIX in the data center. Users would remotely connect to and control their own instance of the desktop in a one-to-one manner from the thin client device. The virtual desktop that is assigned to users is a virtual machine in the data center running the OS. The desktop virtualization solution is a multi-tiered architecture. Each tier comprises functional components that enable a thin client implementation. The four tiers are as follows:
- Client Tier: The client tier is the access points, or thin client devices, used by end users for accessing their desktop instance with the virtual desktop tier.
- Access Tier: The access tier is the infrastructure that enables and brokers thin client connections between the client tier and the virtual desktop tier.
- Virtual Desktop Tier: The virtual desktop tier is where users’ desktop images are consolidated into a centralized farm of VDI servers.
- Client Application Tier: The client application tier is the application farms of applications traditionally delivered to the desktop via application publishing products or display protocols (such as Independent Computing Architecture (ICA), Remote Desktop Protocol (RDP), etc.). [§ 2.3, § 2.4, § 2.5, § 3.1, § 3.2, § 4.2, § 4.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1]
ISO Guidance
Equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network. [§ 11.4.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
The ability of users to connect across shared networks should be restricted. User access should be based on business requirements and the access control policy. [Annex A.11.4.6, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network. [§ 11.4.3, ISO/IEC 27002 Code of practice for information security management, 2005]
¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas.
When considering network connections, all those persons in the organization who have responsibilities associated with the connections should be clear about the business requirements and benefits. In addition, they and all other users of the connections should be aware of the security risks to, and related safeguard areas for, such network connections. The business requirements and benefits are likely to influence many decisions and actions taken in the process of considering network connections, identifying potential safeguard areas, and then eventually selecting, designing, implementing and maintaining security safeguards. Thus, these business requirements and benefits need to be kept in mind throughout the process. In order to identify the appropriate network related security requirements and safeguard areas, the following tasks will need to be completed:
• review the general security requirements for network connections as set out in the organization's corporate IT security policy (see clause 8),
• review the network architectures and applications that relate to the network connections, to provide the necessary background to conduct subsequent tasks (see clause 9),
• identify the type or types of network connection that should be considered (see clause 10),
• review the characteristics of the networking proposed (aided as necessary by the information available on network and application architectures), and the associated trust relationships (see clause 11),
• determine the related types of security risk, where possible with the help of risk analysis and management review results - including consideration of the value to business operations of the information to be transferred via the connections, and any other information potentially accessible in an unauthorized way through these connections (see clause 12),
• identify the references to the potential safeguard areas that may be appropriate, on the basis of the type(s) of network connection, the networking characteristics and associated trust relationships, and the types of security risk, determined (see clause 13),
• document and review security architecture options (see clause 14),
• prepare to allocate tasks for the detailed safeguard selection, design, implementation and maintenance, using the identified references to potential safeguard areas and the agreed security architecture (see clause 15).
¶ 9.2 Types of Networks. Depending on the area they cover, networks can be categorized as:
• Local Area Networks (LAN), which are used to interconnect systems locally,
• Metropolitan Area Networks (MAN), which are used to interconnect systems in a metropolitan range,
• Wide Area Networks (WAN), which are used to interconnect systems in wider areas than MANs, up to a world wide coverage.
¶ 10 Table 1 Clause 10.1. Type of network connection: connection within a single controlled location of an organization. Descriptive example: interconnection between different parts of the same organization within the same controlled location, i.e. a single controlled building or site.
¶ 10 Table 1 Clause 10.2. Type of network connection: connection between different geographically disparate parts of the same organization. Descriptive example: interconnection between regional offices (and/or regional offices with a headquarters site) within a single organization across a wide area network. In this type of network connection, most if not all users are able to access the IT systems available via the network, but not all users within the organization would have authorization for access to all applications or information (i.e. each user's access would only be in accordance with privileges granted). One type of access from another part of the organization could be for remote maintenance purposes. There might be more access privileges assigned to this type of user and connection.
¶ 10 Table 1 Clause 10.3. Type of network connection: connections between an organization site and personnel working in locations away from the organization. Descriptive example: use of mobile data terminals by employees (e.g. a salesperson verifying stock availability from a customer site) or the establishment of remote links to an organization's computing systems by employees working from home or other remote sites not linked via a network maintained by the organization. In this type of network connection, the user is authorized as a system user on his local system.
¶ 10 Table 1 Clause 10.4. Type of network connection: connections between different organizations within a closed community, e.g. because of contractual or other legally binding situations, or of similar business interests, e.g. banking or insurance. Descriptive example: interconnection between two or more organizations where there is a business need to facilitate inter-organizational electronic transactions (e.g. electronic funds transfer in the banking industry). This type of network connection is similar to 10.2 above, except that the sites being interconnected belong to two or more organizations, and the connection is not intended to provide access to the full range of applications utilized by each of the participating organizations.
¶ 10 Table 1 Clause 10.5. Type of network connection: connections with other organizations. Descriptive example: access to remote databases held by other organizations (e.g. through service providers). In this type of network connection, all users, including those of the connecting organization, are individually pre-authorized by the external organization whose information is being accessed. However, although all users are pre-authorized, there may be no screening of potential users other than in relation to their ability to pay for the services being offered. There could also be access to applications on the organization's systems that store or process the organizational information that may be provided to users from external organizations. In this circumstance, the external users would be known and authorized. One type of access from another organization could be for remote maintenance purposes. There might be more access privileges assigned to this type of user and connection.
¶ 10 Table 1 Clause 10.6. Type of network connection: connections with the general public domain. Descriptive example: user access to public access databases, Web sites, and/or electronic mail facilities (e.g. via the Internet), where the access is initiated for purposes such as the retrieval of information or the sending of information from/to persons and/or sites which have not been specifically pre-authorized by the organization. In this type of connection, the organization's users may be utilizing this facility for organizational (possibly even private) purposes; however, the organization may have little, if any, control over the information being transmitted. Access could also be initiated by external users to the organization's facilities (e.g. via the Internet). In this type of network connection, access by the individual external users has not been specifically pre-authorized by the organization.
¶ 13.2 Secure Service Management should be implemented for network security.
¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and operation, of security. These activities should take place to ensure the security of all of an organization's IT. With regard to network connections, management activities should include:
• definition of all responsibilities related to the security of network connections, and designation of a security manager with overall responsibility,
• documented system security policy, and accompanying documented technical security architecture,
• documented security operating procedures (SecOPs),
• the conduct of security compliance checking, to ensure security is maintained at the required level,
• documented security conditions for connection to be adhered to before connection to an organization or community is permitted,
• documented security conditions for users of network services,
• a security incident handling scheme,
• documented and tested business continuity/disaster recovery plans.
¶ 13.3.4 Remote System Identification. As implied in clause 13.3.3 above, where relevant, authentication should be enhanced by verification of the system (and its location/access point) from which external access is made.
It should be recognized that different network architectures can offer differing identification capabilities. Thus the organization may achieve enhanced identification by choosing an appropriate network architecture. All security safeguard capabilities of the chosen network architecture should be considered.
¶ 13.5 Intrusion Detection. As network connections increase, it will become easier for intruders to:
• find multiple ways to penetrate an organization's IT systems and networks,
• disguise their initial point of access, and
• access through networks and target internal IT systems.
Further, intruders are becoming more sophisticated, and more advanced methods of attack and tools are easily available on the Internet or in the open literature. Indeed, many of these tools are automated, can be very effective, and are easy to use, including by persons with limited experience.
For most organizations it is economically impossible to prevent all potential penetrations. Consequently, some intrusions are likely to occur. The risks associated with most of these penetrations can be addressed through the implementation of good identification and authentication, logical access control, and accounting and audit safeguards, together with an intrusion detection capability. Such a capability provides the means to predict intrusions, to identify intrusions in real time and to raise appropriate alarms. It also enables local collection of information on intrusions, and subsequent consolidation and analysis, as well as analysis of an organization's normal IT patterns of behavior/usage.
In many situations it may be clear that some unauthorized or unwanted event is happening. It could be a slight degradation in services for apparently unknown reasons, or it could be an unexpected number of accesses at unusual times, or it could be the denial of specific services. In most situations it is important to know the cause, severity and scope of the intrusion as soon as possible.
It should be noted that this capability is more sophisticated than the audit trail analysis tools and methods that are implied in clause 13.4 above and the related clause of Part 4 of TR 13335. The more effective intrusion detection capabilities use special post-processors that are designed to use rules to automatically analyze past activities recorded in audit trails and other logs to predict intrusions, and to analyze audit trails for known patterns of malicious behavior or behavior which is not typical of normal usage.
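The two kinds of rule the clause distinguishes, matching audit records against a known pattern of malicious behavior and flagging behavior that departs from a learned baseline of normal usage, are shown below as an added worked example. It is not part of ISO/IEC 13335-5 or of the UCF text; the log format, the field names, the sample records and the thresholds (five failures in sixty seconds, hour-of-day baseline) are assumptions made for illustration.

```python
"""Rule-based post-processing of an audit trail (added example, not from the
standard). Two detectors run over constructed sample records: a signature rule
for a known attack pattern and a baseline-deviation rule for atypical usage."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record layout: "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> <user> <source>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) (?P<user>\S+) (?P<src>\S+)$"
)

# Constructed known-good period (not real data): alice, bob and carol log in
# on weekdays 5-9 Feb 2024 at 09:00, 13:00 and 17:00 from internal addresses.
BASELINE_LINES = "\n".join(
    f"2024-02-{day:02d}T{hour:02d}:00:00 LOGIN_OK {user} 10.0.0.{n}"
    for day in range(5, 10)
    for hour in (9, 13, 17)
    for n, user in enumerate(("alice", "bob", "carol"), start=5)
)

# Constructed records for the period under review, including one malformed line.
CURRENT_LINES = """\
2024-03-04T09:02:11 LOGIN_OK alice 10.0.0.5
2024-03-04T09:05:40 LOGIN_OK bob 10.0.0.6
2024-03-04T13:04:55 LOGIN_OK carol 10.0.0.7
2024-03-04T13:31:02 LOGIN_FAIL alice 10.0.0.99
2024-03-04T13:31:05 LOGIN_FAIL bob 10.0.0.99
2024-03-04T13:31:09 LOGIN_FAIL carol 10.0.0.99
2024-03-04T13:31:12 LOGIN_FAIL dave 10.0.0.99
2024-03-04T13:31:16 LOGIN_FAIL carol 10.0.0.99
2024-03-04T13:31:21 LOGIN_OK carol 10.0.0.99
2024-03-04T14:00:03 LOGIN_OK dave 198.51.100.9
this line is deliberately malformed and must be skipped by the parser
2024-03-05T03:17:30 LOGIN_OK alice 203.0.113.20
"""


def parse(lines):
    """Return (datetime, event, user, src) tuples; unparseable lines are dropped."""
    out = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]))
    return out


def signature_alerts(records, threshold=5, window=timedelta(seconds=60)):
    """Known-pattern rule: `threshold` failures from one source inside `window`
    is a password-guessing signature. A later success from the same source is
    escalated separately, since the guessing may have succeeded."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for ts, event, user, src in records:
        q = recent[src]
        if event == "LOGIN_FAIL":
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, f"{len(q)} failures in {window.seconds}s"))
        elif event == "LOGIN_OK" and src in flagged:
            alerts.append(("success_after_brute_force", src, f"user {user}"))
    return alerts


def learn_baseline(records):
    """Per-user set of hours-of-day with successful logins in the known-good period."""
    hours = defaultdict(set)
    for ts, event, user, _ in records:
        if event == "LOGIN_OK":
            hours[user].add(ts.hour)
    return hours


def anomaly_alerts(records, baseline):
    """Deviation rule: a success by a user with no baseline at all, or at an
    hour in which that user was never active during the baseline period."""
    alerts = []
    for ts, event, user, src in records:
        if event != "LOGIN_OK":
            continue
        seen = baseline.get(user)
        if seen is None:
            alerts.append(("unknown_user", user, f"login from {src}"))
        elif ts.hour not in seen:
            alerts.append(("off_hours_login", user, f"{ts.isoformat()} from {src}"))
    return alerts


def run(current=CURRENT_LINES, baseline=BASELINE_LINES):
    """Apply both rule sets and return their alerts keyed by rule family."""
    records = parse(current)
    return {
        "signature": signature_alerts(records),
        "anomaly": anomaly_alerts(records, learn_baseline(parse(baseline))),
    }


if __name__ == "__main__":
    for family, alerts in run().items():
        for kind, subject, detail in alerts:
            print(f"{family:9} {kind:26} {subject:14} {detail}")
```

Note what each rule family misses on this input: the attacker's eventual success as carol falls at 13:31, inside her normal hours, so only the signature rule sees it, while the 03:17 login as alice and the login by a user with no history are invisible to the signature rule and caught only by the baseline comparison. This is why the clause treats the two as complementary rather than alternatives.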
¶ 13.12 Virtual Private Networks. A Virtual Private Network (VPN) is a private network which is implemented by using the infrastructure of already existing networks. From a user perspective a VPN behaves like a private network, and offers similar functionality and services.
In VPNs, cryptographic techniques are used to implement security functionality and services, especially if the network on which the VPN is built is a public network (for example, the Internet). In most implementations the communications links between the participants are encrypted to ensure confidentiality, and authentication protocols are used to verify the identity of the systems connected to the VPN. Typically, the encrypted information travels through a secure 'tunnel' that connects to an organization's gateway, with the confidentiality and integrity of the information maintained. The gateway then identifies the remote user and lets the user access only the information they are authorized to receive.
As for all private networks, it is very important to implement adequate security measures on all systems connected to a VPN, for example to ensure that only authorized links to other networks are possible.
A VPN may be used in various situations, such as to:
• implement remote access to an organization from mobile or off-site employees,
• link different locations of an organization together, including redundant links to implement a fall-back infrastructure,
• set up connections to an organization's network for other organizations/business partners. [¶ 7.2, ¶ 9.2, ¶ 10 Table 1 Clause 10.1, ¶ 10 Table 1 Clause 10.2, ¶ 10 Table 1 Clause 10.3, ¶ 10 Table 1 Clause 10.4, ¶ 10 Table 1 Clause 10.5, ¶ 10 Table 1 Clause 10.6, ¶ 13.2, ¶ 13.2.1, ¶ 13.3.4, ¶ 13.5, ¶ 13.12, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
ITIL Guidance
[§ 4.2.4.2, OGC ITIL: Security Management]
General Guidance
The organization should implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. [AI3.2, CobiT, Version 4.1]
Wireless access points should be configured for low power, located to minimize interference, assigned a unique Service Set Identifier (SSID), and managed and configured from a central location. Wireless access should be protected by access control mechanisms, device authentication, user authentication, and encryption between the wireless device and the wireless access point. The encryption key should be changed regularly. Network access points should be disabled on network devices until they are required. Web servers used to support applications should be prevented from initiating connections to the Internet. The connection method for third party connections should be restricted. [SM6.5.4(a), CB6.4.2(d), NW1.2.2(f), NW2.4.3, NW2.4.5, NW2.4.6, NW3.4.4(b), SD4.6.3(d), The Standard of Good Practice for Information Security]
EU Guidance
[§ I.16, OECD / World Bank Technology Risk Checklist, Version 7.3]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
