Network configuration

Status: Live

The organization will ensure that network standards and procedures specify methods of controlling the technical aspects of the network (e.g. network design, traffic management, network monitoring). [UCF ID 00530]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Maintain up to date network diagrams [UCF Control ID 00531]
    Segregate security restricted servers into their own domain [UCF Control ID 00533]
    Plan for, and have approved, all network changes [UCF Control ID 00534]
    Scan for unknown workstations and other network devices and default deny access [UCF Control ID 00536]
    Place intrusion detection and intrusion response systems in network locations where they will be the most effective [UCF Control ID 04589]
    If the network can be accessed through outside WLAN services, ensure that the service is configured for information assurance [UCF Control ID 00751]

Authority documents complied with:

FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 1.7; FFIEC IT Examination Handbook – Information Security, Pg 38, Pg 82; FFIEC IT Examination Handbook – Operations, July 2004, Pg 9, Pg 10, Pg 28; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 33; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 2.2.b; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-23.c; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-700.a; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 2.1.3, § 2.1.7; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 3.9; Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1, § 4.2.2; The Standard of Good Practice for Information Security, SM6.5.3(a), NW1.2.2, NW1.3.3(d), NW2.1.2(e), NW2.1.2(f), NW2.1.5, NW2.3.1(b); Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1, § 3.1.1; The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005, § 2.3.1 (2.3.1.020); The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0, v1.0 April 2005, § 1.2 (2.3.1.020); The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0, April 2005, § 1.2 (2.3.1.020); The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0, April 2005, § 1.2 (2.3.1.020); DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 2.1, § 3, § 6; ISO 17799:2005 Code of Practice for Information Security Management, § 10.9.1; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.10.9.1; ISO/IEC 27002-2005 Code of practice for information security management, § 10.9.1; OGC ITIL: Security Management, § 4.2.4.2; Australian Government ICT Security Manual (ACSI 33), § 3.10.5, § 3.10.8; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 2.2(b); Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1, § 6.3.1; Archer Control Table, ATCS-166, ATCS-188, ATCS-353, ATCS-356, ATCS-358, ATCS-382, ATCS-766

Banking and Finance Guidance

[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Obj 1.7, FFIEC IT Examination Handbook – E-Banking, August 2003]

The network configuration should include identifying the applications and systems accessed over the network and all access points; mapping the connectivity between network segments; defining the minimum network access requirements; and determining the configuration that best balances security and performance. The network should be designed so that it can be effectively monitored: by using security domains; deploying sensors to identify anomalous traffic and policy violations; implementing logging; listing which communications are permitted between computers; protecting the logs; and allowing additional sensors to be added when needed. [Pg 38, Pg 82, FFIEC IT Examination Handbook – Information Security]

The organization should maintain an up-to-date network configuration. The network configuration documentation should have enough detail for the organization to troubleshoot any problems, help the organization recover after a disruption, and aid in planning for any expansions to the network. The network configuration document should include all internal and external connections; the types of network connectivity; the bandwidth of the connections; all secure communications channels; installed network security systems (firewalls, intrusion detection systems); telecommunications service providers; and what information is available and where it is stored. Administrators should review the installed network devices on a regular basis to identify any that are acting as packet sniffers. [Pg 9, Pg 10, Pg 28, FFIEC IT Examination Handbook – Operations, July 2004]

The network should be configured to protect the retail payment system from unauthorized access. [Pg 33, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Payment Card Guidance

The organization must develop configuration standards that address all known vulnerabilities and are consistent with industry-accepted hardening standards. Examine the network configuration standard to verify it is consistent with industry-accepted hardening standards, such as NIST, SANS, and/or CIS, and verify that new systems are configured according to the organizational configuration standards. [§ 2.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

The organization must develop standards that address all known vulnerabilities and use any of the industry accepted hardening standards. [§ 2.2(b), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

When a single accreditor accredits multiple interconnected networks, the accreditation should address communications integrity (authentication and nonrepudiation), compromise protection (data and traffic-flow confidentiality, and the ability to route transmissions selectively over the network), and denial-of-service characteristics (continuity of operations and network management). [§ 2-23.c, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The cognizant security authority must review the security attributes of each network being connected to ensure the combination of data and/or users does not require a higher protection level. [§ 8-700.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

FIPS 191 discusses the problems a LAN faces when it must protect sensitive data. Vulnerabilities it lists include improper access-control settings, data or application source code stored unencrypted, monitors viewable from high-traffic areas, printer stations in high-traffic areas, and data and software backup copies stored in open areas. Disruptions to LAN functions may come from an inability to detect unusual traffic patterns, an inability to reroute traffic, single-point-of-failure configurations, unauthorized changes to hardware components, improper maintenance, and poor physical security. The implication is that a well-designed network configuration defends against or avoids most, if not all, of these problems. [§ 2.1.3, § 2.1.7, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

NIST Guidance

Where servers are placed in a firewall environment depends on the number of DMZs, the external and internal access each server requires, the volume of traffic, and the sensitivity of the data served. Externally accessible servers should be placed in a DMZ protected by a boundary router or packet filter, never on the protected internal network. Internal servers should sit behind internal firewalls configured to the sensitivity of the data they hold, and every server should be isolated so that a successful attack on it does not affect the rest of the network. [§ 3.9, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]

When working to prevent denial of service attacks, network perimeters should be configured to deny all incoming and outgoing traffic that is not expressly permitted. [§ 4.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1]
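As an added illustration, and not part of the UCF page or of NIST SP 800-41 and SP 800-61 themselves, the following nftables ruleset puts the two points above into a concrete form: a boundary filter whose inbound and outbound transit policy is deny-by-default, externally reachable servers confined to a DMZ, and internal servers reachable from the DMZ only on the single port they need. The interface names, address ranges, host addresses and ports are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the UCF page or its cited sources).
# Interface names, networks and hosts below are assumptions for illustration.
flush ruleset

define WAN      = "eth0"
define DMZ      = "eth1"
define LAN      = "eth2"
define DMZ_NET  = 192.0.2.0/24      # externally reachable servers live here only
define LAN_NET  = 10.10.0.0/16      # protected network: never reachable from WAN
define WEB_SRV  = 192.0.2.10        # public web server in the DMZ
define DB_SRV   = 10.10.5.20        # internal database behind the inner filter
define MGMT_NET = 10.10.99.0/24     # admin hosts allowed to manage DMZ servers

table inet perimeter {
    chain input {
        # Traffic addressed to the firewall itself: drop unless explicitly allowed.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Management of the firewall only from the admin subnet, only over SSH.
        iifname $LAN ip saddr $MGMT_NET tcp dport 22 accept
        # Log what the policy rejects so log review and sensors can see it.
        limit rate 10/second log prefix "fw-input-drop: "
    }

    chain forward {
        # Transit traffic: deny all inbound and outbound not expressly permitted
        # (the SP 800-61 §4.2.2 posture). "policy drop" is the default verdict.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published service on the public web server.
        iifname $WAN oifname $DMZ ip daddr $WEB_SRV tcp dport { 80, 443 } accept

        # DMZ -> LAN: only the web server, only to the database port. A
        # compromised DMZ host gets nothing else, which is the SP 800-41 §3.9
        # point that an attack on a server must not reach the rest of the network.
        iifname $DMZ oifname $LAN ip saddr $WEB_SRV ip daddr $DB_SRV tcp dport 5432 accept

        # DMZ -> Internet: egress is also explicit; here only DNS for the DMZ.
        iifname $DMZ oifname $WAN ip saddr $DMZ_NET udp dport 53 accept

        # LAN -> DMZ: admin hosts may reach DMZ servers for management.
        iifname $LAN oifname $DMZ ip saddr $MGMT_NET tcp dport { 22, 443 } accept

        # LAN -> Internet: an egress allow-list, not "anything out".
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET udp dport 53 accept

        # Internet -> LAN is deliberately absent: the protected network hosts no
        # externally accessible servers, so no rule is ever written for it.
        limit rate 10/second log prefix "fw-forward-drop: "
    }
}
```

Load the file with nft -f and review the result with nft list ruleset. Note that the protected network is unreachable from the Internet because no rule permits it, not because a rule blocks it: the chain's policy drop rejects everything not listed, so a rule added later by mistake is the only way such access can appear, and the rate-limited log lines give the monitoring described in the FFIEC guidance above something to alert on.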

Virtual private networks (VPNs) that are being used to protect the confidentiality of WLAN communications should be configured to use FIPS-validated algorithms. [§ 6.3.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, Revision 1]

System Configuration Guidance

A network bridge joins two dissimilar networks. The connection is transparent, and addresses on one network become visible on the other. The Network Bridge feature should not be enabled, because it can expose the network to additional threats. [§ 3.1.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1]

Other Configuration Guidance

Traffic over the WLAN should be monitored by an intrusion detection system (IDS) or intrusion prevention system (IPS). If this is not possible, ensure that Remote Management has been disabled. [§ 2.3.1 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005]

The organization should choose products that support security management solutions on a network level. [§ 1.2 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0, v1.0 April 2005]

The organization should choose products that support security management solutions on a network level. [§ 1.2 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0, April 2005]

The organization should choose products that support security management solutions on a network level. [§ 1.2 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0, April 2005]

Webmail application servers must be configured according to the Web Services STIG and the appropriate operating system STIG. The Network Infrastructure STIG and Enclave STIG must be followed for all network, device security, remote access, and architectural requirements. [§ 2.1, § 3, § 6, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]

ISO Guidance

Electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentiality, integrity, and receipt of documents; the level of confidence for various sensitive documents; verification for payment; keeping confidentiality and integrity of orders; avoiding loss or duplication of transactions; liability due to fraudulent transactions; and insurance requirements. [§ 10.9.1, ISO 17799:2005 Code of Practice for Information Security Management]

Procedures should be in place to protect all electronic commerce information transmitted over public networks. These procedures should cover the following situations: fraudulent activity and unauthorized disclosure and modification, as well as contract disputes. [Annex A.10.9.1, ISO 27001:2005, Information Security Management Systems - Requirements]

Electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentiality, integrity, and receipt of documents; the level of confidence for various sensitive documents; verification for payment; keeping confidentiality and integrity of orders; avoiding loss or duplication of transactions; liability due to fraudulent transactions; and insurance requirements. [§ 10.9.1, ISO/IEC 27002-2005 Code of practice for information security management]

ITIL Guidance

[§ 4.2.4.2, OGC ITIL: Security Management]

General Guidance

Networks should be designed and configured to incorporate an understandable set of technical standards, comply with regulations, minimize points of failure, support naming conventions, employ firewalls, enable audit trails and network reports, use security domains, prevent unauthorized devices from connecting, restrict the number of entry points, enable the network to be remotely configured, allow end-to-end network management, restrict access, integrate the network with other access-control mechanisms, and use a secure setup configuration upon boot. Equipment and software versions should be consistent across the network. Network devices should be reviewed regularly in order to verify that the network configurations are correct. [SM6.5.3(a), NW1.2.2, NW1.3.3(d), NW2.1.2(e), NW2.1.2(f), NW2.1.5, NW2.3.1(b), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

The network configuration should be kept under the control of a central network management authority. The network should be configured to minimize the opportunity for information to be accessed without authorization while in transit. This should be accomplished by use of firewalls, routers, switches, and/or encryption. [§ 3.10.5, § 3.10.8, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems for which approved configuration settings have been implemented as required by policy [UCF Control ID 02097]
    Report on the percentage of systems with configurations that do not deviate from approved standards [UCF Control ID 02098]
    Establish and maintain a networks and firewalls metrics management program [UCF Control ID 02082]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.