The organization will ensure that network standards and procedures specify methods of controlling the technical aspects of the network (e.g., network design, traffic management, network monitoring). [UCF ID 00530]
Supporting and supported controls
This control directly supports:
• Ensure network access points are identified and controlled [UCF Common Control ID 00529]
This control has the following supporting controls:
• Maintain up to date network diagrams [UCF Common Control ID 00531]
• Segregate security restricted servers into their own domain [UCF Common Control ID 00533]
• Plan for, and have approved, all network changes [UCF Common Control ID 00534]
• Scan for unknown workstations and other network devices and default deny access [UCF Common Control ID 00536]
• Place intrusion detection and intrusion response systems in network locations where they will be the most effective [UCF Common Control ID 04589]
• If the network can be accessed through outside WLAN services, ensure that the service is configured for information assurance [UCF Common Control ID 00751]
Authority documents complied with:
Australian Government ICT Security Manual (ACSI 33) § 3.10.5, 3.10.8; FFIEC IT Examination Handbook – Information Security Pg 38, Pg 82; FFIEC IT Examination Handbook – Audit Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Operations Pg 9, Pg 10, Pg 28; FFIEC IT Examination Handbook – Retail Payment Systems Pg 33; FFIEC IT Examination Handbook – E-Banking Obj 1.7; The Standard of Good Practice for Information Security SM6.5.3(a), NW1.2.2, NW1.3.3(d), NW2.1.2(e), NW2.1.2(f), NW2.1.5, NW2.3.1(b); ISO 17799:2005 Code of Practice for Information Security Management § 10.9.1; ISO 27001:2005, Information Security Management Systems - Requirements § A.10.9.1; ISO/IEC 27002-2005 Code of practice for information security management § 10.9.1; OGC ITIL: Security Management 4.2.4.2; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 3.9; Computer Security Incident Handling Guide, NIST SP 800-61 § 4.2.2; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST Special Publication 800-48 Revision 1 § 6.3.1; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97 ?; Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124 ?; The Center for Internet Security Wireless Networking Benchmark version 1.0 § 2.3.1 (2.3.1.020); The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0 § 1.2 (2.3.1.020); The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0 § 1.2 (2.3.1.020); The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0 § 1.2 (2.3.1.020); DISA Wireless STIG Windows Mobile Messaging Checklist Version 5, Release 2.3 ?; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.1 ?; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.1 ?; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2 2.1, 3, 6; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 2.2(b); Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 2.2(b); Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 § 3.1.1; FIPS 191, Guideline for the Analysis of LAN Security 2.1.3, 2.1.7; Army Regulation 380-19: Information Systems Security § 2-23.c
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Retail Payment Systems Pg 33 states that the network should be configured to protect the retail payment system from unauthorized access.
Credit Card Guidance
§ 2.2 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must develop standards that address all known vulnerabilities and use any of the industry accepted hardening standards.
§ 2.2(b) of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must develop standards that address all known vulnerabilities and use any of the industry accepted hardening standards.
US Federal Security Guidance
FIPS Publication 191 § 2.1.3 discusses problems that may be encountered when a LAN must protect sensitive data. Potential vulnerabilities mentioned include improper access control settings, data or application source code stored in unencrypted form, monitors viewable from high-traffic areas, printer stations in high-traffic areas, and data and software backup copies stored in open areas.
§ 2.1.7 describes ways in which LAN functions may be disrupted: inability to detect unusual traffic patterns, inability to reroute traffic, single-point-of-failure configurations, unauthorized changes to hardware components, improper maintenance, and poor physical security. The implication is that good network configuration will defend against or avoid most, if not all, of these problems.
§ 2-23.c of Army Regulation 380-19: Information Systems Security states that accreditation of multiple networks by a single individual should include communications integrity (authentication and nonrepudiation), compromise protection (data and traffic flow confidentiality and selectively route transmissions over the network), and denial of service characteristics (continuity of operations and network management).
NIST Guidance
NIST 800-41 § 3.9 says that where servers are placed in a firewall environment depends on the number of DMZs, the external and internal access required for the servers located on the DMZ, the amount of traffic, and the sensitivity of the data served. Externally accessible servers should be protected by a boundary router/packet filter and should not be placed on the protected network. Internal servers should sit behind internal firewalls configured to the appropriate level of sensitivity, and servers should be isolated so that attacks on them will not have a negative impact on the rest of the network.
NIST 800-61 § 4.2.2 mentions that when working to prevent denial of service attacks, network perimeters should be configured to deny all incoming and outgoing traffic that is not expressly permitted.
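The two NIST points above, a perimeter that drops every inbound and outbound flow not expressly permitted (SP 800-61 § 4.2.2) and a placement rule that keeps externally accessible servers in a DMZ rather than on the protected network (SP 800-41 § 3.9), are easier to reason about when the policy is written down and checked mechanically. The following Python is an added illustration of that, not UCF or NIST material: it models a three-zone design (an assumption), evaluates constructed sample flows against an explicit allow-list with default deny, and lints the server inventory and rules for placement mistakes. All addresses, host names and rules are constructed sample data.

```python
"""Default-deny perimeter policy and DMZ placement check.

Added illustration (not UCF or NIST material). Models NIST SP 800-61 § 4.2.2
(deny all inbound and outbound traffic not expressly permitted) and
NIST SP 800-41 § 3.9 (externally accessible servers belong in a DMZ, never on
the protected internal network). Zones, hosts and rules are constructed sample
data; the three-zone layout is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones. 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside the known ranges is external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    """One expressly permitted flow between zones (protocol and destination port)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit allow-list. Absence of a match means drop, in both directions.
ALLOW = [
    Rule("external", "dmz", "tcp", 443),       # Internet to the public web tier
    Rule("dmz", "internal", "tcp", 5432),      # web tier to the database, one port
    Rule("internal", "external", "tcp", 443),  # outbound HTTPS from the inside
]


def is_permitted(rules, src: str, dst: str, proto: str, dport: int) -> bool:
    """Default deny: a flow passes only if some rule expressly permits it.
    Traffic within a single zone never crosses the perimeter and is not modelled."""
    flow = Rule(zone_of(src), zone_of(dst), proto.lower(), dport)
    return flow in rules


def evaluate(rules, flows):
    """Return (flow, verdict) pairs for a batch of sample flows."""
    return [(flow, is_permitted(rules, *flow)) for flow in flows]


def placement_findings(rules, public_servers) -> list[str]:
    """Lint the design against SP 800-41 § 3.9: every externally accessible server
    sits in the DMZ, and no rule opens the protected network directly to the outside."""
    findings = []
    for host, name in public_servers.items():
        if zone_of(host) != "dmz":
            findings.append(f"{name} ({host}) is externally accessible but sits in zone '{zone_of(host)}'")
    for r in rules:
        if r.src_zone == "external" and r.dst_zone == "internal":
            findings.append(f"rule allows external -> internal on {r.proto}/{r.dport}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dport).
    sample_flows = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # permitted: public HTTPS
        ("203.0.113.7", "192.0.2.10", "tcp", 22),    # dropped: SSH not listed
        ("203.0.113.7", "10.10.5.20", "tcp", 5432),  # dropped: Internet to internal
        ("10.10.5.20", "203.0.113.9", "tcp", 25),    # dropped: unlisted outbound
    ]
    for flow, ok in evaluate(ALLOW, sample_flows):
        print("PERMIT" if ok else "DROP  ", flow)
    # Constructed inventory with a deliberate mistake: a public server placed internally.
    bad_inventory = {"192.0.2.10": "web-frontend", "10.10.5.30": "legacy-ftp"}
    for finding in placement_findings(ALLOW, bad_inventory):
        print("FINDING:", finding)
```

The point of keeping the allow-list as data is that both checks read the same source: the evaluator answers "would this flow pass?", and the linter answers "does the rule set or inventory violate the placement rule?", so a change request that adds an external-to-internal rule is caught before it reaches a firewall.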
§ 6.3.1 of Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST Special Publication 800-48 Revision 1 states that virtual private networks (VPNs) that are being used to protect the confidentiality of WLAN communications should be configured to use FIPS-validated algorithms.
Systems security checklist guidance
The Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 § 3.1.1 states that a network bridge allows two dissimilar networks to be joined. The connection is transparent, but the address of the network is visible on the other network. A bridge should not be implemented because it can expose the network to additional threats.
General security checklist guidance
§ 2.3.1 (2.3.1.020) of The Center for Internet Security Wireless Networking Benchmark version 1.0 states that traffic over the WLAN should be monitored by an intrusion detection system or intrusion protection system. If this is not possible, ensure Remote Management has been disabled.
§ 1.2 (2.3.1.020) of The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, version 1.0 states that the organization should choose products that support security management solutions on a network level.
§ 1.2 (2.3.1.020) of The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0 states that the organization should choose products that support security management solutions on a network level.
§ 1.2 (2.3.1.020) of The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0 states that the organization should choose products that support security management solutions on a network level.
Sections 2.1, 3, and 6 of the DISA Secure Remote Computing Security Technical Implementation Guide version 1.2 state that webmail application servers must be configured according to the Web Services STIG and the appropriate operating system STIG. The Network Infrastructure STIG and Enclave STIG must be followed for all network, device security, remote access, and architectural requirements.
International Standards Organization Guidance
The ISO/IEC 27002-2005 Code of practice for information security management § 10.9.1 states that electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentiality, integrity, and receipt of documents; the level of confidence for various sensitive documents; verification for payment; keeping confidentiality and integrity of orders; avoiding loss or duplication of transactions; liability due to fraudulent transactions; and insurance requirements.
The ISO 27001:2005 Information Security Management Systems - Requirements § A.10.9.1 states that procedures should be in place to protect all electronic commerce information transmitted over public networks. These procedures should cover the following situations: fraudulent activity and unauthorized disclosure and modification, as well as contract disputes.
The ISO 17799:2005 Code of Practice for Information Security Management § 10.9.1 states that electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentiality, integrity, and receipt of documents; the level of confidence for various sensitive documents; verification for payment; keeping confidentiality and integrity of orders; avoiding loss or duplication of transactions; liability due to fraudulent transactions; and insurance requirements.
Asia and Pacific Rim Guidance
The Australian Government ICT Security Manual (ACSI 33) § 3.10.5 and 3.10.8 state that the network configuration should be kept under the control of a central network management authority. The network should be configured to minimize the opportunity for information to be accessed without authorization while in transit. This should be accomplished by use of firewalls, routers, switches, and/or encryption.
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of systems for which approved configuration settings have been implemented as required by policy [UCF Common Control ID 02097]
• Report on the percentage of systems with configurations that do not deviate from approved standards [UCF Common Control ID 02098]
• Establish and maintain a networks and firewalls metrics management program [UCF Common Control ID 02082]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
