Establish and maintain a networks and firewalls management metrics program.

UCF ID: 02082
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy. [UCF Control ID 02116]
    Report on the percentage of remote access points used to gain unauthorized access. [UCF Control ID 04572]
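The first supporting control is a metric, so a practitioner needs something that actually produces the number: a routine that evaluates each firewall's rule set against the written policy and reports the percentage that comply, broken down by firewall class. The following is an added example, not code from the UCF page or from ISO/IEC 13335-4; the policy rules (default deny, no allow any-to-any-on-any-port, management ports reachable only from an assumed admin subnet `ADMIN_NET`), the four firewall classes, the `Rule`/`Firewall` data format and the sample fleet are all assumptions constructed for illustration.

```python
"""
Added example (not part of the UCF control text or ISO/IEC 13335-4):
compute the metric behind UCF Control ID 02116, the percentage of
workstation, host, sub-network and perimeter firewalls configured in
accordance with policy, from a constructed set of firewall rule sets.
The policy checks, firewall classes and rule-set format are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

ADMIN_NET = "10.0.100.0/24"  # assumed management subnet (not from the page)
MGMT_PORTS = {"22", "3389"}  # assumed management ports (SSH, RDP)


@dataclass
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR, host address or "any"
    port: str    # port number as string, or "any"


@dataclass
class Firewall:
    name: str
    cls: str            # "workstation", "host", "subnet" or "perimeter"
    default_action: str  # what happens when no rule matches
    rules: list[Rule]


def violations(fw: Firewall) -> list[str]:
    """Return the policy violations for one firewall; an empty list means
    the firewall is configured in accordance with the assumed policy.
    The check is deliberately conservative: an offending allow rule is
    flagged even if an earlier deny rule would shadow it, because a
    shadowed rule is still a latent misconfiguration."""
    problems: list[str] = []
    if fw.default_action != "deny":
        problems.append("default action is not deny")
    for r in fw.rules:
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            problems.append("allow any -> any : any rule present")
        if r.port in MGMT_PORTS and r.src != ADMIN_NET:
            problems.append(f"management port {r.port} allowed from {r.src}")
    return problems


def compliance_report(fleet: list[Firewall]) -> dict[str, float]:
    """Percentage of compliant firewalls per class plus an 'overall' figure,
    rounded to one decimal place, suitable for a periodic metrics report."""
    totals: dict[str, int] = defaultdict(int)
    compliant: dict[str, int] = defaultdict(int)
    for fw in fleet:
        totals[fw.cls] += 1
        if not violations(fw):
            compliant[fw.cls] += 1
    report = {c: round(100.0 * compliant[c] / totals[c], 1) for c in totals}
    report["overall"] = round(100.0 * sum(compliant.values()) / len(fleet), 1)
    return report


# Constructed sample fleet; addresses are documentation ranges, not real hosts.
FLEET = [
    Firewall("fw-edge-1", "perimeter", "deny", [
        Rule("allow", "any", "203.0.113.10", "443"),
        Rule("allow", ADMIN_NET, "any", "22")]),
    Firewall("fw-edge-2", "perimeter", "deny", [
        Rule("allow", "any", "any", "any")]),          # any/any/any
    Firewall("fw-dmz", "subnet", "allow", [
        Rule("deny", "any", "10.0.20.0/24", "23")]),   # default allow
    Firewall("srv-web-01", "host", "deny", [
        Rule("allow", "any", "10.0.20.5", "443"),
        Rule("allow", "any", "10.0.20.5", "22")]),     # SSH from anywhere
    Firewall("srv-db-01", "host", "deny", [
        Rule("allow", "10.0.10.0/24", "10.0.20.9", "5432")]),
    Firewall("ws-001", "workstation", "deny", []),
    Firewall("ws-002", "workstation", "deny", [
        Rule("allow", "any", "10.0.30.2", "3389")]),   # RDP from anywhere
]

if __name__ == "__main__":
    for fw in FLEET:
        for p in violations(fw):
            print(f"{fw.name} ({fw.cls}): {p}")
    print(compliance_report(FLEET))
```

The per-class breakdown matters more than the overall figure: a 50 % perimeter compliance rate and a 50 % workstation rate carry very different risk, and the metrics program should report them separately rather than letting a large workstation population mask a single non-compliant perimeter firewall.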

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE26; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.4, ¶ 9.2 Table Row “Operational Procedures”, ¶ 10.3.4, ¶ 10.4.15, ¶ 10.4.16

US Federal Security Guidance

The organization must establish and maintain a networks and firewalls metrics management program. [ISPE26, CISWG Information Security Program Elements, January 10, 2005]

ISO Guidance

¶ 8.2.4 Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of network management are listed below.
1. Operational Procedures
The establishment of operational procedures and responsibilities is necessary to ensure the correct and secure operation of networks. This includes the documentation of the operating procedures and the establishment of procedures to react to security relevant incidents.
2. System Planning
In order to ensure reliable functioning and adequate network capacity, advanced planning and preparation, and monitoring (including of loading statistics) should be implemented. Acceptance criteria for new systems should be applied and changes should be controlled and reacted to.
3. Network Configuration
An appropriate network configuration should be implemented for reliable functioning. This includes a standardized approach to the configuration of servers throughout the organization, and good documentation. Servers used for special purposes should be used only for those purposes (e.g. no other tasks should run on a firewall), and sufficient protection from failure should be in place.
4. Network Segregation
In order to minimize the risks and the possibilities of misuse in a network in operation, business areas dealing with critical business issues and information should be kept separate, logically or physically. Likewise, development facilities should be separated from operational facilities.
5. Network Monitoring
Network monitoring should be used to identify the weaknesses within the existing network configuration. It allows for reconfiguration based on traffic analysis and helps to identify attackers.
6. Intrusion Detection
Attempts to gain entry to systems or networks and successful unauthorized entry should be detected so that the organization can respond in an appropriate and effective manner.
¶ 9.2 Table Row “Operational Procedures” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 10.3.4 Masquerading of user identity. An organization should implement safeguards to prevent masquerading of user identity, which can be used to circumvent authentication and all services and security functions that depend on it. Consequently it can lead to integrity problems whenever the masquerade allows access to and modification of information. Safeguards in this area are listed below.
• I&A (Identification & Authentication): Masquerade becomes more difficult if I&A (Identification & Authentication) safeguards based on combinations of something known, something possessed, as well as intrinsic characteristics of users are applied.
• Logical access control and audit: Logical access control cannot distinguish between an authorized user and somebody masquerading as this authorized user, but the use of access control mechanisms in place can reduce the area of impact. Review and analysis of audit logs can detect unauthorized activities.
• Protection against malicious code: One way to acquire passwords is to introduce malicious code that captures them; protection against such software should be in place.
• Network management: Implement network management to prevent unauthorized access by masquerading as a user in traffic, e.g. e-mail.
• Data integrity protection: Additional protection can be provided using cryptographic means like digital signatures.
¶ 10.4.15 Traffic overloading. An organization should implement safeguards that prevent traffic overloading, which threatens the availability of information communicated via these services. Safeguards to protect the availability are listed below.
• Redundancy and Back-ups: Redundant implementation of communication services components can be used to lower the probability of traffic overloading. Depending on the maximal acceptable downtime, standby equipment may also be used to fulfill the requirements. In any case, configuration and layout data should be backed up to ensure availability in case of an emergency.
• Network management: The proper configuration, management and administration of networks and communication services should be used to avoid overloading.
• Network management: Network security can be applied to protect against traffic overloading.
¶ 10.4.16 Transmission errors. An organization should implement safeguards that prevent transmission errors, which can destroy the availability of the information transmitted. Safeguards to protect availability are listed below.
• Cabling: Careful planning and laying of cables can avoid transmission errors, for example, if the error is caused by overloading.
• Network management: Network management cannot protect against transmission errors but can be used to recognize problems occurring from transmission errors and to raise alarms in such cases. This allows timely reaction to these problems.
[¶ 8.2.4, ¶ 9.2 Table Row “Operational Procedures”, ¶ 10.3.4, ¶ 10.4.15, ¶ 10.4.16, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.