1 Network devices must have HTTP service for administrative access disabled.
9 The network device must not allow SSH Version 1 to be used for administrative access.
10 The network device must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
22 The VPN gateway must enable anti-replay for all IPSec security associations.
33 The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.
34 The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
64 The VPN gateway must use Secure Hash Algorithm for IKE cryptographic hashing operations required for authentication and integrity verification.
65 Network devices must have the PAD service disabled.
69 The VPN gateway must ensure traffic from a remote client with an outbound destination does not bypass the enclave's perimeter defense mechanisms deployed for egress traffic.
70 The VPN gateway must use IKE for negotiating and establishing all IPSec security associations.
71 The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 1.
72 The VPN gateway must use IKE main mode for the purpose of negotiating an IPSec security association policy when pre-shared keys are used for authentication.
75 The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.
76 The VPN gateway peer at a remote site must receive all ingress traffic and forward all egress traffic via the IPSec tunnel or other provisioned WAN links connected to the central or remote site.
77 The VPN gateway must use AES for IKE cryptographic encryption operations required to ensure privacy of the IKE session.
82 The network device must log all interface access control list (ACL) deny statements.
83 The network devices must time out access to the console port at 10 minutes or less of inactivity.
Devices can find their startup configuration either in their own NVRAM or access it over the network via TFTP or Remote Copy (rcp). Loading the image from the network is a security risk, since the image could be intercepted by an attacker who could corrupt it, resulting in a denial of service. Configuration auto-loading can be enabled while the device is connected to a non-operational network. Once the device is connected to an operational (i.e. production) network, configuration auto-loading must be disabled.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session established between the managed network device and a PC or terminal server when the latter has been left unattended. In addition, quickly terminating an idle session frees up resources committed by the managed network device and reduces the risk of a management session being hijacked. Setting the session timeout to 10 minutes or less increases the level of protection afforded critical network components.
Situations may arise in which the certificate issued by a Certificate
Authority (CA) may need to be revoked before the lifetime of the
certificate expires. For example, the certificate is known to have been
compromised. To achieve this, a list of certificates that have been revoked,
known as a Certificate Revocation List (CRL), is sent periodically from the
CA to the IPSec gateway. When an incoming Internet Key Exchange (IKE)
session is initiated for a remote client or peer whose certificate is revoked,
the CRL will be checked to see if the certificate is valid; if the certificate is
revoked, IKE will fail and an IPSec security association will not be
established for the remote end-point.
Cisco IOS provides the "small services" that include echo, chargen, and discard. These services, especially their User Datagram Protocol (UDP) versions, are infrequently used for legitimate purposes. However, they have been used to launch denial of service attacks that would otherwise be prevented by packet filtering. For example, an attacker might send a DNS packet, falsifying the source address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If such a packet were sent to the router's UDP echo port, the result would be the router sending a DNS packet to the server in question. No outgoing access list checks would be applied to this packet, since it would be considered locally generated by the router itself. The small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they may be disabled using the commands "no service tcp-small-servers" and "no service udp-small-servers".
RFC 6379 Suite B Cryptographic Suites for IPSec defines four cryptographic
user interface suites for deploying IPSec. Each suite provides choices for
Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). The
four suites are differentiated by the choice of IKE authentication and key
exchange, cryptographic algorithm strengths, and whether ESP is to
provide both confidentiality and integrity or integrity only. The suite
names are based on the Advanced Encryption Standard (AES) mode and
AES key length specified for ESP. Two suites are defined for transporting
classified information up to SECRET level—one for both confidentiality
and integrity and one for integrity only. There are also two suites defined
for transporting classified information up to TOP SECRET level.
When using digital certificates, Internet Key Exchange (IKE) negotiation
between peers is restricted by either manually configuring each peer with
the public key for each peer to which it is allowed to connect, or enrolling
each peer with a Certificate Authority (CA). All peers to which the peer is
allowed to connect must enroll with the same CA server and belong to the
same organization.
All software remote clients must present a DoD approved warning banner prior to allowing access to the VPN. The banner should warn any unauthorized user not to proceed. It should also provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the network is subject to monitoring to detect unauthorized usage. Failure to display the required warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers.
DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems, by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.
Network devices not running the latest tested and approved versions of
software are vulnerable to network attacks. Running the most current,
approved version of system and device software helps the site maintain a
stable base of security fixes and patches, as well as enhancements to IP
security. Viruses, denial of service attacks, system weaknesses, back doors
and other potentially harmful situations could render a system vulnerable,
allowing unauthorized access to DoD assets.
The Security Association (SA) and its corresponding key will expire once the configured number of seconds has elapsed. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure a new SA is ready for use when the old one expires. The longer the lifetime of the Internet Key Exchange (IKE) Security Association, the longer the lifetime of the key used for the IKE session, which is the control plane for establishing IPSec Security Associations. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter IKE lifetime causes IPSec peers to renegotiate IKE more often, resulting in the expenditure of additional resources. Nevertheless, it is imperative that the IKE SA lifetime terminates within 24 hours or less.
The security posture of the remote PC connecting to the enclave via VPN
is vital to the overall security of the enclave. While on-site hosts are
behind the enclave’s perimeter defense, a remote PC is not and
therefore is exposed to many vulnerabilities existing in the Internet when
connected to a service provider via dial-up or broadband connection.
Though it is policy to have a firewall installed on the remote PC according
to the Secure Remote Computing Endpoint STIG (SRC-EPT-405), it is
imperative the VPN gateway enforce the policy to the software client to
verify the firewall is active prior to enabling access to the VPN.
Diffie-Hellman (DH) is a public-key cryptography scheme allowing two parties to establish a shared secret over an insecure communications channel. IKE uses Diffie-Hellman to create keys used to encrypt both the Internet Key Exchange (IKE) and IPsec communication channels. The process works by two peers each generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by combining the other's public key with their own private key using the DH algorithm.
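The exchange described above, as an added example that is not part of the STIG text: two peers each pick a private value, publish g^x mod p, and combine the other's public value with their own private value. The modulus and generator are constructed toy values chosen so the arithmetic stays readable; real IKE uses the RFC 3526 groups (Group 14 is a 2048-bit modulus), and the modulus_bits helper shows how far a toy group falls short of that requirement.

```python
import secrets

# Constructed toy parameters for illustration only. P is the prime 2^31 - 1 and
# 7 is a primitive root of it; neither is a real IKE group, and a 31-bit modulus
# offers no security (STIG item 71 requires Group 14, 2048 bits, or larger).
P = 2147483647
G = 7


def keypair(p: int = P, g: int = G) -> tuple:
    """Generate a peer's private value x and its public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1        # private value in [1, p-2], never sent
    return x, pow(g, x, p)


def shared_secret(my_private: int, peer_public: int, p: int = P) -> int:
    """Combine own private value with the peer's public value: (g^y)^x mod p."""
    return pow(peer_public, my_private, p)


def dh_exchange(p: int = P, g: int = G) -> tuple:
    """Run the exchange for two peers and return the secret each one computed."""
    a_priv, a_pub = keypair(p, g)
    b_priv, b_pub = keypair(p, g)
    # Only a_pub and b_pub cross the insecure channel; an observer who sees both
    # still needs a private value to reproduce the secret.
    return shared_secret(a_priv, b_pub, p), shared_secret(b_priv, a_pub, p)


def modulus_bits(p: int) -> int:
    """Size of the DH modulus in bits, the figure the 'Group 14 or larger' rule is about."""
    return p.bit_length()


if __name__ == "__main__":
    secret_a, secret_b = dh_exchange()
    print("peer A secret:", secret_a)
    print("peer B secret:", secret_b)
    print("secrets match:", secret_a == secret_b)
    print("toy modulus size:", modulus_bits(P), "bits; Group 14 is 2048 bits")
```

Both peers arrive at the same value because (g^a)^b and (g^b)^a are equal modulo p; the security rests on the difficulty of recovering a or b from the public values, which is why the group size, not just the exchange itself, is what the STIG constrains.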
Enabling the password save function requires users to only enter their
password once when establishing the VPN tunnel. After that the software
client will automatically re-enter the password when prompted for
credentials by the VPN gateway.
Berkeley Software Distribution (BSD) "r" commands allow users to execute commands on remote systems using a variety of protocols. The BSD "r" commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) are designed to provide convenient remote access without passwords to services such as remote command execution (rsh), remote login (rlogin), and remote file copy (rcp and rdist). The difficulty with these commands is that they use address-based authentication. An attacker who convinces a server that he is coming from a "trusted" machine can essentially get complete and unrestricted access to a system. The attacker can convince the server by impersonating a trusted machine's IP address, by confusing DNS so that the attacker's IP address maps to a trusted machine's name, or by any of a number of other methods.
The Finger service supports the UNIX Finger protocol, which is used for
querying a host about the users that are logged on. This service is not
necessary for generic users. If an attacker were to find out who is using
the network, they may use social engineering practices to try to elicit
classified DoD information.
Enabling write access to the device via SNMP provides a mechanism that
can be exploited by an attacker to set configuration variables that can
disrupt network operations.
If the keys used for routing protocol authentication are guessed, the
malicious user could create havoc within the network by advertising
incorrect routes and redirecting traffic. Changing the keys frequently
reduces the risk of them eventually being guessed. When configuring
authentication for routing protocols that provide key chains, configure two
rotating keys with overlapping expiration dates, both with 180-day or less
expirations.
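A check for the key-rotation rule just stated, added here as an example and not part of the STIG: it parses the accept-lifetime and send-lifetime lines of a Cisco IOS key chain, flags any key that lives longer than 180 days or never expires, and flags a gap between consecutive keys (a period in which the old key has expired and the new one is not yet accepted, so routing adjacencies would drop). The sample key chain is constructed; the key strings are placeholders, and only the explicit start/end lifetime form and the "infinite" keyword are handled (an assumption; the duration form is not parsed).

```python
from datetime import datetime, timedelta

MAX_KEY_LIFETIME = timedelta(days=180)   # each key must expire within 180 days
TIME_FMT = "%H:%M:%S %b %d %Y"           # IOS lifetime format: hh:mm:ss Mon D YYYY

# Constructed sample (not from a real device). Keys 1 and 2 rotate correctly with
# overlap; key 3 is deliberately wrong: it starts after key 2 has expired and
# lives longer than 180 days.
SAMPLE_KEY_CHAIN = """\
key chain OSPF-KEYS
 key 1
  key-string PLACEHOLDER-KEY-1
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 28 2024
  send-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 14 2024
 key 2
  key-string PLACEHOLDER-KEY-2
  accept-lifetime 00:00:00 Jun 1 2024 23:59:59 Nov 27 2024
  send-lifetime 00:00:00 Jun 15 2024 23:59:59 Nov 15 2024
 key 3
  key-string PLACEHOLDER-KEY-3
  accept-lifetime 00:00:00 Dec 1 2024 23:59:59 Jun 30 2025
  send-lifetime 00:00:00 Dec 1 2024 23:59:59 Jun 30 2025
"""


def parse_lifetime(args: str):
    """'hh:mm:ss Mon D YYYY hh:mm:ss Mon D YYYY' -> (start, end); end is None for 'infinite'."""
    tok = args.split()
    start = datetime.strptime(" ".join(tok[0:4]), TIME_FMT)
    if tok[4] == "infinite":
        return start, None
    return start, datetime.strptime(" ".join(tok[4:8]), TIME_FMT)


def parse_key_chains(config: str) -> dict:
    """Return {chain name: [{'id': n, 'accept': (start, end), 'send': (start, end)}, ...]}."""
    chains, keys, key = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("key chain "):
            keys = chains.setdefault(line.split()[2], [])
        elif line.startswith("key ") and keys is not None:
            key = {"id": int(line.split()[1])}
            keys.append(key)
        elif line.startswith(("accept-lifetime ", "send-lifetime ")) and key is not None:
            kind, _, args = line.partition(" ")
            key[kind.split("-")[0]] = parse_lifetime(args)
    return chains


def audit_chain(name: str, keys: list) -> list:
    """Findings for one chain: key count, per-key lifetime, and overlap between keys."""
    findings = []
    if len(keys) < 2:
        findings.append(f"{name}: fewer than two keys, so no overlapping rotation is possible")
    for k in keys:
        for kind in ("accept", "send"):
            # A key with no lifetime line is valid forever on IOS, which defeats rotation.
            if kind not in k or k[kind][1] is None:
                findings.append(f"{name} key {k['id']}: {kind}-lifetime never expires")
            elif k[kind][1] - k[kind][0] > MAX_KEY_LIFETIME:
                days = round((k[kind][1] - k[kind][0]).total_seconds() / 86400)
                findings.append(f"{name} key {k['id']}: {kind}-lifetime of {days} days exceeds 180")
    # Consecutive keys must overlap: the next key must be accepted before the previous expires.
    bounded = sorted((k for k in keys if k.get("accept") and k["accept"][1]),
                     key=lambda k: k["accept"][0])
    for prev, nxt in zip(bounded, bounded[1:]):
        if nxt["accept"][0] > prev["accept"][1]:
            findings.append(f"{name}: gap between key {prev['id']} expiring and key {nxt['id']} starting")
    return findings


def audit_key_chains(config: str) -> dict:
    """Map every key chain in the config to its list of findings."""
    return {name: audit_chain(name, keys) for name, keys in parse_key_chains(config).items()}


if __name__ == "__main__":
    for chain, findings in audit_key_chains(SAMPLE_KEY_CHAIN).items():
        for f in findings:
            print("FINDING:", f)
```

The overlap check uses the accept windows because that is what keeps an adjacency up while peers roll over at slightly different times; the send window of the new key should sit inside that overlap, as keys 1 and 2 in the sample show.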
Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, reveal the network's topology, and possibly gain access to network devices.
The Route Processor (RP) is critical to all network operations as it is the
component used to build all forwarding paths for the data plane via
control plane processes. It is also instrumental with ongoing network
management functions that keep the routers and links available for
providing network services. Hence, any disruption to the RP or the control
and management planes can result in mission critical network outages.
Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces and the size of the ingress filters grow. Control plane policing can be used to increase the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.
The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.
The OOBM access switch will connect to the management interface of the
managed network device. The management interface can be a true OOBM
interface or a standard interface functioning as the management interface.
In either case, the management interface of the managed network device
will be directly connected to the OOBM network.
Both IPSec endpoints must authenticate each other to ensure the identity
of each by additional means besides an IP address which can easily be
spoofed. The objective of IPSec is to establish a secured tunnel with
privacy between the two endpoints traversing an IP backbone network. In
the case of teleworkers accessing the enclave using a laptop configured
with an IPSec software client, the secured path will also traverse the
Internet. The secured path will grant the remote site or client access to
resources within the private network; thereby establishing a level of trust.
Hence, it is imperative that some form of authentication is used prior to
establishing an IPSec session for transporting data to and from the enclave
from a remote site.
The IPSec SA and its corresponding key will expire either after the number of seconds or the amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the lifetime of the IPSec Security Association, the longer the lifetime of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPSec peers to renegotiate IKE Phase II more often, resulting in the expenditure of additional resources. Nevertheless, it is imperative that the IPSec SA lifetime terminates within 8 hours.
SNMP Versions 1 and 2 are not considered secure. Without the strong
authentication and privacy that is provided by the SNMP Version 3 User-
based Security Model (USM), an unauthorized user can gain access to
network management information used to launch an attack against the
network.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session frees up resources committed by the managed network device. Setting the session timeout to 10 minutes or less increases the level of protection afforded critical network components.
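An audit of a Cisco IOS running-config for the management-plane items discussed on this page (HTTP administrative access, SSH version, the small services, PAD, configuration auto-loading, Finger, SNMP community strings and write access, and the console exec-timeout), added here as an example and not taken from the STIG or from any Cisco tooling. The sample config is constructed, with every non-compliant line deliberate; the command names are the ones the text cites, and the assumption that an absent exec-timeout means the IOS default of 10 minutes is noted in the code.

```python
import re

# Constructed sample running-config (not from any real device). Each non-compliant
# line is deliberate so the audit has something to report; the vty line is compliant.
SAMPLE_CONFIG = """\
version 15.2
service tcp-small-servers
service pad
service config
!
ip http server
ip finger
!
snmp-server community public RO
snmp-server community secret RW
!
line con 0
 exec-timeout 30 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""

# Top-level commands whose presence is itself a finding.
FORBIDDEN = {
    "ip http server": "HTTP administrative access enabled (item 1)",
    "service tcp-small-servers": "TCP small servers (echo/chargen/discard) enabled",
    "service udp-small-servers": "UDP small servers (echo/chargen/discard) enabled",
    "service pad": "PAD service enabled (item 65)",
    "service config": "configuration auto-loading over the network enabled",
    "ip finger": "Finger service enabled",
}
MAX_IDLE_SECONDS = 10 * 60    # console/session inactivity limit: 10 minutes or less
DEFAULT_EXEC_TIMEOUT = 600    # assumed IOS default when no exec-timeout is configured


def parse_exec_timeout(args: str) -> int:
    """'exec-timeout <minutes> [<seconds>]' -> seconds; 0 means never time out."""
    parts = args.split()
    minutes = int(parts[0])
    seconds = int(parts[1]) if len(parts) > 1 else 0
    return minutes * 60 + seconds


def audit(config: str) -> list:
    """Return human-readable findings for the management-plane checks."""
    findings = []
    ssh_v2_enforced = False
    timeouts = {}             # 'line ...' section -> effective exec-timeout in seconds
    section = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not raw.startswith(" "):            # top-level command
            section = None
            if cmd in FORBIDDEN:
                findings.append(FORBIDDEN[cmd])
            elif cmd == "ip ssh version 2":
                ssh_v2_enforced = True
            elif cmd.startswith("line "):
                section = cmd
                timeouts.setdefault(section, DEFAULT_EXEC_TIMEOUT)
            elif cmd.startswith("snmp-server community "):
                # Any community string means SNMPv1/v2c is in use, not SNMPv3 USM.
                findings.append("SNMPv1/v2c community configured; use SNMPv3 USM with privacy")
                if re.search(r"\bRW\b", cmd):
                    findings.append("SNMP write access granted to a community string")
        elif section is not None and cmd.startswith("exec-timeout "):
            timeouts[section] = parse_exec_timeout(cmd[len("exec-timeout "):])
    if not ssh_v2_enforced:
        findings.append("'ip ssh version 2' not configured; SSHv1 may be negotiated (item 9)")
    for section, secs in timeouts.items():
        if secs == 0 or secs > MAX_IDLE_SECONDS:
            how = "disabled" if secs == 0 else f"{secs}s"
            findings.append(f"{section}: exec-timeout {how} exceeds 10 minutes (item 83)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The check treats "exec-timeout 0 0" as a finding on its own, since on IOS that disables the inactivity timer entirely rather than setting it to zero minutes.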
Audit logs are necessary to provide a trail of evidence in case the network
is compromised. Without an audit trail that provides a when, where, who
and how set of information, repeat offenders could continue attacks
against the network indefinitely. With this information, the network
administrator can devise ways to block the attack and possibly identify and
prosecute the attacker.
Configure an idle time value of 1 hour or less for all IPSec security
associations either within IPSec profiles or as a global command.