SV-41924r7_rule
V-31637
Unauthorized use of NAT and IP addresses within the SIPRNet enclave.
NET0185
CAT II
10
Remove the NAT configurations and private address space from the organization's SIPRNet enclave. Configure the SIPRNet enclave with SSC-authorized .smil.mil or .sgov.gov addresses. If NAT or private address space is required, under one of the stated exceptions or for a valid mission requirement, submit a detailed approval request to use private addressing through the DSAWG Secretariat to the DISN accreditation official, the DISA AO.
Review network diagrams, enterprise sensor reports, and network scans submitted to the Connection Approval Office. Determine that only global IP addresses assigned by the NIC are in use within the organization's SIPRNet enclave.
Determine whether NAT or unauthorized IP address space is in use in the organization's SIPRNet enclave.
Exceptions to this requirement are listed below:
1. Closed classified networks logically transiting SIPRNet for enclave-to-enclave VPN transport only.
2. Out-of-Band management networks, where the NATed nodes do not access SIPRNet base enterprise services.
3. Thin client deployments where the hosting thin client server serves as the SIPRNet access point for its thin clients and the organization maintains detailed thin client service usage audit logs.
4. Valid operational mission need or implementation constraints.
All exceptions must have approval by the SIPRNet DISN accreditation official, DISA AO.
If NAT or unauthorized IP address space is in use on the organization's SIPRNet infrastructure without an approved exception, this is a finding.
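The check above is normally performed by hand against diagrams, sensor reports and scan output. The following is an added example, not part of the STIG or of any DISA tooling, of automating the two determinations it calls for: whether every address in a host inventory falls inside the enclave's NIC-assigned blocks, and whether a device configuration contains NAT statements. The authorized prefixes (documentation ranges standing in for real allocations), the inventory and the IOS-style configuration excerpt are all constructed for the example; real SIPRNet allocations and Connection Approval Office inputs are not reproduced here.

```python
"""Audit an address inventory and a device config for NAT and for address
space outside the NIC-assigned blocks (NET0185-style check).

Added example with constructed data; not DISA or STIG tooling.
"""
import ipaddress
import re

# Constructed stand-in for the enclave's NIC-assigned global blocks.
# Real SIPRNet allocations are not public; documentation prefixes are used.
AUTHORIZED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Address space that must never appear without an approved exception:
# RFC 1918 plus the RFC 6598 shared (CGNAT) range.
PRIVATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Constructed scan/inventory output: "<hostname> <ipv4>" per line.
SAMPLE_INVENTORY = """\
core-rtr-1 192.0.2.1
file-srv-1 192.0.2.40
thin-srv-1 198.51.100.10
print-01 10.20.30.5
mgmt-sw-3 172.16.5.9
dev-box 198.51.100.200
"""

# Constructed Cisco IOS-style excerpt containing NAT statements.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
!
ip nat pool ENCLAVE 192.0.2.200 192.0.2.210 netmask 255.255.255.0
ip nat inside source list 1 pool ENCLAVE overload
access-list 1 permit 10.20.30.0 0.0.0.255
"""

# Any "ip nat ..." statement, at interface level or global config level.
NAT_STATEMENT = re.compile(r"^\s*ip nat\b")


def classify_address(addr):
    """Return 'authorized', 'private', or 'unassigned' for one IPv4 address.

    'unassigned' means a non-private address outside the enclave's allocation,
    which is just as much a finding as RFC 1918 space.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in AUTHORIZED_PREFIXES):
        return "authorized"
    if any(ip in net for net in PRIVATE_PREFIXES):
        return "private"
    return "unassigned"


def audit_inventory(text):
    """Return [(host, ip, classification)] for every host not in authorized space."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ip = line.split()
        kind = classify_address(ip)
        if kind != "authorized":
            findings.append((host, ip, kind))
    return findings


def find_nat_statements(config):
    """Return the config lines that configure NAT (interface or global)."""
    return [ln.rstrip() for ln in config.splitlines() if NAT_STATEMENT.match(ln)]


def is_finding(inventory, config):
    """True if NAT or unauthorized address space is present (absent an approved exception)."""
    return bool(audit_inventory(inventory)) or bool(find_nat_statements(config))


if __name__ == "__main__":
    for host, ip, kind in audit_inventory(SAMPLE_INVENTORY):
        print(f"{kind:10} {host:12} {ip}")
    for ln in find_nat_statements(SAMPLE_CONFIG):
        print("NAT:", ln)
    print("finding" if is_finding(SAMPLE_INVENTORY, SAMPLE_CONFIG) else "not a finding")
```

Hosts reported as `private` or `unassigned` and every NAT statement still have to be reconciled against the approved exception list (out-of-band management, thin client hosts, VPN-transit networks) before the result is recorded as a finding; the script only produces the evidence for that reconciliation.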
V-31637
False
NET0185
M
838