STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide

Version: 9

Release: 10

Benchmark Date: 24 Jan 2020

| Checked | Name | Title |
|---|---|---|
| | SV-8532r3_rule | Network topology diagrams for the enclave must be maintained and up to date at all times. |
| | SV-8533r3_rule | All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and must meet Connection Approval Process (CAP) requirements. |
| | SV-8534r4_rule | External connections to the network must be reviewed and the documentation updated semi-annually. |
| | SV-8535r3_rule | The connection between the Channel Service Unit/Data Service Unit (CSU/DSU) and the Local Exchange Carrier's (LEC) data service jack (i.e., demarc), as well as any service provider premise equipment, must be located in a secure environment. |
| | SV-8537r4_rule | Written mission justification approval must be obtained from the Office of the DoD CIO prior to establishing a direct connection to the Internet via a commercial service provider outside DoD CIO approved Internet access points (e.g., DISA IAP, Cloud Access Point, NIPRNet Federated Gateway, DREN IAP, etc.). |
| | SV-8538r4_rule | External network connections must not bypass the enclave's perimeter security. |
| | SV-8540r3_rule | All network infrastructure devices must be located in a secure room with limited access. |
| | SV-8546r2_rule | A centralized syslog server must be deployed in the management network. |
| | SV-8547r2_rule | Current and previous network element configurations must be stored in a secured location. |
| | SV-8552r3_rule | When protecting the boundaries of a network, the firewall must be placed between the private network and the perimeter router and the Demilitarized Zone (DMZ). |
| | SV-8564r3_rule | The organization must establish weekly data backup procedures for the network Intrusion Detection and Prevention System (IDPS) data. |
| | SV-8566r2_rule | The Intrusion Detection and Prevention System (IDPS) software and signatures must be updated when updates are provided by the vendor. |
| | SV-8567r3_rule | The organization must ensure all switches and associated cross-connect hardware are kept in a secure Intermediate Distribution Frame (IDF) or an enclosed cabinet that is kept locked. |
| | SV-8585r3_rule | Dynamic Host Configuration Protocol (DHCP) audit and event logs must record hostnames and MAC addresses and be stored online for thirty days and offline for one year. |
| | SV-8586r3_rule | Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days. |
| | SV-8758r3_rule | An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave. |
| | SV-12294r5_rule | A deny-by-default security posture must be implemented for traffic entering and leaving the enclave. |
| | SV-12654r2_rule | All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA). |
| | SV-12655r2_rule | Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments. |
| | SV-15259r4_rule | If the site has a non-DoD external connection (i.e., Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the site's Approved Gateway and the perimeter router. |
| | SV-15263r4_rule | All hosted NIPRNet-only applications must be located in a local enclave Demilitarized Zone (DMZ). |
| | SV-15265r4_rule | All Internet-facing applications must be hosted in a DoD Demilitarized Zone (DMZ) Extension. |
| | SV-15268r6_rule | The organization must implement a deep packet inspection solution when protecting perimeter boundaries. |
| | SV-15442r2_rule | An Out-of-Band (OOB) management network must be deployed for MAC I systems, or 24x7 personnel must have console access for device management. |
| | SV-15473r2_rule | Two-factor authentication must be implemented to restrict access to all network elements. |
| | SV-15493r6_rule | Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclave's private network. |
| | SV-15494r3_rule | Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclave's security authorization package, and an Approval to Connect (ATC) or an Interim ATC must be issued by DISA prior to implementation. |
| | SV-15496r2_rule | DSAWG approval must be obtained before tunneling classified traffic outside the component's local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure. |
| | SV-15497r2_rule | Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity, it must be to a DSS approved contractor facility or DoD Component approved foreign government facility. |
| | SV-15498r2_rule | Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclave's accreditation package, and an Authority to Connect (ATC) or Interim ATC amending the connection approval must be received prior to implementation. |
| | SV-15499r2_rule | Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15. |
| | SV-15501r2_rule | VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information. |
| | SV-18981r2_rule | A dedicated management network must be implemented. |
| | SV-19152r2_rule | Two Network Time Protocol (NTP) servers must be deployed in the management network. |
| | SV-20025r2_rule | An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor all Demilitarized Zone (DMZ) segments housing public servers. |
| | SV-20027r2_rule | An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor the network segment hosting web, application, and database servers. |
| | SV-20028r2_rule | An Intrusion Detection and Prevention System (IDPS) sensor must be deployed to monitor network segments that house network security management servers. |
| | SV-20031r2_rule | Sensor traffic in transit must be protected at all times via an Out-of-Band (OOB) network or an encrypted tunnel between site locations. |
| | SV-20032r2_rule | Intrusion Detection and Prevention System (IDPS) traffic between the sensor and the security management or sensor data collection servers must traverse a dedicated Virtual Local Area Network (VLAN) logically separating IDPS traffic from all other enclave traffic. |
| | SV-20039r2_rule | Products collecting baselines for anomaly-based detection must have their baselines rebuilt based on changes to mission requirements, such as Information Operations Conditions (INFOCON) levels, and when the traffic patterns are expected to change significantly. |
| | SV-20041r2_rule | If a Secure File Transfer Protocol (SFTP) server is used to provide updates to the sensors, the server must be configured to allow read-only access to the files within the directory in which the signature packs are placed. |
| | SV-20042r2_rule | If an automated scheduler is used to provide updates to the sensors, an account on the file server must be defined that provides access to the signatures only to the sensors. |
| | SV-20045r2_rule | The Intrusion Detection and Prevention System (IDPS) configuration must be backed up before applying software or signature updates, or when making changes to the configuration. |
| | SV-20046r2_rule | The Intrusion Detection and Prevention System (IDPS) file checksums provided by the vendor must be compared and verified against checksums computed from CD or downloaded files. |
| | SV-28616r3_rule | The organization must encrypt all network device configurations while stored offline. |
| | SV-41919r3_rule | All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC). |
| | SV-41924r7_rule | Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave. |
| | SV-44284r2_rule | A policy must be implemented to keep Bogon/Martian rulesets up to date. |
| | SV-80839r1_rule | Prior to having an external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established. |
| | SV-80841r1_rule | Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year. |
| | SV-80843r1_rule | Multiprotocol Label Switching (MPLS) protocols deployed to build Label-Switched Path (LSP) tunnels must authenticate all messages with a hash function using the most secure cryptographic algorithm available. |
| | SV-80845r1_rule | Multiprotocol Label Switching (MPLS) labels must not be exchanged between the enclave's edge routers and any external neighbor routers. |
| | SV-80847r1_rule | Label Distribution Protocol (LDP) must be synchronized with the Interior Gateway Protocol (IGP) to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. |
| | SV-80851r1_rule | Rapid Spanning Tree Protocol (RSTP) must be implemented at the access and distribution layers where Virtual Local Area Networks (VLANs) span multiple switches. |
| | SV-80853r1_rule | A Quality of Service (QoS) policy must be implemented to provide preferred treatment for Command and Control (C2) real-time services and control plane traffic. |
| | SV-80855r1_rule | Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing. |
| | SV-80857r1_rule | A Protocol Independent Multicast (PIM) neighbor filter must be implemented to restrict and control multicast traffic. |
| | SV-80859r1_rule | The multicast domain must block inbound and outbound administratively-scoped multicast traffic at the edge. |
| | SV-80861r1_rule | The multicast domain must block inbound and outbound Auto-RP discovery and announcement messages at the edge. |
| | SV-80863r1_rule | Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or other undesirable multicast groups. |
| | SV-80865r1_rule | Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or other undesirable multicast groups. |
| | SV-80869r1_rule | Multicast register messages must be rate limited per source-group (S, G) entry. |
| | SV-80871r1_rule | Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization. |
| | SV-80879r1_rule | The number of mroute states resulting from Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) membership reports must be limited. |
| | SV-80881r1_rule | The number of source-group (S, G) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed. |
| | SV-80883r1_rule | Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping must be implemented within the network access layer. |
| | SV-80887r2_rule | First-hop redundancy services must be configured to delay any preempt to provide enough time for the Interior Gateway Protocol (IGP) to stabilize. |