UNCLASSIFIED

NETWORK INFRASTRUCTURE SECURITY CHECKLIST
Version 4, Release 1
23 August 2002
DISA FIELD SECURITY OPERATIONS

Database Reference Number: ____  Database entered by: ____  Date: ____
Technical QA by: ____  Date: ____
Final QA by: ____  Date: ____
CAT I: ____  CAT II: ____  CAT III: ____  CAT IV: ____  Total: ____

Network Infrastructure Security Checklist V4R1, Field Security Operations, 23 August 2002, Defense Information Systems Agency

UNCLASSIFIED UNTIL FILLED IN

CIRCLE ONE:
  FOR OFFICIAL USE ONLY (mark each page)
  CONFIDENTIAL and SECRET (mark each page and each finding)

Classification is based on the classification of the system reviewed:
  Unclassified System  = FOUO Checklist
  Confidential System  = CONFIDENTIAL Checklist
  Secret System        = SECRET Checklist
  Top Secret System    = SECRET Checklist

Date of Network SRR: ____   Network Reviewer: ____   Phone: ____   Location: ____
Previous SRR: Y / N   Date of Previous SRR: ____   A03 Available: Y / N
Number of Current Open Findings: ____

Site Information: Site Name, Address, Phone

Site Personnel Information (Position / Name / Phone Number / Email / Area of Responsibility): SM, ISSM, NSO

Penetration Test Information (Network Address / ISS Job ID / Function / Type of Scan): 1, 2, 3, 4, 5

SUMMARY OF CHANGES

General Changes
  - Added section about "unclassified until filled in".
  - Various grammar changes throughout the document.
  - Replaced all references to NSA-approved encryption with FIPS 140-2.

Section 3.4.2, Device Management
  - PDI NET0320: removed duplicate checks 8 and 9.

Section 3.6.2.2, Exploits Protection
  - Updated PDI NET1010 to reflect new DDoS ports.

Section 4.2, General Standards for Remote Access Methods
  - Removed PDI NET1520 and renumbered the repeated PDI number 1160 to NET1520.
  - Removed check 15 under PDI 1560.

TABLE OF CONTENTS

Unclassified UNTIL FILLED IN ........................................ 2
1.0 Introduction ..................................................... 9
1.11 NATO Classification ............................................. 9
2.0 Enclave Architecture ............................................ 11
3.0 Network Infrastructure .......................................... 11
3.1 Joint Intrusion Detection (JID) ................................. 12
3.2 Leased/Dedicated Lines .......................................... 13
3.3 Backdoor Circuits ............................................... 13
3.4 General Standards for Communication Devices ..................... 14
3.4.1 Passwords ..................................................... 15
3.4.2 Device Management ............................................. 17
3.5 Network Layer Addressing ........................................ 20
3.5.2 Router Tables ................................................. 22
3.5.4 Router Accounts ............................................... 23
3.5.5 Router Passwords .............................................. 25
3.5.6 Out-of-band Management ........................................ 27
3.5.7 In-Band Router Management ..................................... 28
3.5.8 Router Global Configuration Commands .......................... 29
3.6 Access Control Lists (ACLs) ..................................... 35
3.6.1 Filtering Traffic to Router Itself ............................ 36
3.6.2.1 IP Address Spoof Protection ................................. 38
3.6.2.2 Exploits Protection ......................................... 39
3.6.3 Logistics for Configuration Loading and Maintenance ........... 43
3.6.4 Router Change Management ...................................... 45
3.6.6 Syslog ........................................................ 46
3.7 Firewalls ....................................................... 47
3.7.7 Implementation and Waivers .................................... 54
3.8 Network Intrusion Detection (NID) Real Secure ................... 55
3.9 Data Outlets .................................................... 57
3.10 Switch/Intelligent Hubs ........................................ 57
3.10.2 Virtual Local Area Network (VLAN) ............................ 58
4.0 Remote Access ................................................... 58
4.2 General Standards for Remote Access Methods ..................... 62
4.2.1 Network Access Server (NAS) ................................... 65
4.2.2 High Speed Communication ...................................... 66
5.1 Network Management .............................................. 67
5.2 Virtual Private Networks (VPNs) ................................. 72
5.3 Domain Name System (DNS) ........................................ 73

1.0 Introduction

N/A / Pass / Fail   Policy   STIG Reference

1. The NSO and each site's ISSO will ensure that the DISA Form 41 or similar access authorization form will be used to validate a user's requirement to have a management account on any network device.
   Procedure: Review authorization forms on file with the site's security officer to verify that only the required users have access to managed network devices.
   STIG Reference: 1.7

Comments:
CAT IV   PDI: NET0020
Short Description: A formal process, including an authorization form, is not being used to ensure that only authorized users are gaining management access to network devices.
Finding / Not a Finding / Not Reviewed / Not Applicable

1.11 NATO Classification

N/A / Pass / Fail   Policy   STIG Reference

1. Provide all personnel with a NATO security briefing. For those personnel with a U.S. SECRET or above clearance, a NATO security briefing must be administered.
   Procedure: Verify whether the site exchanges NATO data via SIPRNet; if so, verify with the NSO or ISSO that all personnel with a Secret or above clearance have had a NATO security briefing.
   STIG Reference: 1.11

2. Each enclave DAA must provide a letter notifying CUSR that their enclave is now accredited to process NATO classified information.
   Procedure: Obtain a copy of the CUSR letter that was signed by the enclave DAA.
   STIG Reference: 1.11

3. Each enclave DAA must ensure all personnel have at least a U.S. SECRET clearance. Personnel with interim U.S. clearances and an established need-to-know may be granted access to NATO classified information subject to the conditions outlined below:
   (1) Approval by the authority who is granting access to U.S. classified information based on the interim security clearance.
   (2) Written authorization maintained as a record.
   (3) The interim clearance held is at the Secret or Top Secret level.
   (4) The process for a final security clearance has been initiated.
   (5) The individual has received and acknowledged a briefing on NATO security requirements.
   Procedure: Verify with the NSO or ISSO that all interim clearances have been processed for final clearance and that a written authorization is maintained as a record.
   STIG Reference: 1.11

4. Each enclave DAA must ensure personnel that have access to NATO classified information have a need-to-know, and implement the required measures to enforce it. Example mechanisms include password-protected web sites or folders on the network that hold NATO SECRET information. DoD Instruction 8500.bb, Information Assurance Implementation, has guidance on implementing need-to-know.
   Procedure: Interview the NSO to verify that the NATO classified information is restricted to the individuals with the need-to-know and that proper protections have been put into place.
   STIG Reference: 1.11

5. In transmitting e-mail, it is the sender's responsibility to ensure that the receiver is cleared for NATO SECRET information and has a need-to-know. The sender must also ensure that the receiver is hosted by a network accredited to process NATO classified information. A listing of accredited enclaves will be posted to the CUSR web site (www.cusr.army.mil).
   Procedure: Interview the ISSO and request copies of the security briefing to verify that personnel have been properly instructed in this requirement.
   STIG Reference: 1.11

6. Each enclave DAA must ensure that equipment (i.e., desktops, laptops, and servers) that stores and processes NATO SECRET information is labeled NATO SECRET.
   Procedure: Visually inspect devices to verify compliance with this requirement.
   STIG Reference: 1.11

7. Each DAA must ensure electronic labeling of information. This includes ensuring e-mail transmissions have a classification label as the first line (software products exist to force this) and ensuring any documentation or information posted to web sites is marked at the top and bottom of the pages per the NATO security policy described in the NATO security briefing.
   Procedure: Verify compliance with this requirement by having the NSO request the web pages so you can visually inspect them for the security markings.
   STIG Reference: 1.11

8. Each DAA must ensure that an inventory of accountable media is provided to the Central U.S. Registry (the U.S. directed recurring ADPE inventory per DoDD 7950.1 meets this requirement).
   Procedure: Interview the ISSM to verify compliance with this mandate.
   STIG Reference: 1.11

9. Each DAA must ensure existing personnel security records (i.e., evidence of clearance and access, usually maintained in the personnel security office) relating to access to NATO SECRET information are retained for three years.
   Procedure: Interview the NSO and have the personnel security department display the records for inspection.
   STIG Reference: 1.11

Comments:
CAT III   PDI: NET0060
Short Description: The site has not followed the required security markings or policy needed to be accredited to the NATO Secret level.
Finding / Not a Finding / Not Reviewed / Not Applicable

2.0 Enclave Architecture

N/A / Pass / Fail   Policy   STIG Reference

1. The NSO will ensure that the site architecture complies with the Enclave Architecture as outlined in the Network Infrastructure STIG.
   Procedure: View the network diagram and ensure that the following devices exist: JID, router with ACLs, application level firewall, NID, DMZ, and split DNS.
   STIG Reference: 2.0

Comments:
CAT I   PDI: NET0070
Short Description: The site architecture does not comply with the Enclave Security Architecture.
Finding / Not a Finding / Not Reviewed / Not Applicable

3.0 Network Infrastructure

N/A / Pass / Fail   Policy   STIG Reference

1. The NSO will ensure all connections are in compliance with the requirements of the Connection Approval Process (CAP).
   Procedure: Review the CAP process with the ISSO to verify compliance.
   STIG Reference: 3.0

Comments:
CAT II   PDI: NET0080
Short Description: Network connections are not in compliance with the CAP.
Finding / Not a Finding / Not Reviewed / Not Applicable

2. The NSO will maintain current, up-to-date infrastructure and dataflow diagrams of the network under the NSO's control. The diagrams will include all remote connections, all local connections to domains not under site control, and all internal connections to PCs, workstations, servers, routers, bridges, and hubs or switches. This will help to show what the security, traffic, and physical impact of adding a new user(s) will be on the LAN. These diagrams will be based on a physical and, if available, an automated inspection of the network wiring plant. Special circumstances concerning the installation, such as a path that leaves a secure controlled environment, will be noted.
   Procedure: Review the network diagram, walk around the facility, and physically check whether the diagram is accurate. Verify that the protocols and services depicted on the dataflow diagram are current and that communication devices are configured for only the depicted protocols and services.
   STIG Reference: 3.0

Comments:
CAT III   PDI: NET0090
Short Description: Network infrastructure is not properly maintained and cable connection management is not enforced.
Finding / Not a Finding / Not Reviewed / Not Applicable

3.1 Joint Intrusion Detection (JID)

N/A / Pass / Fail   Policy   STIG Reference

1. The NSO and RCERT will ensure that the JID is located between the site's NIPRNet POP and the site's premise router and is under the operational control of the RCERT.
   Procedure: Visually inspect the network topology to verify compliance.
   STIG Reference: 3.1.1

Comments:
CAT II   PDI: NET0110
Short Description: The JID is not located between the NIPRNet POP and the premise router.
Finding / Not a Finding / Not Reviewed / Not Applicable

2. The NSO will ensure the site will not further distribute the JID software.
   Procedure: Interview the NSO to verify compliance with this requirement.
   STIG Reference: 3.1.1

3. The NSO will ensure that local JID monitoring and data review will only be performed by trusted system administration and security personnel with a legitimate need-to-know for the information. Authorized reviewers of JID output will be identified in writing by the Automated Information System (AIS) environment's Commanding Officer or equivalent management level.
   Procedure: Have the NSO provide copies of the authorization letter assigning the reviewers. Then verify that the RCERT has only granted those individuals access.
   STIG Reference: 3.1.1

4. The NSO will ensure that the JID source code will be stored on a secured, off-line (i.e., not connected to any network) system or storage device.
   Procedure: Have the NSO show you the location of the JID source code to verify compliance.
   STIG Reference: 3.1.2

5. The NSO will ensure that physical access to the JID will be restricted to specifically authorized personnel.
   Procedure: Visually inspect the placement of the JID to verify compliance.
   STIG Reference: 3.1.2

Comments:
CAT III   PDI: NET0120
Short Description: The JID or JID source code is not properly maintained or has been further distributed.
Finding / Not a Finding / Not Reviewed / Not Applicable

3.2 Leased/Dedicated Lines

N/A / Pass / Fail   Policy   STIG Reference

1. The NSO will ensure that the distance from the LAN to the leased line provider's point of presence (POP) will be as short as possible, making the data passing to the WAN easier to protect.
   Procedure: Verify that the distance between the POP and the communication room is as short as possible. If the POP could be moved to better satisfy this requirement, then this is a finding.
   STIG Reference: 3.2

2. The NSO will ensure the communication lines are in a secure, controlled, and protected environment all the way to the local exchange carrier (LEC) POP.
   Procedure: Verify that the POP is in a protected communication room or facility.
   STIG Reference: 3.2

3. The NSO will ensure that network management modems connected to all Channel Service Units (CSUs) / Data Service Units (DSUs) will be disabled or disconnected when not in use.
   Procedure: Visually inspect the CSU/DSU to verify compliance; for routers with the CSU/DSU built in, verify that the router's aux port is disabled.
   STIG Reference: 3.2

Comments:
CAT III   PDI: NET0140
Short Description: The distance between the POP and the communication room is either unsecured or unmanageable, or the CSU/DSU modems are not configured properly.
Finding / Not a Finding / Not Reviewed / Not Applicable

3.3 Backdoor Circuits

N/A / Pass / Fail   Policy   STIG Reference

1. If NIPRNet access redundancy is required, it will be accomplished using the Defense Information System Network (DISN) data services.
   Procedure: Inspect the network topology diagrams to verify how many POPs the network currently has, then interview the NSO to verify that all additional POPs have been provided via the DISN.
   STIG Reference: 3.3

Comments:
CAT III   PDI: NET0150
Short Description:
Finding / Not a Finding / Not Reviewed / Not Applicable

2. Direct ISP connections are prohibited unless Designated Approving Authority (DAA) written approval is obtained. The approval will state that an ISP connection is required for mission purposes and that all other alternatives were considered but could not satisfy the requirement.
   Procedure: Have the ISSM provide a copy of the DAA written approval letter, then verify that the mission need is still valid.
   STIG Reference: 3.3

Comments:
CAT I   PDI: NET0160
Short Description: A direct ISP connection exists without DAA approval.
Finding / Not a Finding / Not Reviewed / Not Applicable

3. All external connections will be validated and approved prior to connection. Efforts will be made to eliminate backdoor connections.
   Procedure: Interview the ISSM to verify that all connections have a mission requirement and that the DAA is aware of the requirement.
   STIG Reference: 3.3

Comments:
CAT III   PDI: NET0170
Short Description: External connections are not validated and approved, and no efforts have been made to eliminate backdoor connections.
Finding / Not a Finding / Not Reviewed / Not Applicable

4. The NSO will review all connection requirements on a regular basis to ensure the need remains current, and will investigate all undocumented network connections discovered during inspections. Unjustified connections will be disconnected.
   Procedure: Verify that the NSO is aware of all connections and that all self-assessments require the NSO to verify the need for each connection.
   STIG Reference: 3.3

Comments:
CAT II   PDI: NET0190
Short Description: The NSO is not aware of a mission-critical need for the backdoor connections, or the NSO does not take an active role in the self-assessments.
Finding / Not a Finding / Not Reviewed / Not Applicable

3.4 General Standards for Communication Devices

N/A / Pass / Fail   Policy   STIG Reference

1. To identify and combat MAC address spoofing, the NSO will maintain a listing of valid MAC addresses and conduct audits and reviews to identify new addresses. This can be accomplished via an automated tool (HP OpenView, What's Up Gold, etc.) or a manual process such as reviewing the ARP table from the router.
   Procedure: Interview the NSO to verify compliance and have the NSO provide the list for inspection.
   STIG Reference: 3.4

Comments:
CAT II   PDI: NET0200
Short Description: A listing of MAC addresses is not maintained and validated, and the NSO is not conducting reviews or audits to identify new addresses.
Finding / Not a Finding / Not Reviewed / Not Applicable

2. The NSO will ensure that communication devices will be located in a secure room with limited access. The NSO will have ultimate authority to determine who has access, both physically and administratively.
   Procedure: Interview the NSO to verify compliance with this requirement.
   STIG Reference: 3.4

Comments:
CAT II   PDI: NET0210
Short Description: Communication devices are not in a secure location.
Finding / Not a Finding / Not Reviewed / Not Applicable

3. The NSO will ensure that all communication devices are registered wi
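The manual ARP-table review that check 3.4.1 (PDI NET0200) describes can be scripted so that a reviewer compares the router's ARP table against the NSO's list of valid MAC addresses and sees only what needs attention. This is an added example, not part of the checklist; the ARP text is a constructed sample in the Cisco IOS "show ip arp" layout, and the approved list is constructed as well.

```python
import re

# Constructed sample of router ARP output in the IOS "show ip arp" layout
# (not from the checklist). The 10.20.1.16 entry is deliberately not on
# the approved list, and 0012.3456.789b deliberately appears twice.
SAMPLE_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.1               -   0012.3456.789a  ARPA   FastEthernet0/0
Internet  10.20.1.15             12   0012.3456.789b  ARPA   FastEthernet0/0
Internet  10.20.1.16              3   00AA.BB11.2233  ARPA   FastEthernet0/0
Internet  10.20.1.40              0   0012.3456.789b  ARPA   FastEthernet0/0
"""

# Constructed baseline of valid MAC addresses, in the mixed notations an
# NSO might record by hand; normalization below makes them comparable.
APPROVED_MACS = [
    "00:12:34:56:78:9a",   # router interface
    "00-12-34-56-78-9B",   # workstation
]

# One ARP entry: protocol, IP, age ("-" or minutes), then dotted-hex MAC.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated octets, whatever the input style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return a list of (ip, normalized_mac) for every ARP entry line."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return entries


def audit_arp_table(arp_text, approved):
    """Compare the ARP table with the approved list.

    Returns a dict with 'unknown' (MACs absent from the approved list, each
    mapped to the IPs it claimed) and 'duplicated' (MACs seen with more than
    one IP, which the NSO should confirm is legitimate, e.g. a multi-homed host).
    """
    approved_set = {normalize_mac(m) for m in approved}
    seen = {}
    for ip, mac in parse_arp_table(arp_text):
        seen.setdefault(mac, []).append(ip)
    unknown = {mac: ips for mac, ips in seen.items() if mac not in approved_set}
    duplicated = {mac: ips for mac, ips in seen.items() if len(ips) > 1}
    return {"unknown": unknown, "duplicated": duplicated}
```

Each unknown MAC is a new address for the NSO to account for or add to the list; a duplicated MAC is not a finding by itself but warrants a look.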