transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.
How can this control be implemented, automated, and its effectiveness measured?
QW: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an agency change control board.
QW: At network interconnection points, such as Internet gateways, inter-agency connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with a documented business need, monitor traffic flows looking for attacks using intrusion detection technology, and log each connection for a period of at least 30 days.
QW: Network devices that filter unneeded services or block attacks (including firewalls, network-based Intrusion Prevention Systems, routers with access control lists, etc.) should be tested under laboratory conditions, using each organization's own configuration, to ensure that they fail in a closed/blocking fashion under significant load. The test traffic should consist of legitimate traffic allowed by that configuration intermixed with attacks at line speed.
Config/Hygiene: All new configuration rules beyond a baseline hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPSs, should be documented with a specific business reason for the change, a specific individual’s name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.
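The two checks above (comparing a device's running configuration against the standard secure configuration, and keeping every permit rule tied to a documented business need, a named owner and an expected duration that is reviewed quarterly) lend themselves to a small audit script. The following Python example is added here and is not part of the Consensus Audit Guidelines; the device name, the baseline lines, the running-configuration dump and the rule register are all constructed sample data, and the IOS-style syntax is only used as a familiar illustration.

```python
"""Audit a network device against a hardened baseline and check its
firewall-rule register for undocumented or expired permit rules.
Added example, not from the guideline text; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# --- 1. Baseline comparison: standard secure configuration per device type ---

# Constructed baseline: lines that must be present and lines that must not.
BASELINE_REQUIRED = {
    "service password-encryption",
    "transport input ssh",
    "logging host 10.0.0.5",
    "aaa new-model",
}
BASELINE_FORBIDDEN = {
    "transport input telnet",
    "ip http server",
    "snmp-server community public RO",
}

# Constructed running configuration of a hypothetical device "edge-rtr-01".
RUNNING_CONFIG = """\
hostname edge-rtr-01
service password-encryption
aaa new-model
ip http server
line vty 0 4
 transport input telnet
logging host 10.0.0.5
"""


def config_lines(text: str) -> set[str]:
    """Normalise a configuration dump into a set of stripped, non-empty lines."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def baseline_deviations(running: str) -> dict[str, list[str]]:
    """Required lines that are missing and forbidden lines that are present."""
    present = config_lines(running)
    return {
        "missing": sorted(BASELINE_REQUIRED - present),
        "forbidden": sorted(BASELINE_FORBIDDEN & present),
    }


# --- 2. Rule-register hygiene: business reason, owner, expected duration ---

@dataclass(frozen=True)
class AllowRule:
    rule_id: str
    proto: str
    port: int
    business_reason: str   # empty string = no documented business need
    owner: str             # empty string = no accountable individual
    expires: date | None   # None = no expected duration recorded


# Constructed rule register for the same device.
SAMPLE_RULES = [
    AllowRule("FW-001", "tcp", 443, "Public web portal", "J. Doe", date(2025, 1, 1)),
    AllowRule("FW-002", "tcp", 23, "", "", None),
    AllowRule("FW-003", "tcp", 3389, "Vendor remote support", "A. Smith", date(2024, 3, 15)),
    AllowRule("FW-004", "udp", 161, "SNMP polling", "Ops", date(2024, 5, 1)),
]
AUDIT_DATE = date(2024, 4, 1)  # constructed date of the quarterly review


def rule_findings(rules, today: date,
                  review_window: timedelta = timedelta(days=90)) -> dict[str, list[str]]:
    """Map rule_id -> list of hygiene problems; rules with no problems are omitted.
    review_window is the quarterly review cycle: a rule expiring inside it is
    flagged so its owner can confirm the need before the next review."""
    findings: dict[str, list[str]] = {}
    for r in rules:
        problems = []
        if not r.business_reason:
            problems.append("no business reason")
        if not r.owner:
            problems.append("no named owner")
        if r.expires is None:
            problems.append("no expected duration")
        elif r.expires < today:
            problems.append("expired; remove")
        elif r.expires - today <= review_window:
            problems.append("expires within next review cycle")
        if problems:
            findings[r.rule_id] = problems
    return findings


if __name__ == "__main__":
    print("Baseline deviations:", baseline_deviations(RUNNING_CONFIG))
    for rid, probs in rule_findings(SAMPLE_RULES, AUDIT_DATE).items():
        print(f"{rid}: {', '.join(probs)}")
```

In practice the `RUNNING_CONFIG` string would be replaced by the output of the device's own "show running-config" (or equivalent) collected by the configuration-management tool, and the rule register by the change-control board's records; the point of keeping both checks in one script is that the same scheduled job produces the evidence the quarterly review needs.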
Config/Hygiene: Periodically attempt to penetrate network devices by simulating an attacker's actions against such devices. Such testing should occur from outside the network perimeter (i.e., the Internet or the wireless frequencies around an agency) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
Config/Hygiene: Network infrastructure devices should be managed using two-factor authentication and encrypted sessions.