investigate whether the transfer was successfully blocked.
The following paragraphs identify additional controls that are important but that cannot be automatically or continuously monitored. Note that these controls overlap with one another to a greater degree than the ones in the previous section.
Critical Control 16: Secure Network Engineering
Many controls in this document are effective on their own but can be circumvented in a badly designed network. Therefore, a robust secure network engineering process must be in place to complement the detailed controls measured in the other sections of this document. Among the engineering and architectural standards to be used are:
Config/Hygiene: To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, blackholes and other defensive measures required by US-CERT.
Vis/Attrib: All access to websites on the Internet must pass through a perimeter that includes a firewall, an IDS, a web proxy, packet inspection, packet logging and session reconstruction capabilities.
Vis/Attrib: DNS should be deployed in a hierarchical, structured fashion, with all client machines sending requests to DNS servers inside a government-controlled network and not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers that are allowed to send requests to the Internet. Enforce the hierarchy with egress filtering that permits outbound DNS (TCP and UDP port 53) only from the DMZ resolvers, so that a client or malware that points at an outside resolver is blocked and logged rather than silently succeeding.
Config/Hygiene: Each organization should standardize the DHCP lease parameters and lease duration assigned to systems, and verbosely log every lease issued (address, client hardware address, host name, lease start and expiry) so that an IP address appearing in a log can later be attributed to the specific machine that held it at that time.
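The two items above, the DNS hierarchy and verbose DHCP lease logging, are most useful when checked together: a DNS flow that violates the hierarchy is only actionable if the offending address can be tied to a machine. The script below is an added example, not part of the original guideline text, that audits constructed firewall flow records against the hierarchy (clients may only talk to the internal resolvers, internal resolvers only to the DMZ resolvers, and only DMZ resolvers to the Internet) and attributes each violation to a MAC address using ISC dhcpd-style DHCPACK log lines. The address plan (10.0.0.0/8 internal, 10.1.1.53 and 10.1.2.53 as internal resolvers, 192.0.2.53 as the DMZ resolver), the eight-hour lease length, the flow-record format and all log lines are assumptions constructed for the example.

```python
"""Audit DNS egress against a hierarchical-DNS policy and attribute offenders via DHCP leases.

Example code; the address plan, lease length and log lines are constructed assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical address plan (assumption, not from the guideline).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_DNS = {ipaddress.ip_address("10.1.1.53"), ipaddress.ip_address("10.1.2.53")}
DMZ_DNS = {ipaddress.ip_address("192.0.2.53")}
LEASE_TIME = timedelta(hours=8)  # assumed standardized DHCP lease duration

# Constructed firewall flow records (accepted flows, one per line; not a real product format).
FW_LOG = """\
2024-03-10T08:15:02Z src=10.0.5.21 dst=10.1.1.53 proto=udp dport=53
2024-03-10T08:15:03Z src=10.1.1.53 dst=192.0.2.53 proto=udp dport=53
2024-03-10T08:15:03Z src=192.0.2.53 dst=198.51.100.10 proto=udp dport=53
2024-03-10T08:16:40Z src=10.0.5.21 dst=8.8.8.8 proto=udp dport=53
2024-03-10T08:17:05Z src=10.0.7.4 dst=198.51.100.10 proto=tcp dport=53
2024-03-10T08:18:00Z src=10.1.1.53 dst=8.8.8.8 proto=udp dport=53
2024-03-10T08:18:30Z src=10.0.5.21 dst=10.1.1.53 proto=tcp dport=443
"""

# Constructed ISC dhcpd-style syslog lines with ISO 8601 timestamps.
DHCP_LOG = """\
2024-03-09T20:00:00Z dhcp1 dhcpd: DHCPACK on 10.0.7.4 to 00:11:22:aa:bb:cc (kiosk-2) via eth0
2024-03-10T07:58:11Z dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (laptop-7) via eth0
2024-03-10T08:40:00Z dhcp1 dhcpd: DHCPACK on 10.0.5.21 to de:ad:be:ef:00:01 (laptop-9) via eth0
"""

FW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)$")
DHCP_RE = re.compile(r"^(\S+) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})")


def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def classify(src, dst):
    """Return None if a DNS flow obeys the hierarchy, otherwise a reason string."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in DMZ_DNS:
        return None  # only the DMZ resolvers may query the Internet
    if src in INTERNAL_DNS:
        return None if dst in DMZ_DNS else "internal resolver forwarding outside the DMZ"
    if src in INTERNAL_NET:
        return None if dst in INTERNAL_DNS else "client bypassing internal DNS"
    return None  # flows from outside our address space are not judged here


def parse_leases(text):
    """Yield (ack_time, ip, mac) for every DHCPACK line."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((ts(m.group(1)), m.group(2), m.group(3)))
    return leases


def attribute(ip, when, leases):
    """MAC that held `ip` at `when`: the newest DHCPACK for that ip issued within LEASE_TIME before `when`."""
    active = [l for l in leases if l[1] == ip and l[0] <= when and when - l[0] <= LEASE_TIME]
    return max(active)[2] if active else None


def audit(fw_log, dhcp_log):
    """Return one finding per DNS flow that violates the hierarchy, with DHCP attribution."""
    leases = parse_leases(dhcp_log)
    findings = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m or m.group(4) != "53":
            continue  # not a DNS flow
        when, src, dst = ts(m.group(1)), m.group(2), m.group(3)
        reason = classify(src, dst)
        if reason:
            findings.append({"time": m.group(1), "src": src, "dst": dst,
                             "reason": reason, "mac": attribute(src, when, leases)})
    return findings


if __name__ == "__main__":
    for finding in audit(FW_LOG, DHCP_LOG):
        print(finding)
```

Two details matter in practice. Attribution is time-aware: 10.0.5.21 is re-leased to a different MAC later in the day, and the lookup returns the lease that was active when the flow occurred, not the most recent one. A lease older than the standardized lease duration (10.0.7.4 here) yields no attribution, which is the cue that the lease log is incomplete or the host is using a static address outside DHCP, both of which are worth investigating.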