
Network Security Using STIG

PCI DSS frequently gets attention as a comprehensive industry standard for improving the security of production networks. Another body of guidelines with highly useful controls, and one that should be treated as a source of best practices in network security, is the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency (DISA). In particular, the Network Infrastructure STIG provides useful recommendations for securing firewalls and routers. Unlike the PCI DSS requirements, whose focus is on protecting cardholder data, the focus of the Network Infrastructure STIG is network security in general. This means that its policy prescriptions address network security processes and the security-related aspects of policy configurations in firewalls, routers and other devices, but not issues such as data encryption.

Despite its DoD focus, the STIG is very useful for the network security professional because many of its recommendations can be applied directly to enterprise network security. These recommendations take the form of policy bulletins that are actionable and specific. Here are examples of a process-related and a configuration-related policy bulletin:

(NET0135: CAT II) The IAO/NSO will review all connection requirements on a semi-annual basis to ensure the need remains current, as well as evaluate all undocumented network connections discovered during inspections.

(NET0923: CAT I) The router administrator will restrict the premise router from accepting any inbound IP packets with a local host loop back address (127.0.0.0/8).

The policy bulletins related to device configurations are extensive and cover the following issues:

  • Checks for specific TCP, ICMP, BGP and ARP protocol settings.
  • Checks for device access parameter settings.
  • Checks for the specific versions of protocols, such as SSH, that are used to access the firewall/router.
  • Checks for whether commonly compromised services such as HTTP, DHCP, FTP, traceroute and SNMP are enabled.
  • Checks for logging of access control rules.
  • Checks for correct parameters in messages originating from the firewall/router.

Network security is a 24/7 effort, so compliance with these STIG policy bulletins has to be 24/7 as well. This means that the policy bulletins relating to device configurations need to be checked whenever the configuration changes. Athena FirePAC provides support for the Network Infrastructure STIG and can perform these checks in an entirely automated fashion for Cisco routers and security appliances, Juniper Netscreen firewalls, and Check Point firewalls.
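As an added illustration (not Athena FirePAC's logic and not part of the original post), the Python sketch below shows how a configuration check of this kind can be re-run on every change: it audits a constructed Cisco IOS-style config for NET0923, an enabled HTTP service, and unlogged deny rules. The function names, interface name and sample config are assumptions; only the NET0923 identifier comes from the bulletins quoted above, and the other findings are named by description.

```python
import ipaddress
import re

# Constructed Cisco IOS-style config for illustration (not from the original page).
SAMPLE_CONFIG = """\
ip http server
interface GigabitEthernet0/0
 ip access-group INGRESS in
ip access-list extended INGRESS
 deny ip 10.0.0.0 0.255.255.255 any log
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any
"""
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def section(config, header):
    """Return the indented lines that follow a top-level config header."""
    m = re.search(rf"^{re.escape(header)}\n((?: .*\n?)*)", config, re.M)
    return [line.strip() for line in m.group(1).splitlines()] if m else []

def source_net(tok):
    """Parse an ACL source: 'any', 'host A', or 'A WILDCARD' (contiguous wildcards only)."""
    if tok[0] in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if tok[0] == "any" else tok[1] + "/32")
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False)

def loopback_blocked(rules):
    """First-match walk: is all of 127.0.0.0/8 denied before any permit can match it?"""
    for t in (r.split() for r in rules if r.startswith(("permit ", "deny "))):
        src = source_net(t[2:])
        if t[0] == "deny" and t[1] == "ip" and LOOPBACK.subnet_of(src):
            return True
        if t[0] == "permit" and src.overlaps(LOOPBACK):
            return False
    return True  # nothing permitted loopback sources; the implicit deny drops them

def audit(config, interface):
    """Return findings for three of the configuration checks, on one external interface."""
    bound = [ln.split()[2] for ln in section(config, f"interface {interface}")
             if re.fullmatch(r"ip access-group \S+ in", ln)]
    rules = section(config, f"ip access-list extended {bound[0]}") if bound else []
    ok = bool(rules) and loopback_blocked(rules)  # a missing or empty ACL filters nothing
    findings = [] if ok else ["NET0923: inbound ACL does not drop 127.0.0.0/8 sources"]
    if re.search(r"^ip http server$", config, re.M):
        findings.append("HTTP service enabled")
    findings += [f"deny rule not logged: {r}" for r in rules
                 if r.startswith("deny ") and r.split()[-1] not in ("log", "log-input")]
    return findings
```

Calling `audit(SAMPLE_CONFIG, "GigabitEthernet0/0")` reports all three findings; the NET0923 one arises because the `permit tcp any` rule matches loopback-sourced packets before the final deny is reached.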


Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerify™ and Athena FirePAC™ are trademarks of Athena Security, Inc.

Inside the Firewall is proudly powered by WordPress