PCI DSS frequently gets attention as a comprehensive industry standard for improving the security of production networks. Another body of guidelines with highly useful controls, one that should be consulted as a source of network security best practices, is the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency (DISA). In particular, the Network Infrastructure STIG provides useful recommendations for securing firewalls and routers. Unlike the PCI DSS requirements, whose focus is on protecting cardholder data, the focus of the Network Infrastructure STIG is network security in general. This means that its policy prescriptions address network security processes and the security-related aspects of firewall, router and other device configurations, but not issues such as data encryption.
Despite its DoD focus, the STIG is very useful to the network security professional because many of its recommendations apply directly to enterprise networks. The recommendations take the form of policy bulletins that are actionable and specific. Here is one example each of a process-related and a configuration-related bulletin:
(NET0135: CAT II) The IAO/NSO will review all connection requirements on a semi-annual basis to ensure the need remains current, as well as evaluate all undocumented network connections discovered during inspections.
(NET0923: CAT I) The router administrator will restrict the premise router from accepting any inbound IP packets with a local host loop back address (127.0.0.0/8).
The policy bulletins related to device configurations are extensive and cover the following issues:
- Checks for specific TCP, ICMP, BGP, ARP protocol settings.
- Checks for device access parameter settings.
- Checks for the protocol versions used to access the firewall/router, such as the SSH version.
- Checks for commonly abused services (HTTP, DHCP, FTP, traceroute, SNMP) being left enabled.
- Checks for logging of Access Control rules.
- Checks for correct parameters in messages originating from the firewall/router.
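The following Python script is an added example written for this page; it is not FirePAC's or DISA's own check logic. It parses a constructed Cisco IOS-style configuration (invented for the example) and runs a few checks in the spirit of the categories above: the NET0923 loopback-source filter, the SSH version, HTTP and BOOTP services, SNMP community strings, and logging on ACL deny entries. The check identifiers other than NET0923, the config excerpt and its "hardened" variant are all assumptions made for the example, and the conditions encoded are a plain-language reading of the categories listed above, not the STIG's exact wording. Everything else the same, the weak configuration fails four checks and the hardened one passes all six.

```python
import re

# Constructed Cisco IOS-style running-config for a premise router.
# Invented for this example; not taken from any real device.
WEAK_CONFIG = """\
hostname premise-rtr
!
ip http server
no ip bootp server
ip ssh version 1
snmp-server community public RO
!
ip access-list extended OUTSIDE-IN
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 203.0.113.10 eq 443
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
end
"""

# The same router after remediation (also constructed): SSHv2 only, HTTP off,
# a non-default SNMP community, and every ACL deny entry logged.
HARDENED_CONFIG = (
    re.sub(r"^( deny .*)$", r"\1 log", WEAK_CONFIG, flags=re.M)
    .replace("ip http server", "no ip http server")
    .replace("ip ssh version 1", "ip ssh version 2")
    .replace("community public RO", "community Xq7v-nMon RO")
)

# Section headers whose indented children we keep separately from global lines.
SECTION_HEADERS = (
    ("acls", re.compile(r"ip access-list (?:standard|extended) (\S+)$")),
    ("interfaces", re.compile(r"interface (\S+)$")),
)


def parse_config(text):
    """Split an IOS-style config into global lines, named ACLs and interfaces.
    Indented lines belong to the most recent section header; '!' ends a section."""
    cfg = {"global": [], "acls": {}, "interfaces": {}}
    section = None  # (bucket, name) of the open section, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None
        elif line.startswith(" "):
            if section:
                cfg[section[0]][section[1]].append(line.strip())
        else:
            section = None
            for bucket, pattern in SECTION_HEADERS:
                m = pattern.match(line)
                if m:
                    section = (bucket, m.group(1))
                    cfg[bucket].setdefault(m.group(1), [])
            if section is None:
                cfg["global"].append(line)
    return cfg


# Each check returns a list of findings; an empty list means the check passed.
def check_loopback_ingress(cfg):
    """NET0923: drop inbound packets sourced from 127.0.0.0/8. Every addressed
    interface is treated as a premise interface here: it needs an inbound ACL,
    and that ACL must deny the loopback block."""
    findings = []
    for intf, lines in cfg["interfaces"].items():
        if not any(l.startswith("ip address ") for l in lines):
            continue
        acl = None
        for l in lines:
            m = re.match(r"ip access-group (\S+) in$", l)
            if m:
                acl = m.group(1)
        if acl is None:
            findings.append(f"{intf}: no inbound ACL applied")
        elif not any(e.startswith("deny ip 127.0.0.0 0.255.255.255 ")
                     for e in cfg["acls"].get(acl, [])):
            findings.append(f"{intf}: ACL {acl} does not deny 127.0.0.0/8")
    return findings


def check_ssh_version(cfg):
    """Only SSH protocol version 2 may be used for device access."""
    return [] if "ip ssh version 2" in cfg["global"] else ["'ip ssh version 2' not set"]


def check_http_server(cfg):
    """HTTP/HTTPS management must be disabled."""
    return [f"'{l}' enabled" for l in cfg["global"]
            if re.match(r"ip http (secure-)?server$", l)]


def check_bootp_server(cfg):
    """BOOTP service must be explicitly disabled (older IOS enables it by default)."""
    return [] if "no ip bootp server" in cfg["global"] else ["'no ip bootp server' not set"]


def check_snmp_community(cfg):
    """Default or read-write SNMP community strings are not allowed."""
    findings = []
    for l in cfg["global"]:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", l)
        if m and (m.group(1).lower() in {"public", "private"} or m.group(2) == "RW"):
            findings.append(f"SNMP community '{m.group(1)}' is default or read-write")
    return findings


def check_acl_deny_logging(cfg):
    """Every ACL deny entry must carry 'log' so blocked traffic is auditable."""
    return [f"{acl}: '{e}' lacks 'log'" for acl, entries in cfg["acls"].items()
            for e in entries if e.startswith("deny ") and not e.endswith(" log")]


CHECKS = {  # identifiers other than NET0923 are invented for this example
    "NET0923-loopback-ingress": check_loopback_ingress,
    "ssh-version-2": check_ssh_version,
    "http-server-disabled": check_http_server,
    "bootp-server-disabled": check_bootp_server,
    "snmp-community": check_snmp_community,
    "acl-deny-logging": check_acl_deny_logging,
}


def run_checks(text):
    """Return {check_id: [findings]} for a config; run this on every config change."""
    cfg = parse_config(text)
    return {cid: fn(cfg) for cid, fn in CHECKS.items()}


def failing_checks(text):
    """Sorted identifiers of the checks that produced at least one finding."""
    return sorted(cid for cid, findings in run_checks(text).items() if findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for cid, findings in run_checks(text).items():
            print(f"{'FAIL' if findings else 'PASS'} {cid}" + "".join(f"\n    {f}" for f in findings))
```

The parser is deliberately minimal (it only distinguishes global lines, named ACLs and interfaces), which is enough for these checks; a production tool would also need to model the interface's role so that the loopback-filter rule is enforced on the external interface rather than on every addressed one.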
Network security is a 24/7 effort, so compliance with these STIG policy bulletins must also be 24/7. This means that the bulletins that relate to device configurations need to be re-checked whenever a configuration changes. Athena FirePAC supports the Network Infrastructure STIG and can perform these checks in an entirely automated fashion for Cisco routers and security appliances, Juniper Netscreen firewalls, and Check Point firewalls.