Transcript Network Security and Assured Networks

Network Security
Assessments
Robert Kimball
CTO – Ciena Government Solutions Inc.
Copyright © Ciena Corporation 2015. All rights reserved. Confidential & Proprietary.




The key difference between certification and
accreditation is that accreditation looks at the entire
enterprise (people, equipment, and procedures)
while certification only focuses on equipment
Since the answers to these questions are not static and
change as events occur, the risk tolerance of the
organization has to balance expected threats against costs
of protection
Control Type
Access Control
Awareness and Training
Audit and Accountability
Security Assessment and Authorization
Configuration management
Contingency Planning
Identification and Authentication
Incidence Response
Maintenance
Media Protection
Physical and Environmental Protection
Planning
Personnel Security
Risk assessment
System and services Acquisition
Systems and communications Protection
System and Information Integrity
Program Management
Controls
AC1, AC2(1,2,3,4), AC3, AC4,
AC6(1,2,5,9,10), AC7, AC8, AC11,AC14,
AC17(1,2,3,4)
N/A
AU2(3,4), AU3(1),AU4
N/A
CM2(1,3), CM3(2), CM5, CM6
CP9(1), CP10(2,3)
IA2(1,2,3,8), IA3, IA4, IA5(1,2,3), IA6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
SC1, SC2, SC4, SC5, SC7(1,3,4,5,7), SC8(1),
SC10, SC12, SC13, SC17, SC23, SC28,
SC32, SC41
SI3(1,2,3), SI4(2,4,5,8), SI7(1,8), SC11
N/A



















Ref: AC-8 System Use Notification
The system must provide for the display of a notification message or banner prior
to logon, that remains in place until the user takes a specific action such as logging
on. Best practice banners include the following elements:
Information system usage may be monitored, recorded and subject to audit
Unauthorized use is prohibited and
Use of the system implies consent to monitoring and recording may be subject to
civil and criminal penalties
Ref: AC-11 Session lock
The system must prevent access to the system after a predetermined period of
inactivity or upon user request, conceal previously visible information behind a
publically viewable image, and require user to reestablish identification and
authorization prior to regaining access. Assessment is performed by monitoring the
session timeout behavior.

















Ref: AU-2 Auditable Events
The enterprise must define the relevant events that are auditable. Best
practice focus is on security related information and the ability to forensically
analyze a security incident. The assessment will validate that all of the
relevant auditable events are captured by the system. Best practice include:
A requirement to periodically review and update the available auditable events
The inclusion of privileged functions in auditable events
Ref: AU-3 Content of audit records
Audit records contain information that at a minimum establishes what event
happened, when and where, the source, and user account associated with the
incident. Best practices include:
User defined audit records specific to the enterprise
Ref: AU-4 Audit Storage Capacity
The assessment will validate that the system has the determined amount of
audit record storage capacity. The determined amount may be a fixed level,
user defined capacity, or ability to connect external storage devices.
Ref: CM-2 Baseline Configuration
The system must produce a baseline configuration under
configuration control. Best practices include:
Baselines are recomputed at a defined frequencies and as a part of
upgrades and installations
System retains a predefined number of previous versions
Ref: CM-3 Configuration Change Control
System deployments are under a change control process. The
assessment requires the system to produce records of configuration
control changes and audits activities associated with configuration
control events. Best practice includes:
The system must support test and validation of configuration control
changes. This should be done externally to the system.
Ref: CM-5 Access Restrictions for Change
System must impose access restrictions to enforce physical and
logical access restrictions of users allowed to make configurations
changes to hardware and software. This can take the form of access
control lists or privileged account types. Assessment will document
access control and validate that only authorized users are able to
make configuration changes.
Ref: CP-9 Information System Backup
The assessment will review historical backups of user, system, and security
information at the defined intervals.
The system must protect the confidentiality, integrity, and availability of
backed up information. The assessment will evaluate back-up protections to
ensure viability. Best practices include:
The backed up data is tested for reliability and information integrity
Ref: CP-10 Information system recovery and Reconstitution
Assessment will validate recovery and reconstitution of the system to a known
state after a disruption, compromise, or failure. This is likely to be preformed
via validation that the capability exists rather than the introduction of an actual
failure. Best practices includes:
If transaction based systems are involved, system implements transaction
recovery including transaction rollback and transaction journaling. This is
relevant to database management systems.
Identify compensating security controls for circumstances that may inhibit
recovery and reconstitution to a known state. This includes relaxation of
security controls if required during recovery operations and return to trusted
status and restoral of security controls during reconstitution to a known state.
Ref: IA-2 Identification and Authentication (organizational users)
The system uniquely identifies and authenticates users, and processes acting on
behalf of users.
Best practices includes:
System employs multi-factor authentication for network access to non-privileged
accounts
System employs multi-factor authentication for local access to privileged accounts.
System employs replay resistant authentication mechanisms such as Transport Layer
security Protocol (TLS) and time synchronous or one time authenticators for network
access to privileged accounts
Note that the DOD prefers hard certs for authentication
Ref: IA-3 Device to Device Identification and Authentication
Information system uniquely identifies specific or types of devices before establishing
a connection (remote, network, or local).
Typically MAC or IP addresses are used as device identifiers for authentication
solutions (e.g. IEE.802.1x and Extensible Authentications protocol (EAP), radius
server with EAP-TLS authentications, or Kerberos).
Assessment will monitor the connection process for a number of devices and validate
that each device and device type are uniquely identified.
Ref: IA-4 Identifier Management
The system facilitates management of information system identifiers by preventing the reuse of assigned
identifiers for a defined period and disabling identifiers after a defined period of inactivity.
The assessment will review the connection identification of all connected devices and verify that no
duplicate identifiers are present. The assessment will attempt to connect using a previously allocated
identifier and confirm that the system prevents reuse of identifiers. Finally the assessment will confirm the
timeout behavior of inactive identifiers.
Ref: IA-5 Authenticator Management
The system shall ensure the authentications mechanism has sufficient strength for it’s intended use,
change default content of authenticators upon system installation, establishing min and max lifetime and
reuse of authenticators, periodic change of authenticator, protecting authenticator information from
modifications or disclosure, and forcing an authenticator change upon role change.
Authenticators generally include passwords, tokens, biometrics, PKI certificates, and key cards. All forms
do not have to be supported.
In this case the enterprise identifies the required strength of its authentication mechanisms. The
assessment evaluates actual performance to ensure the requested strength is available.
Best practices include:
Password authentications enforces a minimum complexity, a minimum delta after change, enforces min
and max lifetime restrictions, prevents reuse for a defined number of generations. Passwords are stored
and transmitted only with encrypted representations. Minimums and maximums are user defined.
PKI authenticators map a certifications path to an accepted trusted anchor, enforces authorized access
to the corresponding private key, and maps the authenticated identity to an individual account.
In person registration is N/A
Ref: SC-1 System and Communication Procedures
The enterprise establishes formal policy and procedures for effective
implementation of security controls related to system and communication
protection.
The assessment action is to review the document.
Procedures required to implement security controls must appear in
system documentation if user configuration is required to implement
security controls.
Ref: SC-2 Application Partitioning
System management information must be kept separate from user data
on the system. Separation can be physical or logical. Assessment
examines NMS and control plane communication channels to ensure
adequate separation. The level of separation required is based on the
enterprise risk profile.
Ref: SC-4 Information in shared resources
The information system prevents unauthorized and unintended
information transfer via shared system resources. This includes access
to shared resources (registers, main memory, or hard disks) after those
resources are released back to a shared resource pool.
The assessment activity for this area will consist of memory scans and
disk audits to ensure unintended information transfer is prevented.
Ref: SC-5 Denial of Service Protection
This control requires identification of the types of denial of service
attacks that are mitigated by the system and a list of the security
controls used. This requirement consists of an analysis activity once a
set of security controls are defined.
The assessment activity includes a review of the mitigated DOS attacks
and an audit to ensure the planned security controls are correctly
implemented. A deeper aspect of the assessment would also evaluate the
list of DOS mitigations against the current threat environment and the
enterprise risk profile.
Ref: SC-7 Boundary Protection
The system monitors and controls communications at the external boundary of the
system and at key internal boundaries and connects to external systems only
through managed interfaces.
Assessment examines each external interface and identifies key internal boundaries.
Assessment validates that these connections are achieved through managed
interfaces.
Best practices include:
Physically allocates publically accessible system components to subnetworks that
are separate from internal networks
Limited number of access points to external connections
Managed interfaces include a traffic flow policy, a method for protecting
confidentiality and integrity, and management of exceptions of the traffic flow policy
Deny external network traffic by default and allow by exception
Prevents remote devices that have established a non-remote connection (such as
the craft interface) from communicating with resources in an external network. This
control specifically prohibits split tunneling between a network VPN and an external
resource such as a printer or file server.
Ref: SC-8 Transmission Integrity
System protects the integrity of transmitted information.
Assessment evaluates enterprise requirements to protect information
integrity, and ensures identified protection are adequate to meet
requirements.
Best practices includes:
Cryptography should be used to detect changes in information during
transmission. Cryptographic mechanisms should meet FIPS requirements.
Ref; SC-9 Transmission Confidentiality
System protects the confidentiality of transmitted information
Assessment evaluates enterprise requirements to protect information
confidentiality, and ensures identified protection are adequate to meet
requirements.
Best practices includes:
Cryptography should be used to detect changes in information during
transmission. Cryptographic mechanisms should meet FIPS requirements.
Ref: SC-10 Network Disconnect
System terminates network connections after the end of a session or after
a defined period of inactivity. Inactivity period may be a set parameter or a
user input.
Assessment validates that connections are terminated after a session.
Assessment also validates that connections are terminated after the
defined period of inactivity.
Ref: SC-12 Cryptographic Key management
System manages cryptographic keys via a FIPS approved procedure. Key
management may be automated or manual.
If FIPS certification was achieved, he assessment only needs to note the
presence of the certificate. If FIPS certification was not achieved, and
cryptography is used, then the key management process must be
evaluated against FIPS criteria.
Ref: SC-13 Cryptographic Protection
All cryptographic protection used by the system conforms to FIPS
requirements.
If FIPS certification was achieved, he assessment only needs to note the
presence of the certificate. If FIPS certification was not achieved, and
cryptography is used, then the key cryptographic system must be evaluated
against FIPS criteria.
Ref: SC-17 PKI certificates
If PKI certificates are used they are obtained via an approved source.
The assessment will document the PKI certificate issuing authority.
Ref: SC-23 Session Authenticity
The system protects the authenticity of communications at the session level
not the packet level.
The assessment will examine the session level protections.
Ref: SC-28 Protection of Information at Rest
The system will protect confidentiality and authenticity of information at rest.
Required data is a user defined parameter but should generally include all
security related data. Cryptography may be used to implement this control.
Assessment will validate that any data identified by the enterprise that
requires protection is identified in the system security document. The
assessment will also examine the protection mechanism used to protect
data at rest if required.
Ref: SC-32 System Partitioning
System partitions information system into separate domains. This
requirement could be satisfied by an analysis that shows that there is no
requirement for physical separation between system components.
Assessment will determine enterprise requirements for separate domains.
If the requirement exists, assessment will validate that the intended
separation is achieved.
Ref: SC-39 Out of Band Channels
System assigns specific data and functions to out of band channels.
Assessment will determine enterprise requirements for out of band. If the
requirement exists, assessment will validate that data intended for out of
band channels is correctly routed .
Ref: SC-41 Process isolation
The system maintains a separate execution domain for each executing
process. This may be accomplished by assigning each process their
own address space. Care should be taken to ensure that no process can
alter the execution of any other process.
This is an area that may be fairly difficult to assess in 3rd party
equipment. Penetration testing may be used to look for weaknesses in
this area.
SI-3 Malicious Code Protection
This requirement is generally written to cover the need for anti-virus software in information systems. In the
case of communication systems the requirement applies to the introduction of malicious code during software
upgrades or through system vulnerabilities. The requirement is for periodic scans and regular updates to the
malicious code protection.
The assessment will consist of an examination of the software upgrade process, both in terms of
documentation and actual execution.
Best practices includes:
Malicious code protection is centrally managed
Automatic updates are performed to the malicious code prevention mechanisms
Non-privileged users are prohibited from circumventing the malicious code protection capability.
Ref: SI-4 Information System Monitoring
The system is monitored to detect attacks and indicators of potential attacks and identifies unauthorized use.
Assessment evaluates system monitoring capabilities, particularly of system administrator actions and
configuration control activities. Authorized use is defined in the system security document and unauthorized
use criteria are defined and controls implemented.
Best practices includes
The system employs automated tools
The system monitors inbound and outbound communications for unusual or unauthorized activities
The system provides alarms
The system prevents non-privileged users from circumventing intrusion detection and prevention capabilities
Ref: SI -7 Software, Firmware, and Information Integrity
Integrity verification tools are used to detect unauthorized changes to software or
firmware. Integrity checking mechanisms include parity checks, cyclical
redundancy checks, and cryptographic hashes.
Assessment documents integrity verification tools used by the enterprise.
Assessment evaluates all software and firmware upgrade elements and validates
complete integrity coverage of all elements.
Best practices include:
Scans are performed at security relevant times such as system start-up or software
upgrade
Detection of unauthorized changes are tracked as part of an incident response
system.
Ref: SI-11 Error Handling
The system identifies security relevant error conditions and generates error
messages that are only disclosed to authorized personnel.
Assessment validates that security relevant error conditions identified by the
enterprise generate error messages. Assessment also validates that only those
personnel identified in the system security document have access to those error
messages.