Critical Control 19: Secure Network Engineering

How do attackers exploit the absence of this control?

Many controls in this document are effective but can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can bypass security controls on certain systems, pivoting through the network to gain access to target machines. Attackers frequently map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Therefore, a robust, secure network engineering process must be employed to complement the detailed controls being measured in other sections of this document.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: The network should be designed using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier.
  2. Configuration/Hygiene: To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures.
  3. Visibility/Attribution: DNS should be deployed in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet.
  4. Visibility/Attribution: Security should be built into all phases of the software development lifecycle, ensuring that any security issues are addressed as early as possible.
  5. Configuration/Hygiene: Organizations should segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
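
As an added example (not part of the original control text, and not a tool the document prescribes), the following Python script models the three-tier layout from item 1 and the DNS hierarchy from item 3 as a default-deny allow-list and audits a set of observed flows against it. The address plan, host roles and flow records are constructed assumptions; in practice the records would come from NetFlow, sFlow or firewall logs.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan for the three tiers plus the client LAN (documentation
# ranges; not from the control text). Anything outside the plan is "internet".
ZONES = {
    "dmz":        [ipaddress.ip_network("192.0.2.0/24")],
    "middleware": [ipaddress.ip_network("198.51.100.0/24")],
    "private":    [ipaddress.ip_network("10.10.0.0/16")],
    "clients":    [ipaddress.ip_network("10.20.0.0/16")],
}

# Hosts with a special role in the architecture (assumed addresses).
INTERNAL_DNS = frozenset({"10.10.0.53"})   # intranet resolvers clients must use
DMZ_DNS      = frozenset({"192.0.2.53"})   # the only resolvers allowed to reach the Internet
APP_PROXY    = frozenset({"198.51.100.10"})  # middleware proxy between DMZ and private tier


def zone_of(ip: str) -> str:
    """Classify an address into a tier; unknown addresses are treated as untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: object   # zone name (str) or frozenset of specific host addresses
    dst: object
    dport: int
    note: str


def _matches(selector, ip: str) -> bool:
    if isinstance(selector, frozenset):
        return ip in selector
    return zone_of(ip) == selector


# Allow-list expressing items 1 and 3; everything not listed is denied.
POLICY = [
    Rule("internet", "dmz", 443, "public web front end"),
    Rule("dmz", APP_PROXY, 8443, "DMZ reaches private data only via the middleware proxy"),
    Rule(APP_PROXY, "private", 5432, "proxy queries the database on behalf of the DMZ"),
    Rule("clients", INTERNAL_DNS, 53, "clients resolve through intranet DNS only"),
    Rule(INTERNAL_DNS, DMZ_DNS, 53, "intranet DNS forwards unresolved queries to DMZ DNS"),
    Rule(DMZ_DNS, "internet", 53, "only DMZ DNS may query Internet resolvers"),
]


def allowed(src_ip: str, dst_ip: str, dport: int):
    """First-match evaluation; returns (permitted, reason)."""
    for r in POLICY:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip) and r.dport == dport:
            return True, r.note
    return False, "default deny"


def audit(flows):
    """Return the flows the architecture should never permit, with both endpoints' zones."""
    violations = []
    for src, dst, dport in flows:
        ok, _ = allowed(src, dst, dport)
        if not ok:
            violations.append((src, dst, dport, zone_of(src), zone_of(dst)))
    return violations


# Constructed flow records (src, dst, dport); not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 443),       # Internet -> DMZ web server: allowed
    ("192.0.2.10", "198.51.100.10", 8443),    # DMZ -> middleware proxy: allowed
    ("198.51.100.10", "10.10.5.20", 5432),    # proxy -> private database: allowed
    ("192.0.2.10", "10.10.5.20", 5432),       # DMZ -> private database directly: violation
    ("10.20.3.4", "10.10.0.53", 53),          # client -> intranet DNS: allowed
    ("10.20.3.4", "8.8.8.8", 53),             # client -> Internet resolver: violation
    ("10.10.0.53", "192.0.2.53", 53),         # intranet DNS -> DMZ DNS: allowed
    ("192.0.2.53", "198.41.0.4", 53),         # DMZ DNS -> Internet: allowed
    ("203.0.113.7", "10.10.5.20", 5432),      # Internet -> private database: violation
]

if __name__ == "__main__":
    for src, dst, dport, sz, dz in audit(SAMPLE_FLOWS):
        print("VIOLATION: %s (%s) -> %s (%s) port %d" % (src, sz, dst, dz, dport))
```

Each violation is a path the tiering is supposed to make impossible: a DMZ host talking to the database without going through the proxy, a client resolving against an Internet DNS server, or an Internet address reaching the private tier at all. The same rule table is what gets translated into the firewall ACLs that item 2 requires to be quickly deployable, and running the audit against real flow exports is a cheap way to find where the deployed ACLs and the intended architecture have drifted apart.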

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls
IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7

Associated NSA Manageable Network Plan Milestones and Network Security Tasks
Milestone 3: Network Architecture

Procedures and Tools to Implement and Automate this Control

To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the network's overall layout and the services it provides. Organizations should prepare diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.

Control 19 Sensors, Measurement, and Scoring
Sensor: Port or vulnerability scanner
Measurement: Determine which systems are visible from the Internet or from other untrusted networks. Sensitive systems and databases should not be reachable from untrusted networks at all.
Score: 100 percent if no unauthorized systems are found. Minus 10 percent for each unauthorized system that is reachable, and minus 15 percent for each reachable database server or other system that contains sensitive information.
Sensor: Network diagram
Measurement: Check and scan the network to determine that it matches the network diagram.
Score: Minus 5 percent for each unauthorized change.
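
As an added worked example (not from the original document), here is a Python implementation of the two measurements above: it parses nmap grepable (-oG) output from a scan run at an untrusted vantage point, compares the reachable hosts with an inventory derived from the network diagram, and applies the scoring rules stated above. The scan lines, addresses and inventory are constructed for illustration.

```python
import re

# Constructed nmap -oG output, as if run from outside the perimeter. Documentation
# ranges only; this is not a real scan.
SCAN_OUTPUT = """\
# Nmap scan initiated as: nmap -oG - -p 22,53,443,1433,5432 192.0.2.0/24 10.10.0.0/16
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///
Host: 192.0.2.53 ()\tPorts: 53/open/udp//domain///
Host: 192.0.2.77 ()\tPorts: 22/open/tcp//ssh///
Host: 10.10.5.20 ()\tPorts: 5432/open/tcp//postgresql///
Host: 10.10.5.30 ()\tPorts: 1433/open/tcp//ms-sql-s///, 22/open/tcp//ssh///
# Nmap done
"""

# Inventory taken from the (assumed) network diagram: which hosts are meant to be
# Internet-facing and on which ports, which hold sensitive data, and what else exists.
DIAGRAM = {
    "internet_facing": {"192.0.2.10": {443}, "192.0.2.53": {53}},
    "sensitive": {"10.10.5.20", "10.10.5.30"},      # database servers on the private tier
    "other_hosts": {"198.51.100.10"},               # middleware proxy, not Internet-facing
}

PORT_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def exposed_hosts(scan_text: str) -> dict:
    """Map host -> set of open ports from nmap -oG output; hosts with nothing open are dropped."""
    exposed = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        host = m.group(1)
        ports_field = m.group(2).split("\t")[0]   # drop a trailing "Ignored State:" column
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")     # port/state/proto/owner/service/...
            if len(fields) >= 2 and fields[1] == "open":
                exposed.setdefault(host, set()).add(int(fields[0]))
    return exposed


def score_exposure(exposed: dict, diagram: dict):
    """Sensor 1: reachable systems versus what the diagram authorizes, scored as in the text."""
    score, findings = 100, []
    for host, ports in sorted(exposed.items()):
        if host in diagram["sensitive"]:
            score -= 15
            findings.append(("sensitive system reachable", host, sorted(ports)))
            continue
        permitted = diagram["internet_facing"].get(host)
        if permitted is None:
            score -= 10
            findings.append(("unauthorized system reachable", host, sorted(ports)))
        elif not ports <= permitted:
            score -= 10
            findings.append(("unauthorized service on authorized host", host, sorted(ports - permitted)))
    return max(score, 0), findings


def score_diagram_drift(exposed: dict, diagram: dict):
    """Sensor 2: discovered hosts missing from the diagram count as unauthorized changes."""
    known = set(diagram["internet_facing"]) | diagram["sensitive"] | diagram["other_hosts"]
    drift = sorted(h for h in exposed if h not in known)
    return max(100 - 5 * len(drift), 0), drift


if __name__ == "__main__":
    seen = exposed_hosts(SCAN_OUTPUT)
    score, findings = score_exposure(seen, DIAGRAM)
    print("exposure score: %d%%" % score)
    for kind, host, ports in findings:
        print("  %s: %s ports %s" % (kind, host, ports))
    drift_score, drift = score_diagram_drift(seen, DIAGRAM)
    print("diagram score: %d%% (not on diagram: %s)" % (drift_score, drift))
```

On the constructed scan the exposure score is 60 percent: one unknown DMZ host with SSH open (minus 10) and two database servers reachable from outside (minus 15 each), which is exactly the condition the first measurement says must never occur. The diagram score is 95 percent because only the unknown host is absent from the inventory; a sensitive host that is on the diagram but wrongly reachable is a tiering failure, not a diagram failure, so the two sensors deliberately score it differently.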