DEFENSE SWITCHED NETWORK INFORMATION ASSURANCE ...

More documents

Recommendations

Info

2. Collect Data • Document findings o Note any findings deemed not applicable o Note any fixes performed by the vendor o Note any findings deemed as false positives • Document test limitations • Validate SUT is operational and conduct functionality checks after completion of assessment 3. Perform Data Analysis and Report Results Data collected from the STIG, their respective Checklists, and any SRR scripts will be analyzed to accomplish the following assessment objectives: • Identify and attempt to eliminate “false positive” results. • Highlight and categorize findings according to their level of importance, whether vulnerabilities are CAT I (high), CAT II (medium), or CAT III (low). • Provide recommendations to remediate or mitigate the risks. Additional IA Testing Methodology. The design of IA Generic Requirement (GR)-815 CORE testing focuses on the proper protection of the SUT’s control panel, security log, and transferred data through encryption, as well as conformance to acceptable security standards. The test team incorporated GR-815 requirements to STIG requirements, and developed additional test procedures in the DIACAP Scorecard to address GR-815 requirements that are not validated via the STIGs. There are 19 test procedures included in Appendix E, to support GR-815 requirements testing not supported by STIG. Unified Capabilities Requirements (UCR) IA Internet Protocol version 6 (IPv6) Methodology. The UCR IA IPv6 Requirements section is used to verify that the tested system can create or receive, process, and send or forward (as appropriate) IPv6 packets in mixed IPv4/v6 environments. The UCR IA IPv6 requirements have been implemented relating to voice telecommunications equipment specific to IPv6 Profile Categories. Networks that can receive, process, and forward IPv6 packets from/to devices within the same network and from/to other networks and systems, where those networks and systems may be operating with only IPv4, only IPv6, or both IPv4 and IPv6. An IPv6 capable network shall be ready to have IPv6 enabled for operational use, when mission need or business case dictates. Specifically, an IPv6 capable network must meet the following: a. Use IPv6 Capable Products. b. Accommodate IPv6 in network infrastructures, services, and management tools and applications. c. Conform to DoD and NSA-developed IPv6 network security implementation guidance. d. Manage, administer, and resolve IPv6 addresses in compliance with the DoD IPv6 Address Plan when enabled. 9
e. System Requirements, Maximum Transmission Unit (MTU), Flow Label, Address, Dynamic Host Configuration Portal (DHCP), Neighbor Discovery, Redirect Messages, Router Advertisements, Stateless Address Autoconfiguration and Manual Address Assignment, Internet Control Message Protocol (ICMP), Routing Functions, IP Security, Network Management, IP Version Negotiation, AS-SIP IPv6 Unique Requirements, and Miscellaneous Requirements. IP Vulnerability (IPV) Testing Methodology. The IPV test team conducts vulnerability assessments and penetration testing for Approved Products List (APL) telecommunication equipment destined for connection to the DSN. The design of a vulnerability assessment is to analyze the system in scope and find areas where attacks might be more likely to occur, without necessarily exploiting the problems identified. A vulnerability assessment typically involves investigation of the Operating System to determine whether current patches are applied, whether the system is configured in a manner that makes attacks more difficult, and whether the system exposes any information that an attacker could use to exploit other systems in the enclave. Vulnerability assessments use a number of commercial and proprietary tools to minimize false positives. The design of a penetration test is to simulate an attack on the vendor’s system within a specified environment. While a number of variables determine how the attacks are initiated and conducted, the defining characteristic of a penetration test is that IA testers will be actively attacking the system using the same or similar methods to what an actual attacker would use. The following DoDI 8500.2 IA Controls apply to the IPV testing procedures: Design and Configuration Ports Protocols and Services (DCPP-1), Enclave and Computing Environment Voice over IP (ECVI-1), Enclave and Computing Environment Transmission Integrity Controls (ECTM-2), Vulnerability and Incident Management Vulnerability Management (VIVM-1), and Enclave and Computing Monitoring and Testing (ECMT-1). The IPV test team conducts vulnerability scanning with penetration tools and techniques. Vulnerability analysis for custom software and applications may require additional, more specialized approaches (e.g., vulnerability scanning tools for application, source code reviews, and statistical analysis of source code). The following steps outline the general procedures that the test teams employ. Appendix E contains detailed procedures. 1. Perform Identification and Verification • IP Interface Identification – Identify and verify all operational IP interfaces. 2. Determine Test Components 10
Page 1 and 2: DEFENSE INFORMATION SYSTEMS AGENCY
Page 3 and 4: DEFENSE SWITCHED NETWORK INFORMATIO
Page 5 and 6: EXECUTIVE SUMMARY The Department of
Page 7 and 8: TABLE OF CONTENTS iii Page EXECUTIV
Page 9 and 10: TABLE OF CONTENTS (continued) LIST
Page 11 and 12: SUMMARY OF CHANGES Editor/Approver
Page 13 and 14: The DSN provides end-to-end command
Page 15 and 16: implementing a security baseline, p
Page 17 and 18: • Apply applicable STIGs and subm
Page 19: Some products, such as CPE, rely on
Page 23 and 24: 8. Conduct Service Enumeration Serv
Page 25 and 26: (The page intentionally left blank.
Page 27 and 28: IAM Information Assurance Manager I
Page 29 and 30: (The page intentionally left blank.
Page 31 and 32: Table B-1. STIG Listing STIG Descri
Page 33 and 34: Table B-1. STIG Listing (continued)
Page 35 and 36: Figure B-2. NSA Website B-4. MICROS
Page 37 and 38: compliant, non-compliant, or not ap
Page 39 and 40: Within the delivered scorecard, the
Page 41 and 42: Absinthe (SQL injection) Arpoison (
Page 43 and 44: APPENDIX C TEST PREPARATION DOCUMEN
Page 45 and 46: DSN IA Test Team Test Preparation D
Page 47 and 48: DSN IA Test Team Test Preparation D
Page 49 and 50: APPENDIX D DSN ARCHITECTURE The Def
Page 51 and 52: APPENDIX E ASSESSMENT OBJECTIVES, C
Page 53 and 54: STIG. Not all checklists have paren
Page 55 and 56: HKLM\SYSTEM\CurrentControlSet\Servi
Page 57 and 58: Figure E-3. Configure Your Computer
Page 59 and 60: Table E-1. Gold Disk Minimum System
Page 61 and 62: Table E-3. DISA Gold Disk Test Proc
Page 63 and 64: Procedures (continued) Table E-5. S
Page 65 and 66: Table E-6. Additional IA Requiremen
Page 67 and 68: Table E-6. Additional IA Requiremen
Page 69 and 70: Table E-7. IPv6 Requirements Test C
Page 71 and 72:
Table E-7. IPv6 Requirements (conti
Page 73 and 74:
NOTE 2: There is no requirement tha
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
106 (continued) Table E-7. IPv6 Req
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
3. Post Test. An IA Assessment Draf
Page 121 and 122:
7. System Under Test (SUT) Test Pro
Page 123 and 124:
Table E-9. TCP Sweep Test Procedure
Page 125 and 126:
Table E-12. Service Enumeration Tes
Page 127 and 128:
types of applications they are desi
Page 129 and 130:
(SQL) injection through web interfa
Page 131 and 132:
• Use TCP fragments in reverse or
Page 133 and 134:
Locater (URL) encoding string, sess
Page 135 and 136:
Figure E-8. Function Keys (3) Captu
Page 137 and 138:
1. Level 1 - T1/E1 Signal, Sync AIS
Page 139 and 140:
(d) Add additional Information Elem
Page 141 and 142:
(10) Key - F10 - Help. See Figure E
Page 143 and 144:
Figure E-21. Configuration Level 3
Page 145 and 146:
Figure E-25. Configure Level 1 (3)
Page 147 and 148:
f. SS7 Examples (1) SS7 Network Exa
Page 149 and 150:
APPENDIX F DOD INFORMATION ASSURANC
Page 151 and 152:
The DIP should contain the followin
Page 153 and 154:
APPENDIX G REFERENCES Department of
Page 155 and 156:
Napier, Michael JITC Action Officer
show all

DEFENSE SWITCHED NETWORK INFORMATION ASSURANCE ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?