External network connections must not bypass the enclave's perimeter security.

From Network Infrastructure Policy Security Technical Implementation Guide

Part of Backdoor network connections bypass perimeter security.

Associated with: CCI-001102 CCI-001103

SV-8538r4_rule External network connections must not bypass the enclave's perimeter security.

Vulnerability discussion

External networks connected to the organization impose security risks unless their traffic is routed through the perimeter security devices. Because networks external to the organization are considered untrusted, a connection that bypasses the perimeter is especially dangerous: there is no way to verify traffic inbound or outbound on such a backdoor connection, and an attacker could carry out attacks or steal data from the organization without any notification. An external connection is any link from the organization's perimeter to the NIPRNet, SIPRNet, a commercial ISP, or any other untrusted network outside the organization's defined security policy. The DREN and SREN make up DoD's Research & Engineering Network, the official DoD long-haul network for computational scientific research, engineering, and testing in support of DoD's S&T and T&E communities. It has also been designated a DoD IPv6 pilot network by the Assistant Secretary of Defense (Networks & Information Integration)/DoD Chief Information Officer (ASD (NII)/DoD CIO). A DISN enclave should not have connectivity to the DREN unless approved by the AO and the requirements for all external connections described in NET0130 have been met.

Check content

Review the network topology diagram and verify that ingress and egress traffic via external connections to the enclave does not bypass the enclave's perimeter security. If there are external connections to the enclave that bypass the enclave's perimeter security, this is a finding.

Fix text

Disconnect any external network connections not routed through the organization's perimeter security or validated and approved by the AO.
