
Internet Security

In document DHS 4300A Sensitive Systems Handbook (Page 184-187)

5.4 Network and Communications Security

5.4.5 Internet Security

This section provides specific DHS technical policy regarding the use and proper configuration of firewalls and the management of dial-up connections and other protocols.

DHS Policy

a. Any direct connection of DHS networks to the Internet or to extranets must occur through firewalls that have been certified and accredited.

b. Firewalls shall be configured to prohibit any protocol or service that is not explicitly permitted.

c. Components shall ensure that all executable code, including mobile code (e.g., ActiveX, JavaScript), is reviewed and approved by an appropriate senior official prior to the code being allowed to execute within the DHS environment. [Note: When the technology becomes available and code can be vetted for security, the policy will be “Ensure that all approved code, including mobile code (e.g., ActiveX, JavaScript), is digitally signed by the designated DHS authority and that only signed code is allowed to execute on DHS IT systems.”]

d. Telnet shall not be used to connect to any DHS computer. A connection protocol such as Secure Shell (SSH) that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.

e. File Transfer Protocol (FTP) shall not be used to connect to or from any DHS computer. A connection protocol that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.

Internet security responsibilities are provided below.

Internet Security Responsibilities

DAA

• Ensures all external network connections are protected by a firewall and possibly other boundary protection devices that have been certified and accredited at a level commensurate with the sensitivity of the information to be protected.

• Ensures dial-up connections are addressed in the C&A documentation.

ISSOs

• Ensure all external network connections are addressed in the risk assessment and System Security Plan.

• Ensure all external network connections are protected by a firewall and possibly other boundary protection devices.

• Ensure all boundary protection devices are properly configured and monitored.

• Ensure dial-up connections are properly configured and secure.

Network/System Administrators

• Ensure all boundary protection devices are properly configured and monitored.

• Ensure firewall ports that allow file and printer sharing, whether through Microsoft NetBIOS, Common Internet File System (CIFS), Network File System (NFS), or TCP Server Message Block (SMB) protocols, are closed.

• Ensure firewalls are configured to prohibit any protocol or service that is not explicitly permitted.

• Ensure the following are prohibited:

− Telnet (clear text) connections.

− FTP unsecured (clear text) file transfers.

− SNMP protocols that can be used to monitor and control systems.

− Cross boundary routing broadcasts.

− Address Resolution Protocol (ARP) messages.

− DNS communications across the boundary (by using split DNS with zone transfer authentication).

− Unsecured file transfers.

− Mobile code (e.g., ActiveX, JavaScript) that has not been reviewed and digitally signed by an appropriate DHS authority.

• Ensure dial-up connections are properly configured and secure.

Sound network security practice dictates that all network connections be identified and the threats and vulnerabilities associated with these connections be analyzed. The guidance provided in Section 5.4.3, Network Connectivity, specifically with regard to ISAs, also applies to Internet and extranet connections.

An extranet is a private network encompassing that portion of an organization’s intranet that it chooses to securely share—via the Internet and the public telecommunication system—with external suppliers, vendors, or customers. An extranet requires security and privacy and may involve firewalls, digital certificates, message encryption, and virtual private networks that can tunnel through the public network.

All external connections, including extranets, must be identified and documented in the Security Plan, the Risk Assessment, and other C&A documentation as necessary. The risks associated with these connections must be addressed during the C&A process. Additionally, external network connections are to be reviewed annually by Component personnel and documented in the annual IT security assessment.

Adequate protection requires the proper selection and installation of firewalls and other boundary devices, Intrusion Detection Systems, and ancillary encryption or filtering devices. These devices must be certified and accredited prior to their use on DHS networks.

Implementation guidance for firewalls is discussed in Section 5.4.4, Firewalls. Intrusion Detection Systems are covered in Section 5.4.2, and encryption is addressed in Section 5.5.1.

The adequacy of these devices must be monitored and reviewed as part of periodic IT security assessments.

Firewalls must be configured to prohibit any Transmission Control Protocol (TCP) service, User Datagram Protocol (UDP) service, or other protocol that is not explicitly permitted. Of particular concern is the need to close ports that allow file and printer sharing, whether through Microsoft NetBIOS, Common Internet File System (CIFS), Network File System (NFS), or TCP Server Message Block (SMB) protocols. The use of file and printer sharing is associated with numerous vulnerabilities, ranging from enumeration of devices and user accounts to anonymous, unauthorized control of systems.

Telnet, which is prohibited on DHS systems and networks, is a utility program and protocol that allows one computer to connect to another computer on a network. After providing a username and password to log in to the remote computer, a user can enter commands that are executed as if entered directly at the remote computer. Telnet transfers all information in “clear text” (human readable text), which allows Internet service providers (ISPs) and other users on the Internet, intranet, or LAN to intercept the traffic it creates. This could allow unauthorized users to obtain user IDs and passwords, capture information or commands that are being sent, and potentially alter the information in the telnet connection. Telnet uses a commonly known port, which makes it easy for someone to “sniff” telnet traffic. The approved solution for this functionality is to use Secure Shell (SSH). SSH is an IETF protocol that provides encrypted connections and supports authentication with digital certificates and other secure methods of authentication.

FTP is a means of transferring files from one computer to another. FTP transfers all information in clear text (human readable text), which allows Internet Service Providers (ISPs) and other users on the Internet, intranet, or LAN to intercept the traffic it creates. This allows unauthorized users to capture information or commands and possibly alter the information in the FTP connection. FTP generally uses a commonly known port, which makes it easy for someone to “sniff” FTP traffic. The approved solution for this security risk is to use the Secure File Transfer Protocol (SFTP) component of Secure Shell (SSH). SSH is a FIPS 140-2-approved Internet Engineering Task Force (IETF) protocol, which provides encrypted connections and supports authentication with digital certificates and other secure methods of authentication.

Use of the following is expressly prohibited:

• Telnet

• File Transfer Protocol (FTP)

• Simple Network Management Protocol (SNMP), which can be used to monitor and control systems

• Address Resolution Protocol (ARP) messages

The following have significant risks and shall be used only in conjunction with appropriate countermeasures and risk-reduction procedures:

• Cross boundary routing broadcasts

• DNS communications across the boundary (by using split DNS with authentication of zone transfers)

• Mobile code (e.g., ActiveX, JavaScript) that has not been reviewed and digitally signed by an appropriate DHS authority.
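The deny-by-default firewall requirement and the prohibited-service lists above can be checked mechanically. The following is an added example, not part of DHS 4300A: it audits a boundary firewall ruleset, in a constructed vendor-neutral format (a default policy plus a list of rules with "action", "proto" and "port"), for a non-deny default, blanket "any port" permits, and any permit that exposes Telnet, FTP, SNMP, NetBIOS, SMB/CIFS or NFS. ARP has no port and is outside what a port-based check can cover.

```python
# Added example, not part of DHS 4300A. Port numbers are the IANA well-known
# ports for the services the handbook names; the ruleset format is constructed.

# (proto, port) -> service the handbook says must not be permitted at the boundary
PROHIBITED_PORTS = {
    ("tcp", 23): "Telnet", ("tcp", 21): "FTP",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP trap",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session/SMB", ("tcp", 445): "SMB/CIFS",
    ("tcp", 2049): "NFS", ("udp", 2049): "NFS",
}

def _port_range(port):
    """Normalise a rule's port field (int, 'lo-hi' string, or 'any') to (lo, hi)."""
    if port == "any":
        return 0, 65535
    if isinstance(port, str) and "-" in port:
        lo, hi = port.split("-", 1)
        return int(lo), int(hi)
    return int(port), int(port)

def audit_ruleset(default_policy, rules):
    """Return a list of findings; an empty list means the ruleset is compliant."""
    findings = []
    if default_policy.lower() != "deny":  # policy b: deny anything not explicitly permitted
        findings.append(f"default policy is '{default_policy}', must be deny")
    for i, rule in enumerate(rules):
        if rule["action"].lower() != "allow":
            continue  # only permit rules can violate the policy
        protos = ("tcp", "udp") if rule["proto"] == "any" else (rule["proto"].lower(),)
        lo, hi = _port_range(rule["port"])
        if (lo, hi) == (0, 65535):
            findings.append(f"rule {i}: permits every {'/'.join(protos)} port, not an explicit service")
            continue
        for (p, num), name in PROHIBITED_PORTS.items():
            if p in protos and lo <= num <= hi:
                findings.append(f"rule {i}: permits {p}/{num} ({name}), prohibited at the boundary")
    return findings

# Constructed sample rulesets: one that violates the policy three ways (default
# allow, NetBIOS session port inside a range, Telnet), one that permits only
# HTTPS and SSH (the approved replacement for Telnet and FTP).
NONCOMPLIANT = ("allow", [
    {"action": "allow", "proto": "tcp", "port": 443},
    {"action": "allow", "proto": "tcp", "port": "137-139"},
    {"action": "allow", "proto": "tcp", "port": 23},
])
COMPLIANT = ("deny", [{"action": "allow", "proto": "tcp", "port": 443},
                      {"action": "allow", "proto": "tcp", "port": 22}])
```

Running `audit_ruleset(*NONCOMPLIANT)` yields three findings, while the compliant ruleset yields none.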

Implementation guidance for securing dial-up connections is addressed in Section 5.4.1, Remote Access and Dial-In. Dial-in connections must be strictly controlled, to the extent they can even be justified.
