DoD UC Framework 2013, Section 13 Table of Contents TABLE OF CONTENTS

Similar documents
Changes to UCR 2008, Change 1, Section 5.3.2, Assured Services Requirements

Changes to UCR 2008, Change 2, made by UCR 2008, Change 3 for Section 5.8, Security Devices Requirements

Changes to UCR 2008, Change 2, made by UCR 2008, Change 3 for Section 5.3.6, Multifunction Mobile Devices

Changes to UCR 2008, Change 1, Section 5.3.5, IPv6 Requirements

DoD UC Framework 2013, Section 2 Table of Contents TABLE OF CONTENTS

Changes to UCR 2008, Change 2, Section 5.8, Security Devices Requirements

Changes to UCR 2008, Change 2, made by UCR 2008, Change 3 for Section 5.3.1, ASLAN Requirements

Deployment Scenarios

Changes to UCR 2008, Change 2, Section 5.3.1, ASLAN Requirements

Changes to UCR 2008, Change 1, Section 5.3.1, ASLAN Requirements

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 21 Feb 13

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

DoD UC Framework 2013, Section 7 Table of Contents TABLE OF CONTENTS

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND

Communications Transformations 2: Steps to Integrate SIP Trunk into the Enterprise

Cisco Associate-Level Certifications

CertifyMe. CertifyMe

PrepKing. PrepKing

DoD UCR 2013, Section 13 Table of Contents TABLE OF CONTENTS

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 28 Dec 11

Vol. 1 Technical RFP No. QTA0015THA

Chapter 1 B: Exploring the Network

HikCentral V.1.1.x for Windows Hardening Guide

T&E IN CYBERSPACE (UCR TESTING)

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 2 Sep 11

INFORMATION ASSURANCE DIRECTORATE

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND MEMORANDUM FOR DISTRIBUTION 20 May 11

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

CISCO EXAM QUESTIONS & ANSWERS

Understanding Cisco Unified Communications Security

ASA/PIX Security Appliance

BeOn Security Cybersecurity for Critical Communications Systems

SECTION CORRECTION EFFECTIVE DATE

CCNP BCMSN Quick Reference Sheets

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND F. Joint Interoperability Test Command (JTE) 15 Oct 12

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

CND Exam Blueprint v2.0

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 6 Sep 12

Changes to UCR 2008, Change 2, Section 5.3.3, Network Infrastructure E2E Performance Requirements

Steganophony: Challenges and Detection of Exfiltration Attacks

Changes to UCR 2008, Change 2, made by UCR 2008, Change 3, Section 5.3.3, Network Infrastructure E2E Performance Requirements

CompTIA Network+ Study Guide Table of Contents

HikCentral V1.3 for Windows Hardening Guide

Title: Information Assurance (IA) Design Review Information Package (DRIP) Number: DI-MGMT Approval Date:

Virtual Private Networks (VPNs)

2007 NEC Unified Solutions, Inc.

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND

Security Assessment Checklist

Chapter 5. Security Components and Considerations.

Cisco SR 520-T1 Secure Router

Cisco Technologies, Routers, and Switches p. 1 Introduction p. 2 The OSI Model p. 2 The TCP/IP Model, the DoD Model, or the Internet Model p.

Cisco Webex Cloud Connected Audio

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND

CCNP Switch Questions/Answers Cisco Enterprise Campus Architecture

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 30 Oct 15

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 16 Oct 12

Campus Network Design

Understanding Networking Fundamentals

Allstream NGNSIP Security Recommendations

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND

CyberP3i Course Module Series

Logical Network Design (Part II)

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 25 Jul 13

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND F

Selling the Total Converged Solution Module #1: Nortel Enterprise Networking Overview of the 4 Pillars and Why Nortel Tom Price Nortel HQ Sales

COURSE PROJECT SEM ATTENTION ALL ADVANCED DIPLOMA & BACHELOR STUDENTS

4562 Converged Networking Router

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

White Paper. SIP Trunking: Deployment Considerations at the Network Edge

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 24 Oct 12

Changes to UCR 2008, Change 1, Section 5.9, Network Elements

Firewalls for Secure Unified Communications

Cisco ISR G2 Management Overview

Unified Communications Networks Security and Platforms

CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]

Cisco Self Defending Network

Exam: : VPN/Security. Ver :

WHITE PAPER. Session Border Controllers: Helping keep enterprise networks safe TABLE OF CONTENTS. Starting Points

Network Configuration Guide

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CCNA Exploration Network Fundamentals

2007 Cisco Systems, Inc. All rights reserved. 1

Cisco Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0. Cisco

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 22 Jan 13

Security+ SY0-501 Study Guide Table of Contents

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 28 Aug 14

Unified IP IVR Architecture

MANAGED WAN SERVICE GENERAL Service Definition Standard Service Features. Monitor and Notify Service Level Monitoring Notification

Live Demo: Top Deployed SD-WAN Use Cases

PROTECTING INFORMATION ASSETS NETWORK SECURITY

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTD) 1 March 2018

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 14 Jun 13

DEFENSE INFORMATION SYSTEMS AGENCY P. O. BOX 549 FORT MEADE, MARYLAND Joint Interoperability Test Command (JTE) 14 Apr 15

Contents at a Glance

Digital Advisory Services Professional Service Description SIP SBC with Field Trial Endpoint Deployment Model

Cisco Cisco ADVDESIGN. Download Full Version :

ITdumpsFree. Get free valid exam dumps and pass your exam test with confidence

Securing Access to Network Devices

QUESTION: 1 You have been asked to establish a design that will allow your company to migrate from a WAN service to a Layer 3 VPN service. In your des

Transcription:

, Table of Contents TABLE OF CONTENTS SECTION PAGE Security Devices... 13-1 13.1 Physical Security... 13-1 13.2 Security Devices Security Design... 13-1 13.3 Network Security Design... 13-1 13.4 Requirements Development Concept... 13-3 i

DOD UC Framework 2013, List of Figures LIST OF FIGURES FIGURE PAGE Figure 13.3-1. Notional Example of Voice and Data ASLAN Segmentation... 13-3 ii

SECTION 13 SECURITY DEVICES The UCR Security Devices describes the requirements for security devices that will be on the Approved Products List (APL). This includes requirements for firewalls (FWs), Intrusion Prevention Systems (IPSs), Network Access Control, Wireless Internet protocols (IPs), and Virtual Private Network (VPN) devices. 13.1 PHYSICAL SECURITY Physical security is the responsibility of the installing Base/Camp/Post/Station (B/P/C/S). Essentially, two sets of requirements are associated with a complete Unified Capabilities (UC) system. The end points (i.e., PCs, End Instruments [EIs], Classified Provider Edge [C-PE]) have one set of physical security requirements while the network (i.e., Local Area Network [LAN] switches, security devices, and routers) and signaling products (i.e., Session Controller [SC], Softswitch [SS], and Media Gateway [MG]) require another set of requirements. A full definition of physical security requirements is beyond the scope of this section. 13.2 SECURITY DEVICES SECURITY DESIGN Security devices use a defense in-depth approach based on best commercial practices. The product security defenses are categorized as follows and are discussed in Section 4, Information Assurance: User Roles. Hardened operating systems. Auditing. Application security. Redundant systems. Additional defenses may be added dependent on the specific threats associated with a product. The requirements in UCR describe the requirements necessary to ensure that the separation of information is maintained and that the network managers are able to be aware of attacks against the network, configure the devices to protect against those attacks, and provide data to perform forensic activity on security-related incidents. 13.3 NETWORK SECURITY DESIGN One of the principal tenets of any Information Assurance design is the separation of components (i.e., traffic, appliances, and users) and/or services from each other based on their characteristics. A converged network requires the opposite, in that appliances within a converged network may service the voice, data, and video applications. As a result of this conflict, the interactions 13-1

between the various component segments must be controlled to ensure that an attacker that gains access to one segment cannot gain access to nor affect the other segments. In addition, interaction control between various segments is used to prevent configuration or user errors in one segment from affecting other segments. The actions of normal users of converged network services must not affect the other services, specifically the voice service. The principal mechanisms that are used within this design for segmenting the network are Virtual LANs (VLANs), segmented IP address space or subnets, and VPNs, and are used in combination with filters, access control lists (ACLs), and stateful packet inspection firewalls (Voice and Video over IP [VVoIP] stateful firewalls) to control the flow of traffic between the VLANs and VPNs. The UCR ensures that the equipment can set up VLANs or VPNs as appropriate. It does not dictate the way that they should be implemented, but the STIGs do provide that guidance.figure 13.3-1, Notional Example of Voice and Data ASLAN Segmentation, provides one example and presents the simplest type of converged LAN with only voice and data applications. Separate VLANs are established between voice and data applications and the Layer 3 switches are responsible for providing access control between the different VLANs using filtering techniques, such as ACLs. In this type of deployment, appliances are classified as VVoIP appliances or data appliances and it may be possible to avoid deploying appliances that service both VVoIP and data appliances. At the Customer Edge (CE) Router (CE-R), separate VPNs may be established, if necessary, to segment the voice traffic from the data traffic as the packets transit the Defense Information Systems Network (DISN) Wide Area Network (WAN). In addition, VPNs may be used to extend the local enclave to remote offices of the same organization, telecommuters, and travelers. Also, the VVoIP traffic is routed from the CE-R to the Provider Edge (PE) Router along the same path as the non-vvoip traffic. The only connection to the Public Switched Telephone Network (PSTN) is through a Time Division Multiplexing (TDM) interface using Primary Rate Interface (PRI) or Channel Associated Signaling (CAS) so that there is no interaction between the VVoIP system and commercial VVoIP IP networks. Moreover, it is important to note that the SC has two separate interfaces: one for local Network Management (NM) and a second for the Voice over IP (VoIP) end-to-end (E2E) NM traffic. 13-2

Figure 13.3-1. Notional Example of Voice and Data ASLAN Segmentation 13.4 REQUIREMENTS DEVELOPMENT CONCEPT Based on the UC Information Assurance design, threats, and countermeasures, a set of derived requirements were developed for security devices. Different vendors combine different functions into their appliances to meet the requirements of a particular type of product. For the purposes of the Unified Capabilities Requirements (UCR), the requirements are levied on the individual security devices, as applicable, to secure the entire product. It is understood that the Information Assurance design provides a high-level description of how the security devices interact in a secure manner. In addition, the appropriate Security Technical Implementation Guidelines (STIGs) will further clarify how the Information Assurance design and requirements are implemented on the appliance. This section is intended to provide a level of security requirements consistent with the level of security requirements defined for the UC, but adapted for the unique Department of Defense (DoD) UC environment consistent with the requirements in the UCR. 13-3

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback