Critical Control 16: Secure Network Engineering
How do attackers exploit the lack of this control?
Many controls in this document are effective but can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can bypass security controls on certain systems, pivoting through the network to gain access to target machines. Attackers frequently map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Therefore, a robust, secure network engineering process must be employed to complement the detailed controls measured in the other sections of this document.
How can this control be implemented, automated, and its effectiveness measured?
Among the engineering/architectural standards to be used are:
- QW: Each organization should standardize the DHCP lease information and lease time assigned to systems, and verbosely log all information about the DHCP leases distributed in the organization, so that an address can later be attributed to a specific system and time window.
- Config/Hygiene: To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures.
- Vis/Attrib: DNS should be deployed in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet.
- Advanced: Organizations should segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
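The Vis/Attrib item above describes a three-tier DNS hierarchy (clients to intranet resolvers, intranet resolvers to DMZ forwarders, DMZ forwarders to the Internet). The following is an added example, not code from the document or its authors, that audits constructed firewall log lines against that policy and reports flows that skip a tier; the subnets, resolver addresses and key=value log format are all assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology for this example (assumed, not from the document):
# clients in 10.0.0.0/8, one intranet resolver, one DMZ forwarder.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTRANET_DNS = {ipaddress.ip_address("10.0.0.53")}
DMZ_DNS = {ipaddress.ip_address("192.0.2.53")}

def classify_dns_flow(src: str, dst: str) -> str:
    """Check one DNS flow against the tiered policy: clients -> intranet
    resolvers -> DMZ forwarders -> Internet. Returns 'ok' or a violation tag."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in DMZ_DNS:
        return "ok"                        # only the DMZ tier may query the Internet
    if s in INTRANET_DNS:
        return "ok" if d in DMZ_DNS else "intranet-dns-bypasses-dmz"
    if any(s in net for net in INTERNAL_NETS):
        return "ok" if d in INTRANET_DNS else "client-bypasses-intranet-dns"
    return "unexpected-source"             # e.g. a DMZ host that is not a resolver

def parse_line(line: str) -> Dict[str, str]:
    """Parse key=value firewall log fields (constructed format); other tokens are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def audit_dns_flows(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, violation) for every port-53 flow that breaks the policy."""
    findings = []
    for line in log_lines:
        fields = parse_line(line)
        if fields.get("dport") != "53":
            continue                       # not DNS; out of scope for this check
        verdict = classify_dns_flow(fields["src"], fields["dst"])
        if verdict != "ok":
            findings.append((fields["src"], fields["dst"], verdict))
    return findings

# Constructed sample log lines (not real traffic); documentation address ranges are used.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z action=allow src=10.1.2.3 dst=10.0.0.53 proto=udp dport=53",
    "2024-05-01T10:00:01Z action=allow src=10.1.2.4 dst=203.0.113.53 proto=udp dport=53",
    "2024-05-01T10:00:02Z action=allow src=10.0.0.53 dst=192.0.2.53 proto=udp dport=53",
    "2024-05-01T10:00:03Z action=allow src=10.0.0.53 dst=198.51.100.9 proto=udp dport=53",
    "2024-05-01T10:00:04Z action=allow src=192.0.2.53 dst=198.51.100.9 proto=udp dport=53",
    "2024-05-01T10:00:05Z action=allow src=10.1.2.5 dst=203.0.113.7 proto=tcp dport=443",
]

if __name__ == "__main__":
    for src, dst, why in audit_dns_flows(SAMPLE_LOG):
        print(f"{src} -> {dst}: {why}")
```

Run against real egress firewall logs, the two violation tags map directly to the two misconfigurations the policy forbids: a client resolving outside the intranet tier, and an intranet resolver forwarding past the DMZ.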
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7
Procedures and tools for implementing and automating this control:
To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the overall layout of the network and the services it provides. Organizations should prepare network diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.
Additional Security Controls
The following sections identify additional controls that are important but cannot be fully automatically or continuously monitored to the same degree as the controls covered earlier in this document.