Critical Security Control: 19

Secure Network Engineering

Make security an inherent attribute of the enterprise by specifying, designing, and building in features that allow high-confidence system operations while denying or minimizing opportunities for attackers.

Why Is This Control Critical?

System or security designers rarely get to start from scratch and build in all of the security features they might want. And even if they did, systems constantly evolve, new business imperatives appear, attackers develop new techniques, and new technologies emerge to complicate the security problem. In such an environment, attackers take advantage of missing security features, time gaps in deploying new defenses or moving information, and the "seams" between defensive controls. Defenders are quickly overwhelmed with new operational requirements, managing tools and changes, new information, and "fire-fighting".

How to Implement This Control

| ID # | Description | Category |
|------|-------------|----------|
| CSC 19-1 | Design the network using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier. | Quick win |
| CSC 19-2 | To support rapid response and shunning of detected attacks, engineer the network architecture and its corresponding systems for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures. | Configuration/Hygiene |
| CSC 19-3 | Deploy domain name systems (DNS) in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet. | Visibility/Attribution |
| CSC 19-4 | Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses. | Configuration/Hygiene |
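
The three-tier rule in CSC 19-1 can be checked mechanically against a firewall rule export and an asset inventory. The following is an added example, not part of the original control text; the zone names, record layout, and sample data are assumptions, and any zone-to-zone path not listed is treated as a finding.

```python
# Added example: audit constructed firewall rules and an asset list against CSC 19-1.
# Zone names and the record layout are assumptions made for this illustration.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # zone that initiates the connection
    dst: str   # zone that receives it
    port: int

class Host(NamedTuple):
    name: str
    zone: str
    sensitive: bool  # True if the host stores sensitive data

# Connection-initiation paths the three-tier model permits (assumed default deny).
ALLOWED_PATHS = {
    ("internet", "dmz"),        # Internet-facing systems live on the DMZ
    ("dmz", "middleware"),      # DMZ systems talk to the application proxy
    ("middleware", "private"),  # only the proxy tier reaches the private network
}

def audit(rules, hosts):
    """Return a list of findings; an empty list means the design conforms."""
    findings = []
    for r in rules:
        if r.src != r.dst and (r.src, r.dst) not in ALLOWED_PATHS:
            findings.append(f"rule {r.src}->{r.dst}:{r.port} bypasses a tier")
    for h in hosts:
        if h.sensitive and h.zone != "private":
            findings.append(f"host {h.name} holds sensitive data in zone {h.zone}")
    return findings

# Constructed sample data.
RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "middleware", 8443),
    Rule("middleware", "private", 5432),
    Rule("dmz", "private", 5432),       # direct DMZ-to-database shortcut
    Rule("internet", "private", 3389),  # private host exposed to the Internet
]
HOSTS = [
    Host("web01", "dmz", False),
    Host("proxy01", "middleware", False),
    Host("db01", "private", True),
    Host("report01", "dmz", True),      # sensitive data parked on the DMZ
]

if __name__ == "__main__":
    for finding in audit(RULES, HOSTS):
        print(finding)
```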

CSC 19 Procedures and Tools

To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the network's overall layout and the services it provides. Organizations should prepare diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.

Although the Critical Security Controls overall provide many specific, high-priority steps that will improve enterprise security, a comprehensive treatment of Secure Network Engineering is beyond the scope of this document. In CSC 19, we describe capabilities that should be built into any security architecture.

CSC 19 Effectiveness Metrics


CSC 19 Automation Metrics


CSC 19 Effectiveness Test


CSC 19 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the network engineering process and evaluating the controls that work together in order to create a secure and robust network architecture. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Network engineering policies and procedures dictate how network systems function, including dynamic host configuration protocol (DHCP) servers

Step 2: DHCP servers provide IP addresses to systems on the network

Step 3: Network devices perform DNS lookups to internal DNS servers

Step 4: Internal DNS servers perform DNS lookups to external DNS servers

Step 5: Network engineering policies and procedures dictate how a central network management system functions

Step 6: Central network management systems configure network devices
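
The DNS hierarchy of CSC 19-3 and Steps 3 and 4 above (clients query internal DNS servers, which forward to DMZ DNS servers, which alone query the Internet) can be verified from flow records. The following is an added example, not part of the original control text; the addresses, server roles, and log layout are assumptions, and the flow records are constructed.

```python
# Added example: check constructed DNS flow records against the CSC 19-3 hierarchy.
# Addresses, role lists and the log layout are assumptions made for this illustration.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53")}
DMZ_DNS = {ipaddress.ip_address("192.0.2.53")}

def role(ip):
    """Classify an address by its place in the DNS hierarchy."""
    if ip in INTERNAL_DNS:
        return "internal_dns"
    if ip in DMZ_DNS:
        return "dmz_dns"
    if any(ip in net for net in INTERNAL_NETS):
        return "client"
    return "internet"

# The only query paths the hierarchy permits.
PERMITTED = {
    ("client", "internal_dns"),
    ("internal_dns", "dmz_dns"),
    ("dmz_dns", "internet"),
}

def dns_violations(lines):
    """Return (src, dst, path) for each port-53 flow that skips a level."""
    out = []
    for line in lines:
        src, dst, dport = line.split()
        if int(dport) != 53:
            continue  # not a DNS flow
        path = (role(ipaddress.ip_address(src)), role(ipaddress.ip_address(dst)))
        if path not in PERMITTED:
            out.append((src, dst, f"{path[0]}->{path[1]}"))
    return out

# Constructed flow records in the form "src dst dst_port".
FLOWS = """\
10.1.2.10 10.0.0.53 53
10.0.0.53 192.0.2.53 53
192.0.2.53 198.51.100.1 53
10.1.2.77 203.0.113.8 53
10.0.0.53 203.0.113.8 53
10.1.2.10 198.51.100.20 443
""".splitlines()

if __name__ == "__main__":
    for src, dst, path in dns_violations(FLOWS):
        print(f"{src} -> {dst}: {path}")
```

Only destination port 53 is examined; DNS carried over other ports or protocols is outside this check.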

Creative Commons - Attribution-NoDerivs 3.0 Unported (CC BY-ND 3.0)

This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) all persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to when referring to the 20 Critical Controls in order to ensure that users are employing the most up-to-date guidance.