Baseline security requirements for network security zones (version 2.0) – ITSP.80.022 – Canadian Centre for Cyber Security

Network Interface

| Objective Number | Requirement Number | Zone Requirement | Related ITSG-33 Control | IBS | Internetwork | End System |
|---|---|---|---|---|---|---|
| MZ-OBJ-100 | MZ-NI-100 | All network paths between an MZ and the zones it manages pass through ZIPs. | SC-7 | X | X | |
| MZ-OBJ-103 | MZ-NI-102 | An MZ does not have direct network connections to a PZ. | SC-7 | X | X | X |
| MZ-OBJ-103 | MZ-NI-103 | To protect an MZ from interference and tampering, the MZ infrastructure is separate from the data path network infrastructure. An MZ does not share any network layer infrastructure, any data link layer infrastructure, or any physical layer infrastructure with any other zone. | AC-4, SC-32 | X | X | |
| MZ-OBJ-104 | MZ-NI-105 | IBSs and internetwork components support the attachment of network-based intrusion detection sensors (e.g. monitors) and the collection of data from these sensors. | SI-4 (4) | X | X | |
| MZ-OBJ-100 | MZ-NI-106 | Zone-specific MZs do not have network connections to each other (e.g. the PAZ MZ does not communicate with the OZ MZ). | AC-4 | X | X | X |
| MZ-OBJ-100 | MZ-NI-107 | Zone-specific MZ instances are implemented on separate infrastructures with either physical or logical separation mechanisms, which are based on the ISSIP results. | AC-4, SC-7, SC-39 | X | X | X |
Traffic Control

| Objective Number | Requirement Number | Zone Requirement | Related ITSG-33 Control | IBS | Internetwork | End System |
|---|---|---|---|---|---|---|
| MZ-OBJ-102 | MZ-TC-102 | In an emergency or an increased threat, the MZ responds quickly to heightened security levels, as authorized to do so. For example, the MZ can improve the network security posture by increasing the level of the following security measures: filtering; monitoring (active or passive); protecting the continuous delivery of critical services (e.g. reconfigure or block non-essential services if required); and auditing. Before implementing these measures, test them carefully to ensure they cannot be exploited to cause a DoS. Personnel are trained and authorized to initiate responses to heightened security levels. | AC-4, AU-6, IR-4, SC-7, SC-10, SI-4 | X | X | X |
| MZ-OBJ-103 | MZ-TC-103 | The identity of both zones is authenticated before the zones can communicate. | IA-3 | | X | |
| MZ-OBJ-100 | MZ-TC-104 | The internetwork provides an access control service that enforces access control requirements between edge interfaces. This service is based on a network layer source, a network layer destination, a transport protocol, and a transport layer service interface. | AC-3, AC-4, SC-10 | | X | |
| MZ-OBJ-100 | MZ-TC-105 | An MZ network security zone authority defines requirements for an MZ internetwork access control service based on the following principles: the access control policy denies all traffic that is not explicitly permitted; the access control policy supports community of interest separation (i.e. where network traffic is divided into natural communities of interest, the access control policy enforces these natural traffic flows); the access control policy limits the available network paths for management end systems; the MZ network security zone authority denies all connections to an MZ by remote access hosts that are not connections from an RMAZ; and the access control policy supports separation between classes of service if the internetwork provides more than one class of service. | AC-2, AC-3, AC-4, AC-17, IA-3, SC-5 (3), SC-7 (5), SC-7 (11) | X | X | |
| MZ-OBJ-104 | MZ-TC-106 | If an MZ manages more than one class of service, the internetwork implements mechanisms to ensure non-interference between classes of service. | AC-4, SC-5 (2) | | X | |
| MZ-OBJ-103 | MZ-TC-107 | The internetwork uses an addressing model that supports the detection and diagnosis of malicious traffic. | CA-3, SC-7, SI-3 | | X | |
| MZ-OBJ-105 | MZ-TC-108 | An MZ supports SVPN traffic between any pair of edge interfaces. | SC-8 | X | X | |
| MZ-OBJ-104 | MZ-TC-110 | An MZ network security zone authority defines an access control policy, enforced by the access control service, that is based on the following principles: the access control policy denies all traffic unless it is explicitly permitted; and outgoing management traffic is restricted to destination addresses of the infrastructure of the zone which the MZ manages. | AC-4, SC-7 (5), SC-7 (8), SC-7 (11) | X | X | X |
| MZ-OBJ-100 | MZ-TC-121 | Audit-relevant traffic control and data flow information is recorded in the security audit log according to the requirements of the security audit service. | AU-1, AU-2 | | X | |
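As an added illustration (not part of ITSP.80.022), the following Python checker audits a constructed MZ access-control rule set against the traffic-control principles above: a final deny-all rule (MZ-TC-105, MZ-TC-110), outgoing management traffic confined to the zone the MZ manages (MZ-TC-110), no direct MZ-to-PZ paths (MZ-NI-102) and no connections between zone-specific MZs (MZ-NI-106). The zone prefixes, the `Rule` schema, the `MANAGES` map and the sample rules are assumptions constructed for this example.

```python
# Audits an MZ access-control rule set against the traffic-control principles
# above. Zone prefixes, rule schema and sample rules are constructed assumptions.
from collections import namedtuple
from ipaddress import ip_network

# Constructed, non-overlapping zone prefixes; anything else is treated as the PZ.
ZONES = {"OZ": ip_network("10.20.0.0/16"), "OZ-MZ": ip_network("10.10.0.0/24"),
         "PAZ": ip_network("192.0.2.0/24"), "PAZ-MZ": ip_network("10.30.0.0/24")}
# The zone each zone-specific MZ is accountable for (MZ-TC-110 destination scope).
MANAGES = {"OZ-MZ": "OZ", "PAZ-MZ": "PAZ"}
# src/dst are CIDRs or "any"; action is "permit" or "deny" (proto/dport unused here).
Rule = namedtuple("Rule", "src dst proto dport action")

def zone_of(cidr):
    """Map a prefix to its zone; prefixes outside every known zone are the PZ."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr)
    return next((z for z, n in ZONES.items() if net.subnet_of(n)), "PZ")

def audit(rules):
    """Return one finding string per violated requirement (empty if clean)."""
    findings = []
    if not (rules and rules[-1].action == "deny" and rules[-1].src == rules[-1].dst == "any"):
        findings.append("MZ-TC-110: rule set lacks a final deny-all rule")
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        mz = [z for z in (s, d) if z in MANAGES]  # MZ endpoints of this rule
        if "any" in (s, d) and mz:  # 'any' would reach the PZ and every other zone
            findings.append(f"rule {i}: MZ-TC-105: {mz[0]} permit with an 'any' endpoint")
        elif "PZ" in (s, d) and mz:
            findings.append(f"rule {i}: MZ-NI-102: direct path between {mz[0]} and the PZ")
        elif s in MANAGES and d in MANAGES and s != d:
            findings.append(f"rule {i}: MZ-NI-106: {s} connects to {d}")
        elif s in MANAGES and d != s and d != MANAGES[s]:
            findings.append(f"rule {i}: MZ-TC-110: {s} management traffic to {d}, not {MANAGES[s]}")
    return findings

# Constructed sample rule set: two valid management flows, then three violations.
SAMPLE_RULES = [
    Rule("10.10.0.0/24", "10.20.0.0/16", "tcp", "22", "permit"),      # OZ-MZ -> OZ: ok
    Rule("10.10.0.0/24", "10.20.0.0/16", "udp", "161", "permit"),     # OZ-MZ -> OZ: ok
    Rule("10.10.0.0/24", "10.30.0.0/24", "tcp", "443", "permit"),     # OZ-MZ -> PAZ-MZ
    Rule("10.10.0.5/32", "198.51.100.7/32", "tcp", "443", "permit"),  # OZ-MZ -> PZ
    Rule("10.30.0.0/24", "10.20.0.0/16", "tcp", "22", "permit"),      # PAZ-MZ -> OZ
    Rule("any", "any", "any", "any", "deny"),                         # default deny
]
```

Running `audit(SAMPLE_RULES)` reports rules 2, 3 and 4; dropping the final deny-all rule adds a deny-by-default finding.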
Network Configuration

| Objective Number | Requirement Number | Zone Requirement | Related ITSG-33 Control | IBS | Internetwork | End System |
|---|---|---|---|---|---|---|
| MZ-OBJ-104 | MZ-NC-100 | The MZ network configuration is monitored to detect additions, deletions, or changes to edge interfaces. Unauthorized changes are reported to an MZ network security zone authority. | AU-1, CM-2, CM-3, SI-4 | X | X | |
| MZ-OBJ-104 | MZ-NC-101 | The MZ edge interfaces are registered with an MZ network security zone authority. | CM-8 | | X | |
| MZ-OBJ-104 | MZ-NC-103 | An MZ network security zone authority periodically verifies the network topology. | AU-1, CM-2, CM-2 (1), CM-9 | X | X | |
| MZ-OBJ-105 | MZ-NC-104 | An MZ network security zone authority periodically assesses the network configuration for unauthorized external interfaces. | AU-1, SI-4 (4) | X | X | |
| MZ-OBJ-104 | MZ-NC-106 | MZ edge interface addresses are distinct and dedicated. | SC-7 | | X | |
| MZ-OBJ-105 | MZ-NC-107 | MZ edge interface addresses are visible only to the zone to which the zone-specific MZ is accountable. | SC-7 | | X | |
| MZ-OBJ-104 | MZ-NC-108 | A change to an MZ edge interface address assignment constitutes a configuration change and requires approval by an MZ network security zone authority. | CM-3, CM-9 | | X | |
| MZ-OBJ-104 | MZ-NC-109 | An MZ network security zone authority maintains current configuration information for all interfaces within the internetwork. | CM-2, CM-6 | | X | |
| MZ-OBJ-104 | MZ-NC-110 | Changes to an MZ are approved by an MZ network security zone authority before they are implemented. | CM-3 (4), CM-9 | X | X | X |
| MZ-OBJ-104 | MZ-NC-111 | Connections within an MZ have established security associations. All communications are authenticated (either explicitly or implicitly) within the context of these security associations. The permitted security associations are determined by traffic control requirements. | AC-4, IA-3, SC-23 | X | X | |
| MZ-OBJ-104 | MZ-NC-112 | Internetwork edge interfaces are authenticated to each other using Cyber Centre approved cryptographic authentication mechanisms. | IA-3 (1), SC-23 (5) | | X | |
| MZ-OBJ-104 | MZ-NC-121 | Service level agreements for outsourced networks require that any changes to internetwork interfaces that are controlled by network service providers must be approved by an MZ network security zone authority. | CP-8 | X | X | X |
| MZ-OBJ-104 | MZ-NC-122 | Service level agreements for outsourced networks include the following requirements: the network service provider gives evidence of the effectiveness of the security controls used to enforce security within the internetwork core; all security incidents that could impact an MZ are reported to an MZ network security zone authority; and the network service provider gives an MZ network security zone authority the capability to verify the effectiveness of the controls. | CP-8 | X | X | X |
| MZ-OBJ-104 | MZ-NC-123 | If remote management is allowed, an MZ allows only authorized administrators to remotely connect to MZ management end systems, and only through an organization-controlled zone (i.e. an RMAZ). The access is controlled and protected, and is restricted by IP address, port, and protocol. | AC-2, AC-3, AC-17, IA-3, IA-5 | X | X | X |
Host Configuration

| Objective Number | Requirement Number | Zone Requirement | Related ITSG-33 Control | IBS | Internetwork | End System |
|---|---|---|---|---|---|---|
| MZ-OBJ-104 | MZ-HC-100 | An MZ network security zone authority maintains a node and host network configuration policy that is consistent with applicable baseline security requirements, standards, and guidance. This policy applies to all nodes and hosts attached to the zone. | CM-1, CM-2 | X | X | X |
| MZ-OBJ-104 | MZ-HC-101 | The node and host network configuration policy contains the following considerations: a specification of prohibited and mandated networking software and hardware configurations; and the minimum maintenance procedures for all networking software. | CM-1, CM-6, CM-7, MA-2, MA-6, SI-2 | X | X | X |
| MZ-OBJ-104 | MZ-HC-103 | Regular network vulnerability assessments (VAs) of all nodes and hosts are conducted to assess trends in the effectiveness of the node and host network configuration policy. The frequency of the VAs is sufficient to support trend analysis. The results of all VAs are managed within the framework of continuous risk management and provide feedback to the security assessment and authorization (SA&A) process. | CA-7, RA-5 | X | X | X |
| MZ-OBJ-104 | MZ-HC-104 | All nodes apply controls that implement continuous protection against malware from start-up. | SI-3, SI-7 (1) | X | X | |
| MZ-OBJ-104 | MZ-HC-106 | System and network management processes and technology are implemented to detect changes in node configurations. | SI-7 (7) | X | X | |
| MZ-OBJ-104 | MZ-HC-107 | Regular back-ups of system files and system configuration parameters are performed for every node contained in an MZ. The frequency and the retention period of back-ups are consistent with business needs. | CP-9 | X | X | |
| MZ-OBJ-104 | MZ-HC-108 | The failure of an MZ node does not result in the compromise of its resources or the resources of any connected network. | SC-24 | X | X | |
| MZ-OBJ-104 | MZ-HC-109 | MZ nodes and hosts are within an area that meets the physical security requirements determined by the ISSIP. GC departments must also align with the Operational Security Standard on Physical Security [16]. | PE-18 | X | X | X |
| MZ-OBJ-104 | MZ-HC-111 | Operating systems and necessary applications for all nodes are hardened based on documented best practices. | CM-6, CM-7 | X | X | X |
| MZ-OBJ-106 | MZ-HC-112 | SVPN products, if used, are validated to Federal Information Processing Standard (FIPS) 140-2, at a minimum of Security Level 2, through the Cyber Centre’s Cryptographic Module Validation Program (CMVP). | SC-13 | X | X | X |
| MZ-OBJ-104 | MZ-HC-113 | Nodes are physically secured to limit access to only authorized personnel who need to access the equipment, according to the principles of least privilege and need to know. | PE-2, PE-3 (1), PE-18 | X | X | |
| MZ-OBJ-100 | MZ-HC-114 | An end system includes a personal firewall and a configuration integrity mechanism that can identify changes to the configuration and notify the end system administrator. | SC-7 (12), SI-7 | | | X |
| MZ-OBJ-104 | MZ-HC-115 | An end system undergoes the SA&A process before it is attached to an edge interface. | CA-1, CA-6 | | | X |
| MZ-OBJ-105 | MZ-HC-116 | Host-based intrusion detection sensors are placed on all critical hosts. | SC-7 (12) | | | X |
| MZ-OBJ-105 | MZ-HC-117 | MZ nodes generate and maintain audit log records, as required by the security audit service. | AU-2 | X | X | X |
| MZ-OBJ-105 | MZ-HC-118 | MZ nodes ensure that locally stored security audit log records are accessible to authorized security audit administrators, as required by the security audit service. | AU-6 (3), AU-6 (4) | X | X | X |
| MZ-OBJ-105 | MZ-HC-119 | Each MZ node is subject to regular configuration audits. The network security zone authority determines the frequency of these audits and documents it in the MZ configuration management procedures; the frequency is sufficient to identify configuration errors. The configuration audit includes, but is not limited to, the following checks: verification of node configuration against the network topology design; verification of hardware devices and physical interfaces; verification of traffic control configuration, including permissions and access controls; and verification of the permitted software load and permitted functions. | AU-1, AU-6, AU-6 (1), AU-6 (2), AU-6 (3), AU-6 (4), AU-6 (7) | X | X | X |
| MZ-OBJ-105 | MZ-HC-120 | MZ nodes record time stamps on audit records. The MZ internal system clocks are synchronized to an authoritative time source. | AU-8 (1) | X | X | X |
Data Protection

| Objective Number | Requirement Number | Zone Requirement | Related ITSG-33 Control | IBS | Internetwork | End System |
|---|---|---|---|---|---|---|
| MZ-OBJ-105, MZ-OBJ-106 | MZ-DP-100 | The internetwork can support SVPN data traffic connections between edge interfaces. | SC-8 | | X | |
| MZ-OBJ-105, MZ-OBJ-106 | MZ-DP-102 | An MZ should be capable of supporting data protection services at the network layer or higher. | SC-8 | X | X | |
| MZ-OBJ-105, MZ-OBJ-106 | MZ-DP-104 | Where encryption or digital signature is required, products (whether software, firmware or hardware) incorporate a Cyber Centre approved algorithm and Cyber Centre approved key management processes, such as products validated to FIPS 140-2 (or subsequent FIPS 140 releases) by the Cyber Centre’s CMVP. | SC-13 | X | X | X |