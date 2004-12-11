Network Connectivity

Networks controlled by organizations outside your chain of command must not be directly connected to your network.
Such networks may be connected through a DMZ or Extranet established for that purpose.
External resources that must be reached through a proxy server include (by protocol): http/https; ftp/sftp; smtp/imap; chat/irc/h.323/t.120; dns/ntp; ldap/lsass; sqlnet/mssql; soap; or rpc.

Network Authentication

Authentication determines who an individual is.
Strong Identification and Authentication (I&A) is only achieved when two or more factors are employed in the process: something you have, something you know, or something you are.
Authentication based on User Id and Password is single-factor: both the User Id and the Password are something you know, so the result is weak I&A.
The portion of authentication based on something you know must always be transmitted in a manner that precludes its disclosure to all other personnel or network devices, including the authentication server.
The preceding requirement (Para 8 above) may be restated as: the User Id and/or Password must never be transmitted over the network in the clear.
Unacceptable authentication methods (when not used in conjunction with approved client-to-server encryption or hash methods): HTTP Basic Authentication (as offered by Microsoft IIS); Microsoft (ASP.NET) Forms Authentication; FTP Authentication; HTTP Cookie; or TCP/IP address.
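The two halves of the requirement above, shown side by side as an added example (this is illustrative code, not anything from the original page): first, what a passive observer recovers from an HTTP Basic Authentication header, where Base64 is encoding rather than encryption; second, a challenge-response login in which the password never leaves the client and the server holds only a salted, stretched key. The header contents, user name, password, PBKDF2 iteration count, and the `AuthServer` class and its method names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# --- 1. Credentials in the clear: what HTTP Basic Authentication puts on the wire ---
# Constructed header, exactly as a passive observer between client and server would capture it.
BASIC_HEADER = "Authorization: Basic " + base64.b64encode(b"alice:Tr0ub4dor&3").decode()


def recover_basic_credentials(header_line: str) -> tuple[str, str]:
    """Anyone who sees the header recovers both the User Id and the Password."""
    _, scheme, token = header_line.split(" ", 2)
    if scheme != "Basic":
        raise ValueError("not a Basic Authentication header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- 2. Challenge-response: the password itself never crosses the network ---
PBKDF2_ITERATIONS = 100_000  # assumption for this example; follow current guidance in production


def derive_key(user: str, password: str, salt: bytes) -> bytes:
    """Stretch the password into a key; the user id is mixed in so equal passwords give different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + user.encode(), PBKDF2_ITERATIONS)


def client_enroll(user: str, password: str) -> tuple[bytes, bytes]:
    """Enrolment runs on the client: it hands the server a salt and derived key, never the password."""
    salt = secrets.token_bytes(16)
    return salt, derive_key(user, password, salt)


def client_respond(user: str, password: str, salt: bytes, nonce: bytes) -> bytes:
    """Prove possession of the password by keying an HMAC over the server's fresh nonce."""
    return hmac.new(derive_key(user, password, salt), nonce, hashlib.sha256).digest()


class AuthServer:
    """Stores (salt, derived key) per user and issues single-use nonces."""

    def __init__(self) -> None:
        self._creds: dict[str, tuple[bytes, bytes]] = {}
        self._pending: dict[str, bytes] = {}

    def register(self, user: str, salt: bytes, key: bytes) -> None:
        self._creds[user] = (salt, key)

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        """Server -> client: the user's salt and a fresh random nonce."""
        salt, _ = self._creds[user]
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Client -> server: the HMAC. The nonce is consumed, so a captured response cannot be replayed."""
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in self._creds:
            return False
        _, key = self._creds[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(server: AuthServer, user: str, password: str) -> bool:
    """One complete login. Only the salt, the nonce and the HMAC are observable on the wire."""
    salt, nonce = server.challenge(user)
    return server.verify(user, client_respond(user, password, salt, nonce))


def replay_is_rejected(server: AuthServer, user: str, password: str) -> bool:
    """A captured response, re-sent after the genuine login, must fail."""
    salt, nonce = server.challenge(user)
    captured = client_respond(user, password, salt, nonce)
    first = server.verify(user, captured)
    second = server.verify(user, captured)
    return first and not second
```

Two caveats a practitioner should keep in mind. The derived key the server stores is password-equivalent for this protocol, so a compromised credential store still allows impersonation; the page's strictest reading (the secret hidden even from the authentication server) is what password-authenticated key exchange protocols such as SRP provide. And challenge-response hides the password from an observer but does not by itself bind the login to a session, so it still belongs inside an encrypted, server-authenticated channel.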

Network Authorization

Authorization determines what rights and capabilities an individual or process has.
Personnel from organizations controlled outside your chain of command may be granted access to resources inside the DMZ.
Such personnel may not be granted direct access to internal resources beyond the DMZ.
Personnel from organizations connected to your network via an Extranet that is controlled by personnel within your chain of command may be granted access to internal resources on the Extranet and on internal networks.
Authorization controls must be employed on all internal network resources where personnel have write privileges.
Authorization controls must be employed on all internal network resources where personnel have read privileges and the data being accessed is Protected A or above, or is classified, including all NATO information.
Personnel from organizations within your chain of command may only use resources on external networks through proxy devices controlled within the DMZ.

Network Devices

A router is not a firewall.
A firewall may be a router.
A firewall may contain numerous proxy servers for different protocols.
A firewall is not a guard (a guard is a cross-domain device that inspects content to enforce releasability between security domains).
Network Address Translation (NAT) is not a proxy server.

Data Markings

All classified documents, information or data, including those that exist only on network resources, must carry appropriate markings as to classification and releasability:
(a) documents, including memoranda, letters, presentations, briefings, spreadsheets, web pages, email and graphics, must show classification and releasability at the top and bottom of every page, and every title, paragraph, sub-paragraph, table and figure must carry a classification indicator;
(b) documents on network resources should be named so that their classification and releasability are understood without opening them, or stored in directories dedicated to that particular classification and releasability, where the directory name indicates the classification and releasability;
(c) data rows in database tables or views should contain classification and releasability indicators;
(d) data columns should have classification and releasability rules associated with the values they may hold, so that data rows can be marked appropriately; and
(e) email must carry labels indicating classification and releasability, so that these details can be determined without accessing the contents of the message.

All information contained within classified network resources must have classification and releasability markings when the information is classified or protected.

All protected documents, information or data, including those that exist only on network resources, must carry appropriate markings as to protection level:
(a) documents, including memoranda, letters, presentations, briefings, spreadsheets, web pages, email and graphics, must show the protection level at the top and bottom of every page;
(b) documents on network resources should be named so that their protection level is understood without opening them, or stored in directories dedicated to that particular protection level, where the directory name indicates the protection level;
(c) data rows in database tables or views should contain protection level indicators;
(d) data columns should have protection level rules associated with the values they may hold, so that data rows can be marked appropriately; and
(e) email must carry labels indicating the protection level, so that these details can be determined without accessing the contents of the message.
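Items (c) and (d) of the marking requirements, together with the Authorization section's rule that read access to Protected A or higher data must be controlled, are easiest to see in a concrete schema. The following is an added example, not code from the original page: column-level marking rules drive the marking of each row, a CHECK constraint keeps markings on the scale, a view renders the marking in front of the data, and a read query filters by the reader's clearance and releasability. The marking scale (a Canadian-style one, since the page names "Protected A"), the community codes, the "[LEVEL // REL ...]" rendering, the table and column names and the sample rows are all constructed assumptions.

```python
import sqlite3

# Marking scale, lowest to highest. Assumption: a Canadian-style scale, as the page's "Protected A" suggests.
LEVELS = ["UNCLASSIFIED", "PROTECTED A", "PROTECTED B", "PROTECTED C",
          "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}
ALL_COMMUNITIES = frozenset({"CAN", "US", "GBR", "NATO"})  # constructed releasability communities
LEVEL_LIST = ", ".join(repr(level) for level in LEVELS)

SCHEMA = f"""
-- Column-level rules: which values in which column carry which marking (requirement (d)).
CREATE TABLE marking_rule (
    column_name    TEXT NOT NULL,
    value_pattern  TEXT NOT NULL,   -- SQL LIKE pattern matched against the cell value
    classification TEXT NOT NULL,
    releasability  TEXT NOT NULL    -- comma-separated communities the value may be released to
);
-- Every data row carries its own marking (requirement (c)); the CHECK rejects anything off the scale.
CREATE TABLE unit_contact (
    id             INTEGER PRIMARY KEY,
    name           TEXT NOT NULL,
    role           TEXT NOT NULL,
    location       TEXT NOT NULL,
    classification TEXT NOT NULL CHECK (classification IN ({LEVEL_LIST})),
    releasability  TEXT NOT NULL
);
-- Listings are marked by construction: the view puts the marking in front of the data.
CREATE VIEW unit_contact_marked AS
    SELECT '[' || classification || ' // REL ' || releasability || '] ' || name AS marked_name,
           unit_contact.* FROM unit_contact;
"""

RULES = [  # constructed sample rules: (column, LIKE pattern, classification, releasability)
    ("role",     "%commander%", "PROTECTED B",  "CAN,US,GBR,NATO"),
    ("location", "Ottawa%",     "UNCLASSIFIED", "CAN,US,GBR,NATO"),
    ("location", "FOB %",       "SECRET",       "CAN,US"),
    ("location", "%Kabul%",     "CONFIDENTIAL", "CAN,US,GBR,NATO"),
]


def derive_row_marking(conn: sqlite3.Connection, row: dict[str, str]) -> tuple[str, str]:
    """Row marking = highest classification and narrowest releasability over the matching column rules."""
    level, communities = "UNCLASSIFIED", set(ALL_COMMUNITIES)
    for column, value in row.items():
        matches = conn.execute(
            "SELECT classification, releasability FROM marking_rule "
            "WHERE column_name = ? AND ? LIKE value_pattern", (column, value))
        for classification, releasability in matches:
            if RANK[classification] > RANK[level]:
                level = classification
            communities &= set(releasability.split(","))
    return level, ",".join(sorted(communities))


def build_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rules and three constructed contact rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO marking_rule VALUES (?, ?, ?, ?)", RULES)
    contacts = [
        ("A. Tremblay", "Logistics officer", "Ottawa HQ"),
        ("B. Singh", "Task force commander", "FOB Wilson"),
        ("C. Okafor", "Liaison officer", "Kabul embassy"),
    ]
    for name, role, location in contacts:
        level, rel = derive_row_marking(conn, {"role": role, "location": location})
        conn.execute("INSERT INTO unit_contact (name, role, location, classification, releasability) "
                     "VALUES (?, ?, ?, ?, ?)", (name, role, location, level, rel))
    conn.commit()
    return conn


def rows_for_reader(conn: sqlite3.Connection, clearance: str, community: str) -> list[str]:
    """Read-side authorization: the row's own marking decides whether this reader may see it."""
    conn.create_function("rank_of", 1, lambda c: RANK[c])
    conn.create_function("releasable_to", 2, lambda rel, who: 1 if who in rel.split(",") else 0)
    cur = conn.execute(
        "SELECT marked_name FROM unit_contact_marked "
        "WHERE rank_of(classification) <= ? AND releasable_to(releasability, ?) = 1 ORDER BY id",
        (RANK[clearance], community))
    return [row[0] for row in cur]


def rejects_off_scale_marking(conn: sqlite3.Connection) -> bool:
    """The CHECK constraint refuses a row whose marking is not on the scale."""
    try:
        conn.execute("INSERT INTO unit_contact (name, role, location, classification, releasability) "
                     "VALUES ('D. Roy', 'Clerk', 'Ottawa HQ', 'INTERNAL', 'CAN')")
    except sqlite3.IntegrityError:
        return True
    return False
```

The point of deriving the row marking from column rules rather than typing it by hand is that the marking cannot lag behind the data: a location that matches a SECRET rule pulls the whole row up to SECRET and narrows its releasability, and the read query then excludes it for anyone without that clearance or outside that community.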

Data Backup

All information systems must implement procedures to back up data. RAID arrays do not remove the requirement for separate backup data. Backup data must be stored offsite, or in approved fireproof containers.

User Privilege

No user should have any rights not directly required to perform approved functions.

Discussion of reasons why these have become forgotten

The main reason these principles have been forgotten is that the technology to implement them economically was not available.