LAN Configuration and Change Management

Suppose you find inappropriate network packets during your LAN traffic analysis. For example, say your traffic analysis reveals a collection of packets originating from an IP address that is not valid for your network. In most cases, LAN controls should only allow traffic originating from and addressed to valid addresses. If you initially set up your LAN controls to filter network addresses properly and such packets are now getting through, something has changed.

One of the first things you should check is the current state of your routing and packet filter rules. Compare the rules in effect on the device with the rules you documented when you set up the LAN controls; you should be able to tell whether they are still defined properly. If you find that the rules have changed, determine when they changed, who changed them, and why they were changed.

One attack method is to access network devices and change packet filter rules to permit malicious traffic. Another important control in the LAN Domain is therefore network device configuration control and change management. You should implement a formal process for changing network configuration settings. A change control board should approve each change. In addition, you should allow only a small number of privileged users to access network devices with the authority to change settings. You should also configure your network devices to create audit log entries any time a configuration setting changes.
A formal change procedure and configuration change auditing will limit unexpected changes to your network configuration and provide an audit trail when a change allows unwanted network traffic.

Network audits should review the related LAN policies, standards, and guidelines to ensure compliance. Comparing the LAN configuration against these requirements validates that the change management process is working effectively.
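The change-management check described above (diff the running rule set against the approved baseline, then trace every difference back to an approved change) can be automated. The following is an added example, not code from the original text: the rule syntax, the audit log format, the sample rule sets, the ticket numbers and the user names are all constructed for the example. In practice the running configuration would be pulled from the device and the audit log from the device or its syslog collector.

```python
"""
Added example (not from the original text): a configuration-drift check for a
firewall or router rule set. It diffs the running rules against the approved
baseline and matches each difference to the device's configuration-change
audit log, so a rule nobody approved stands out. All rule syntax, log format,
and sample data below are constructed for this example.
"""

# Approved baseline, as signed off by the change control board (constructed).
BASELINE = """
allow tcp any -> 10.20.0.10:443
allow tcp any -> 10.20.0.11:25
deny  any any -> any
"""

# Running configuration pulled from the device during the audit (constructed).
RUNNING = """
allow tcp any -> 10.20.0.10:443
allow tcp any -> 10.20.0.11:25
allow any 198.51.100.0/24 -> 10.20.0.0/16
deny  any any -> any
"""

# Device configuration audit log (constructed). One entry per line:
# <timestamp> <user> <change ticket or -> <add|remove> <rule text>
AUDIT_LOG = """
2024-03-02T09:15:00Z alice      CHG-1042 add allow tcp any -> 10.20.0.11:25
2024-03-05T23:41:00Z svc_backup -        add allow any 198.51.100.0/24 -> 10.20.0.0/16
"""

# Tickets the change control board approved (constructed).
APPROVED_TICKETS = {"CHG-1042"}


def parse_rules(text):
    """Return the rule set as an ordered list of whitespace-normalized rules."""
    rules = []
    for line in text.splitlines():
        line = " ".join(line.split())          # collapse spacing differences
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def diff_rules(baseline_text, running_text):
    """Rules added to the running config and rules missing from it."""
    baseline = parse_rules(baseline_text)
    running = parse_rules(running_text)
    added = [r for r in running if r not in baseline]
    removed = [r for r in baseline if r not in running]
    return added, removed


def parse_audit_log(text):
    """Parse the constructed audit log into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue
        ts, user, ticket, action, rule = parts
        entries.append({"ts": ts, "user": user, "ticket": ticket,
                        "action": action, "rule": " ".join(rule.split())})
    return entries


def audit_drift(baseline_text, running_text, audit_text, approved_tickets):
    """Classify every difference from the baseline using the audit log."""
    added, removed = diff_rules(baseline_text, running_text)
    entries = parse_audit_log(audit_text)
    findings = []
    changes = [(r, "add") for r in added] + [(r, "remove") for r in removed]
    for rule, action in changes:
        matches = [e for e in entries if e["rule"] == rule and e["action"] == action]
        entry = matches[-1] if matches else None
        if entry is None:
            # Nothing in the log: change made out of band, or logging is broken.
            status = "no audit record"
        elif entry["ticket"] in approved_tickets:
            # Approved, but the baseline document was never updated to match.
            status = "approved, baseline stale"
        else:
            status = "unauthorized"
        findings.append({"rule": rule, "change": action,
                         "status": status, "entry": entry})
    return findings


if __name__ == "__main__":
    for f in audit_drift(BASELINE, RUNNING, AUDIT_LOG, APPROVED_TICKETS):
        who = f["entry"]["user"] if f["entry"] else "unknown"
        print(f'{f["status"]:24} {f["change"]:6} {f["rule"]}  (by {who})')
```

Run on the constructed data, the check reports the broad allow rule for 198.51.100.0/24 as unauthorized: it was added by a service account with no change ticket. The three outcomes map onto the three questions in the text (when, who, why): a missing audit record is itself a finding, because it means either the change bypassed the device's audit logging or the logging is not configured as the baseline requires.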

LAN Domain Policies

The LAN Domain refers to the organization’s local area network (LAN) infrastructure.
A LAN policy should outline the processes and requirements to ensure sensitive data and applications are appropriately segmented and protected.

Control Standards

The control standards for the LAN define firewall controls, denial of service protection, Wi-Fi security controls, and more.

A Firewall Controls standard describes how LAN firewalls should handle application traffic, such as web, e-mail, and Telnet traffic (a standard written today would normally require SSH in place of Telnet, which carries credentials in cleartext). The standard should also describe how the firewall should be managed and updated. The following are examples of statements from a typical Firewall Control standard:

The default policy for the firewall for handling inbound traffic must block all packets and connections unless the traffic type and connections have been specifically permitted.

Typically, good firewall hygiene always blocks the following types of traffic:

  • Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself. This type of packet normally represents some type of probe or attack against the firewall. One common exception to this rule would be in the event the firewall system accepts delivery of inbound email (SMTP on port 25). In this event, the firewall must allow inbound connections to itself, but only on port 25.

  • Inbound traffic with a source address indicating that the packet originated on a network behind the firewall. This type of packet likely represents some type of spoofing attempt.

  • Inbound traffic containing ICMP (Internet Control Message Protocol) traffic. Since ICMP can be used to map the networks behind certain types of firewalls, ICMP must not be passed in from the Internet, or any untrusted external network. Note that blocking ICMP wholesale also blocks the "fragmentation needed" (type 3, code 4) and ICMPv6 "packet too big" messages that path MTU discovery depends on, so a standard that takes this position should state whether those messages are a documented, rate-limited exception.

A Denial of Service (DoS) Protection standard describes controls that protect against or limit the effects of DoS attacks. This standard also addresses Smurf attacks and distributed denial of service (DDoS). Here are some examples of control statements from this type of standard:

Routers and firewalls must be configured to forward IP packets only if those packets have a correct source IP address for the <Organization> network.

Only allow packets to leave the network with valid source IP addresses that belong to the organization’s network. This minimizes the chance that the network will be the source of a spoofed DoS attack (this is the egress anti-spoofing filtering described in BCP 38, RFC 2827).
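The Firewall Controls statements (default deny inbound, nothing to the firewall itself except SMTP, no inbound packets with internal source addresses, no inbound ICMP) and the DoS Protection statements (only forward outbound packets with a valid organization source address) together form a small, ordered decision procedure. The block below is an added example written for this page, not code from the original text or from any firewall product: it encodes those statements as a packet evaluator and runs it over constructed sample packets. The internal prefix, the firewall address, the permitted-service list and the packet format are assumptions made for the example.

```python
"""
Added example (not from the original text): a small packet-filter evaluator
that applies the Firewall Controls and DoS Protection statements above to
constructed packets. Addresses, the permitted-service list, and the packet
format are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass

# Address space behind the firewall (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# The firewall's own external address (constructed).
FIREWALL_ADDR = ipaddress.ip_address("203.0.113.1")
# Inbound services explicitly permitted by the standard: (proto, dst, port).
PERMITTED_INBOUND = {("tcp", ipaddress.ip_address("10.20.0.10"), 443)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arriving from the untrusted network; "out": leaving the LAN
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # destination port; 0 for ICMP


def is_internal(addr):
    """True if the address belongs to the organization's network."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def evaluate(pkt):
    """Return (verdict, reason) for one packet, checking rules in order."""
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.direction == "out":
        # DoS Protection standard: only forward packets whose source address
        # belongs to the organization (egress anti-spoofing, BCP 38).
        if not is_internal(pkt.src):
            return "drop", "egress: source address not an organization address"
        return "accept", "egress: valid source address"

    # Inbound rules, in the order the standard lists them.
    if is_internal(pkt.src):
        return "drop", "inbound: internal source address (spoofing attempt)"
    if pkt.proto == "icmp":
        return "drop", "inbound: ICMP from untrusted network"
    if dst == FIREWALL_ADDR:
        if pkt.proto == "tcp" and pkt.dport == 25:
            return "accept", "inbound: SMTP delivery to the firewall (documented exception)"
        return "drop", "inbound: addressed to the firewall itself (probe)"
    if (pkt.proto, dst, pkt.dport) in PERMITTED_INBOUND:
        return "accept", "inbound: explicitly permitted service"
    return "drop", "inbound: default deny"


# Constructed sample traffic, one packet per case the standard describes.
SAMPLES = [
    Packet("in", "tcp", "198.51.100.7", "10.20.0.10", 443),   # permitted web
    Packet("in", "tcp", "198.51.100.7", "10.20.0.10", 22),    # not permitted
    Packet("in", "tcp", "10.20.5.5", "10.20.0.10", 443),      # spoofed internal source
    Packet("in", "icmp", "198.51.100.7", "10.20.0.10"),       # ICMP from outside
    Packet("in", "tcp", "198.51.100.7", "203.0.113.1", 25),   # SMTP to firewall
    Packet("in", "tcp", "198.51.100.7", "203.0.113.1", 22),   # SSH probe at firewall
    Packet("out", "tcp", "10.20.0.50", "198.51.100.7", 443),  # normal egress
    Packet("out", "udp", "192.0.2.9", "198.51.100.7", 53),    # spoofed egress
]


def run_samples():
    """Evaluate every sample packet; returns the list of verdicts in order."""
    return [evaluate(p)[0] for p in SAMPLES]


if __name__ == "__main__":
    for p in SAMPLES:
        verdict, reason = evaluate(p)
        print(f"{verdict:6} {p.direction:3} {p.proto:4} {p.src:>14} -> {p.dst}:{p.dport}  {reason}")
```

The order of the checks matters: the spoofed-source test comes before the service whitelist, so a packet that forges an internal address to reach a permitted service is still dropped, and the firewall's own address is handled before the whitelist so that only the documented SMTP exception reaches the device. The last line in `evaluate` is the default-deny statement; every accepted inbound packet had to match an explicit rule before reaching it.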

Baseline Standards

LAN Domain control standards may refer to specific technical requirements for network devices, including servers. Where there is a specific technology component, you’ll need a baseline standard to document the security settings for those devices. How network policies, standards, and guidelines are documented will vary from organization to organization. The larger and more regulated the organization is, the more formal the documentation. The following are some examples of baseline documents to be included in the network audit scope:

  • Wi-Fi Access Point (AP) Security Configuration Guide—Describes the required security configuration for each product and version of supported APs

  • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)—Describes technical controls for LAN-attached IDSs and IPSs

  • Baseline Configuration(s)—Describes each LAN-attached device product family, such as Windows Server, UNIX server software, routers, firewalls, IDSs, IPSs, and so on

  • Remote Maintenance—Describes the actions that should be taken for each type of LAN-attached device in the event of crisis or emergencies, where the organization may need immediate access to remote maintenance, and diagnostic services to restore essential operations or services

  • Audit Storage Capacity—Describes the requirements for allocating sufficient audit record storage capacity and configuration of auditing tools and devices to reduce the likelihood of capacity being exceeded

  • Content of Audit Records—Describes the need to produce audit record details for each audit record generating device to ensure that it contains sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events

  • Firewall Baseline Security Standards—Describes technical controls for each firewall, version, and manufacturer

  • Router Baseline Security Standards—Describes technical controls for each router, version, and manufacturer

  • Server Configuration Settings—Describes the technical controls for each server product family

  • Server Baseline Configuration(s)—Describes the baseline configuration for each server product family

Guidelines

Guidelines for implementing control standards are useful for system administrators, network administrators, and their managers who have responsibilities for maintaining LAN-attached devices. Unlike standards or policies, they allow more flexibility and deviation. The guidelines also provide insight into the network architecture. The following are a few examples of guideline documents:

  • Security Assessments Guidelines—Provides recommendations on how security assessments should be conducted, how the information in them should be protected, and what the assessment process should focus on assessing

  • Information System Backup Guidelines—Provides recommendations for system backups, offsite storage, retrieval, periodic testing of backup media, and so on

  • Firewall Architecture and Management Guidelines—Provides information on firewall architectures, when they should be used in the organization and recommendations for ongoing management and maintenance

  • Router Architecture and Management Guidelines—Provides information on router types and architectures, when they should be used in the organization, and recommendations for ongoing management and maintenance

  • IDS and IPS Architecture and Management Guidelines—Provides information on IDS and IPS architectures, types, when they should be used in the organization, and recommendations for ongoing management and maintenance

  • Wi-Fi Security Guidelines—Provides information on Wi-Fi system architectures, types, when they should be used in the organization, and recommendations for ongoing management and maintenance

  • Demilitarized Zone (DMZ) Guidelines—Recommends how to design a DMZ architecture, the typical systems that are operated in the DMZ, and how network communications should be designed for security

  • Intrusion Detection Systems Guidelines—Recommends how to design an IDS system of sensors, collection stations, and alert mechanisms, with recommendations on how alerts should be managed and how to tune devices to eliminate or reduce false positives

  • Intrusion Prevention Systems Guidelines—Describes the types of IPSs, their uses, how they operate, and under what conditions the organization wishes to deploy them

  • User Proxy Server Guidelines—Offers recommendations on implementing a user proxy for Internet access, tips on establishing access credentials, and tips on suspending or revoking access

  • Content Filtering Guidelines—Provides recommendations on content filtering options, ways to maintain the list of banned sites, and ways to request access to blocked sites needed for business purposes
