1、CEIM-P CEIM-S Circular No. 25-1-246 DEPARTMENT OF THE ARMY U.S. Army Corps of Engineers Washington, DC 20314-1000 EC 25-1-246 30 November 1996 Expires 31 December 1998 Information Management ENTERPRISE NETWORK OPERATING SECURITY PROCEDURES 1. Pumose. a. This circular establishes Command policy for n
2、etwork operating security in the U.S. Amy Corps of Engineers for all computing and communications assets directly or indirectly connected to the Corps of Engineers Automation Plan (CEAP-IA) (COE) Network provided through the CEAP-IA program. b. This circular promulgates minimum security standards an
3、d procedures necessary to safeguard corporate information assets - hardware, software, data, and capacity (processing, storage, and transmission/bandwidth). c. For purposes of this document, network security compromise is divided into the following three general categories: (1) Breach of Confidentia
4、lity - involves unauthorized access to corporate information assets, (2) Denial of service - involves the unauthorized use of corporate information assets, or the prevention of authorized use of corporate information assets, and (3) Data compromise - involves unauthorized access to corporate informa
5、tion assets, with possible corruption of corporate data. d. These policies, standards, and procedures are necessary to ensure that: (1) Corporate information assets are not compromised, (2) Corporate information asset usage is not illegally converted, and that (3) Corporate information assets are no
6、t used as a vehicle for compromising the security of the Department of the Army, the Department of Defense, or any federal, state, or local agency using the Corps of Engineers as an information resource. Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-
7、,-EC 25-1-246 30 Nov 96 e. These policies and procedures will ensure that the Corps is able to: (1) present a defense in depth against any potential intruder by means of “firewalls, I “bastion hosts, I “proxying“ of selected network services, and “packet fil tering routers, I (2) identify any penetr
8、ation of corporate information assets with maximum accuracy in minimum time, and (3) minimize the damage to corporate information assets which any potential intruder can cause. 2. Atmlicabilitv. This circular is applicable to: a. All HQUSACE/OCE staff elements, USACE Major Subordinate Commands (MSC)
9、 and their Districts, Laboratories, Centers, and Field Operating Activities (FOA) . b. Use of any electronic medium for transmission, storage, or processing of data or information and the creation of records for which the US Army Corps of Engineers or its representatives have stewardship and which m
10、akes use of Corps automation or telecommunications resources in a networked environment. c. All government employees, contractor employees, or other personnel having operational access, either directly or indirectly to, and use of, Corps of Engineers Automation Plan (CEAP-IA) automation and telecomm
11、unications assets. 3. References. Related references are listed in Appendix A. Definitions and Acronyms are in Appendix B. 4. Policv. It is the policy of the Corps that: a. Network Access Will Be Strictly Controlled. (1) All dial-in access to Corps of Engineers (COE) information assets at any organi
12、zational level will be strictly controlled by USERID/PASSWORD in accordance with AR 380-19. (2) All INTERNET access will be accomplished through CEAP-IA Program Office designated ingress and egress points. (3) Access to the INTERNET by non-CEAP-IA provided and controlled dual- homed devices, i.e. de
13、vices (modems, routers, etc.) which are simultaneously connected physically and/or logically to both the internal network(s) and to the INTERNET is strictlv prohibited, unless waived in accordance with Para. 5. 2 Provided by IHSNot for ResaleNo reproduction or networking permitted without license fr
14、om IHS-,-,-COE EC 25-1-246 m 3515789 0822bYY 231 rn EC 25-1-246 30 Nov 96 b. Inbound Internet Network Services Will Be Strictly Controlled. (1) The following communications services/capabilities will be provided by the CEAP-IA Network Control Center and controlled via packet filtering and these serv
15、ices will be restricted to “INTERNET Accessible“ corporate information assets: (a) File-Transfer Protocol (FTP), (b) Hypertext-Transfer-Protocol (HTTP), (c) Telnet, (d) X-Windows, and (e) Domain Name Server (DNS) host lookups. (2) Select communications services/capabilities will be provided only thr
16、ough designated servers: (a) Network News Transfer Protocol (NNTP), (b) X-Windows (proxy server), and (c) Simple Mail Transfer Protocol (SMTP) . (3) Domain Name Server (DNS) host lookups will be permitted through the INTERNET firewall gateways. (4) All services not specifically authorized are prohib
17、ited. (5) It will be possible for INTERNET inbound users to access a single designated Corps ORACLE WebServer for the purpose of retrieving selected data imported from a “Corps Trusted“ ORACLE database. c. Data Will Be Partitioned Into “INTERNET Accessible“ and “Corps Trusted“ Data Sets, and Segrega
18、ted By Network Segment. (1) All data and data presentations (including “web pages“ , which are to be made available to the public will be partitioned into two data sets - an “INTERNET Accessible“ data set and a “Corps Trusted“ data set. (2) No “Corps Trusted“ data set or data presentation will be ac
19、cessible via the INTERNET, except in accordance with AR 380-19. 3 Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-COE EC 25-3-246 D 3515789 0822b4.5 178 I EC 25-1-246 30 Nov 96 (3) “INTERNET Accessible“ data sets and data presentations will be period
20、ically refreshed from the appropriate “Corps Trusted“ data sets in accordance with procedures established by the Functional Proponent as data security cannot be assumed. (4) All data on “INTERNET Accessible“ servers will be monitored for data quality (accuracy and completeness). (5) All data on “INT
21、ERNET Accessible“ servers will be backed up in accordance with standard operating procedures. (6) Outbound initiated connections from “INTERNET accessible“ network segments to Corps Trusted“network segments will be denied - with the exception of mail and DNS server access. d. All Commuaications Sess
22、ions Will Be Subject To Monitoring. (1) All communications sessions are subject to automatic and/or random session monitoring. (2) All monitored sessions will be subject to extensive “logging“ of “session profile“ data. (3) Any communications session that shows evidence of having been compromised ca
23、n and will be traced, and/or terminated at the discretion of CEAP-IA Network Control Center/Alternate Network Control Center security personnel. Any such deliberate interruption of services may result in the complete termination of data communications to/from a particular platform, component, or net
24、work segment. All such incidents will be reported to the local and enterprise Information Systems Security Manager (ISSM) or Information Systems Security Officer (ISSO) . e. All Corporate Network Security Controls Will Be Implemented, Managed, and Controlle By the CW-IA Program Office. (1) All packe
25、t filtering routers used for control of CEAP network communications ingress and egress will be under the control and management of the CEAP-IA Network Control Center/Alternate Network Control Center security personnel. (2) All “firewalls,“ associated hardware platforms, and hardware/software, will b
26、e under the control and management of the CEAP-IA Network Control Center/Alternate Network Control Center security personnel. 4 Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-COE EC 25-1-246 3535789 0822646 004 H EC 25-1-246 30 Nov 96 (3) All “basti
27、on hosts“ or “proxying“ servers, or single purpose “sacrificial“ servers providing selected services, will be under the control and management of the CEAP-IA Network Control Center/Alternate Network Control Center security personnel; this includes INTERNET Accessible“ servers resourced by Functional
28、 Proponents. (4) INTRANET Accessible servers, used for purely internal communications, will remain under Functional Proponent control and management. 5. DoD 8120.2-M, Interim Guidance on Conducting Automated Information System (AIS) Life-Cycle Management, Section 9, Security Planning; and the USACE
29、Managers Guide to the Life Cycle Management of Automated Information Systems, Appendix 7. e. All waiver requests for existing automation or telecommunication resource configurations will be submitted within six (6) months of the issuance of this circular. f. All waiver requests for actions not yet e
30、mplaced, but anticipated to be in violation of this circular will be submitted to the CEAP-IA Program Office not less than six (6) weeks before any effort attempting execution of said actions is made. g. Waiver requests will be submitted to, analyzed, reviewed, and approved or denied by the CEAP-IA
31、Program Office in coordination with the USACE Office of Security and Law Enforcement. 6. ResDonsibilities. a. The HQUSACE Director of Information Management (CEIM) will ensure that appropriate enterprise network operating security policies and procedures are in place and are based on contemporary te
32、chnology and security practices. b. The HQUSACE Office of Security and Law Enforcement (CEPM) will: (1) Support the Directorate of Information Management in (DIM) reporting and responding to all CEAP-IA network security 6 Provided by IHSNot for ResaleNo reproduction or networking permitted without l
33、icense from IHS-,-,-COE EC 25-1-246 3515789 0822648 987 W EC 25-1-246 30 Nov 96 violations. (2) Ensure that appropriate Department of the Army (DA) and Department of Defense (DoD) security personnel are notified of suspected or verified network security violations. (3) Assist DIM in securing adequat
34、e: (a) funding for security related acquisitions, and (b) training for all Corps personnel having significant security responsibilities. (4) Coordinate with the CEAP-IA Program Management Office (CEIM-S) in the analysis, reviewing and approval/denial of waiver requests. c. The CEAP-IA Program Manage
35、ment Office (CEIM-S) will: (1) Ensure availability of resources to acquire and sustain corporate information assets in support of the Corps necessary “INTERNET Accessible“ network segments. (2) Oversee the distribution and allocation of resources to support the Corps “INTERNET Accessible“ network se
36、gments. (3) Acquire and distribute necessary security software (e.g., firewalls, proxy servers, etc. 1 . (4) Provide for the backup of all corporate “INTERNET Accessible“ network segments, and (5) Provide for the Continuity of Operations (COOP) of corporate “INTERNET Accessible“ network segments. (6
37、) Review, analyze, and recommend approval or denial of waiver requests, in coordination with CEPM. d. The CEAP-IA Network Control Center, Western Processing Center (WPC) will : (1) Manage the operations and control of the packet filtering router(s). (2) Operate the designated proxy servers. (3) Oper
38、ate the SMTP server (s) . (4) Operate the “TP server (s) . 7 Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-COE EC 25-1-246 m 3535789 0822649 813 m EC 25-1-246 30 Nov 96 e. The Alternate Network Control Center, CEAP-IA Program Management Office(CEAP
39、-PM0)Information Infrastructure Support Branch (CEIM-SI) will: (1) Establish and maintain the rules base for packet filtering. (2) Determine the criteria for selection of necessary security hardware/software, electronic tokens, firewalls, proxy servers, etc. (3) Oversee the acquisition, distribution
40、, and maintenance of necessary security hardware/software, electronic tokens, firewalls, proxy servers, etc. f. The U.S. Army Cold Regions Research and Engineering Laboratory (CRREL), as the USACE Internet/Intranet Support Center will: (1) Operate corporate “INTERNET Accessible“ servers (as defined
41、in this circular, and funded by the CEAP-IA Program Management Office or other proponent activity) on a reimbursable basis. (2) Provide support and assistance to USACE elements who elect to make use of corporate “INTERNET Accessible“ servers. (3) Support the network security program by continuously
42、gathering technical information on potential security threats to USACE automation assets and ensuring that relevant information is distributed appropriately. (4) Support the USACE network security program by maintaining an active, thorough awareness of state-of-the-art in INTERNET technology, standa
43、rds, tools, and security capabilities and weaknesses; employing such tools and awareness in the protection of corporate “INTERNET Accessible“ systems; and, advising USACE elements in the employment of such tools and techniques for the protection of local assets. (5) Incorporating appropriate INTERNE
44、T specific security issues awareness into various presentations and training sessions that CRREL presents throughout USACE. g. All HQUSACE staff elements and Commanders, USACE Major Subordinate Commands (MSC) and their Districts (including Resident, Area, and Project Offices), Laboratories, Centers,
45、 and Field Operating Activities (FOA) shall: (1) Ensure that organization appointed Information Systems 8 Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,- COE EC 25-1-2Yb m 3535789 0822650 535 m EC 25-1-246 30 Nov 96 Security Manegers(fSCMs), nformat
46、ion System Security officers (ISSOS), Network Security Officers NSOs), and Systems Administrators (SAS) are familiar with and comply with policies and procedures as set forth by this circular. (2) Ensure that all communications assets within their purview come into compliance with the requirements o
47、f this circular within nine (9) months of publication. (31 Ensure that adequate resources for security-related acquisitions, training, and awareness are programed in the operating budgets . h. All USACE Directors of Information Management (DIMS), and Chiefs of Information Management (CIMs) shall: (1
48、) Be familiar the requirements of this circular and ensure cornpliance with the requirements of this circular by their subordinates within 9 months of publication. (21 Encourage the centralization of network security requirements within organizational areas. i- The Functional Proponents of Automated
49、 Information Systems (AIS) and/or computing/communications resources external to the enterprise network will: (11 Comgly with requirements of this circular, including waiver applications if deemed necessary. (2) Ensure the availability of funds/resources to acquire and/or maintain hardware and/or software required to support dedicated functional data servers and/or support any uniquely identified network operating security procedure r
