INDUSTRY INTERVIEW: U.S. Department of Homeland Security

Steven Cooper
First CIO
U.S. Department of Homeland Security
Q: Who developed the SANS CAGs and what purpose do they serve?
A: In February 2009, a group of U.S. government agencies—NSA, US-CERT, various Department of Defense computer security groups—and the SANS Institute put out a list of “top 20 controls” that was subsequently published as the CAGs. John Gilligan, who chaired the effort, has been a pillar of the community for years. Allen Paller, with the SANS Institute, was very helpful in support of our early information security efforts at DHS and has helped in the development of this list.
The CAGs’ first recommendation is that companies keep a dynamic inventory of authorized and unauthorized hardware accessing their networks to reduce network attacks via unprotected systems. Having a whitelist and inventory of authorized and unauthorized software is also high on the list. The CAGs are scheduled to undergo pilot implementations this year and have a “high probability of becoming a common set of controls” for private industry.
Q: Why is “Inventory of Authorized and Unauthorized Devices” at the top of the control list?
A: Without an inventory, you cannot hope to proceed. I strongly feel that any security effort, or for that matter most any IT effort, has to start with an accurate understanding of what the ground truth is. That is totally dependent upon an accurate inventory of your networks, attached devices—including wireless—and all hardware and software in use.
Q: How do the CAGs compare with the DISA access control STIG?
A: The CAGs state you must take inventory of authorized and unauthorized devices. The DISA STIG for access control takes it a step further and states that device access must be controlled at the switch port: “Network ports should be both physically and logically secured to prevent unauthorized access to the DoD enclave”; and “Both unclassified and classified networks require the implementation of a logical network port security solution.” Not all NAC solutions are alike, so you need to be sure that if you are implementing a NAC solution, it meets this fundamental requirement outlined in the STIG.
Q: Don’t all access control solutions provide this capability?
A: Unfortunately, no. Some NAC solutions require the deployment of 802.1X to provide port-based access control. Many organizations have yet to deploy it or are not in a position to deploy it, and therefore look to fulfill the STIG requirement using port-based solutions that are not 802.1X-dependent.
Q: So the key is to control access at the switch port?
A: Yes. The key is to do it in a scalable way without blowing your operations budget. Agencies can meet this requirement through “port-based security,” whereby an individual asset is associated with a specific switch port. This type of security is extremely resource-intensive to maintain, because the network administrator needs to manually modify switch configurations anytime a device is added or moved. Also, the drawbacks of this approach are highlighted in the DISA STIG: It is very easy for someone to spoof an individual machine address and connect to the network, thus bypassing this type of solution.
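The two answers above hinge on the same operational fact: port-based security is only as good as the inventory it is checked against, and a spoofed machine address is the obvious way around it. As an added illustration that is not part of the interview and not code from any vendor product, the following script reconciles a constructed authorized-asset inventory (MAC, owner, assigned switch port) against a constructed snapshot of a switch's MAC address table in the Cisco-style "vlan mac type port" layout, and reports the three things a network administrator would want flagged: devices not in the inventory, devices seen on a port other than the one they were assigned, and a single MAC appearing on more than one port at once, which is a duplicate-or-spoof indicator. All asset names, MACs and port names are constructed sample data.

```python
"""
Inventory reconciliation for a port-based access control setup.
Added illustration; not from the interview, the STIG, or any product.
Inventory and switch snapshot below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    owner: str
    assigned_port: str


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form; accepts 'aabb.ccdd.ee01' or 'AA:BB:...'."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: one asset pinned to one switch port.
AUTHORIZED = [
    Asset("00:11:22:33:44:55", "finance-ws01", "Gi1/0/1"),
    Asset("00:11:22:33:44:66", "printer-2f", "Gi1/0/2"),
    Asset("AA:BB:CC:DD:EE:01", "hr-laptop07", "Gi1/0/3"),
]

# Constructed snapshot in the Cisco-style "vlan mac type port" layout.
MAC_TABLE_SNAPSHOT = """\
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    aabb.ccdd.ee01    DYNAMIC     Gi1/0/5
  20    0011.2233.4455    DYNAMIC     Gi1/0/7
  20    dead.beef.0001    DYNAMIC     Gi1/0/8
"""


def parse_mac_table(text: str):
    """Return a list of (mac, port) pairs, skipping blank or short lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append((normalize_mac(parts[1]), parts[3]))
    return entries


def reconcile(inventory, observed):
    """Compare observed (mac, port) pairs with the inventory.

    Returns a dict with:
      unauthorized: [(mac, [ports])]            MAC not in inventory
      moved:        [(owner, assigned, [ports])] seen on a port other than assigned
      duplicated:   [(mac, [ports])]            same MAC on several ports at once
    """
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    ports_by_mac = defaultdict(set)
    for mac, port in observed:
        ports_by_mac[mac].add(port)

    unauthorized, moved, duplicated = [], [], []
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            # One address on two ports cannot be one physical device.
            duplicated.append((mac, sorted(ports)))
        asset = by_mac.get(mac)
        if asset is None:
            unauthorized.append((mac, sorted(ports)))
            continue
        wrong = sorted(p for p in ports if p != asset.assigned_port)
        if wrong:
            moved.append((asset.owner, asset.assigned_port, wrong))
    return {"unauthorized": unauthorized, "moved": moved, "duplicated": duplicated}


if __name__ == "__main__":
    report = reconcile(AUTHORIZED, parse_mac_table(MAC_TABLE_SNAPSHOT))
    for category, findings in report.items():
        print(f"{category}:")
        for finding in findings:
            print("   ", finding)
```

Run against the sample, the script flags the unknown device on Gi1/0/8, the HR laptop that turned up on Gi1/0/5 instead of its assigned Gi1/0/3 (the kind of move that forces a manual switch-config change under plain port-based security), and finance-ws01's address appearing on both Gi1/0/1 and Gi1/0/7 at the same time, which is exactly the spoofing scenario the STIG warns about and the reason a MAC-only binding needs a second signal before it is trusted.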
Q: Are there products or educational resources that can help IT staff embrace and apply these recommendations today?
A: Absolutely. In fact, the Army has an approved product list that identifies the access control products that have been tested, proven and certified to work “as advertised.” It’s called the Army Information Assurance Approved Products List [AIAAPL]. One such tool is CounterACT from ForeScout Technologies, a NAC appliance that does many of the things described above [and other things, as well].
Q: If our readers want to learn more, where can they go?
A: For the military, I’d start with the AIAAPL “recommended list of products.” IT staff are asked to trust and use only those solutions that have been certified and added to the list, so this will save you some time. I also recommend visiting sans.org to learn more about these latest security controls. And, of course, the DISA STIGs and FISMA FIPS documentation offer a wealth of information. Both can be found on the Web at http://iase.disa.mil/stigs/stig/index.html and http://csrc.nist.gov/groups/sma/fisma/index.html.