Security Control 19:
Secure Network Engineering

Keep poor network design from enabling attackers: use a robust, secure network engineering process so that security controls cannot be circumvented by routing around them. Deploy a network architecture with at least three tiers (DMZ, middleware, private network), and engineer it so that new access controls can be deployed rapidly to deflect attacks in progress.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

19.1

To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, black holes, and other defensive measures.

High: REQ   Med: REQ   Low: REQ
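Rapid shunning only works if the step from "alert" to "rule" is automated and guarded. The following is an added example, not text or code from the control itself: it pulls attacker sources out of constructed alert lines, refuses to block anything inside ranges the organisation must never shun (RFC 1918, loopback, link-local, and 203.0.113.0/24 standing in for the organisation's own public prefix), collapses the survivors into the smallest set of prefixes, and renders them as an nftables set update and as null routes. The alert format, the `shun` set name and the `inet filter` table are assumptions for the demo.

```python
"""Generate shun rules from detection alerts (added example, not from the control).

The alert format, the NEVER_BLOCK list and the nftables table/set names
are assumptions of this demo, not part of the original text.
"""
import ipaddress
import re

# Assumption: ranges that must never be shunned (own infrastructure, RFC 1918,
# loopback, link-local). 203.0.113.0/24 stands in for the org's public prefix.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "203.0.113.0/24",
)]

# Constructed sample alert lines; real alerts would come from the IDS/SIEM.
ALERTS = """\
2024-05-01T10:00:01Z sid=2001219 msg="SSH brute force" src=198.51.100.7
2024-05-01T10:00:04Z sid=2001219 msg="SSH brute force" src=198.51.100.7
2024-05-01T10:00:09Z sid=2024897 msg="web scanner" src=198.51.100.6
2024-05-01T10:00:11Z sid=2024897 msg="web scanner" src=10.0.5.20
2024-05-01T10:00:15Z sid=2010935 msg="SQLi attempt" src=192.0.2.0/25
2024-05-01T10:00:20Z sid=2010935 msg="SQLi attempt" src=192.0.2.128/25
2024-05-01T10:00:25Z sid=2010935 msg="SQLi attempt" src=not-an-ip
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def extract_sources(text):
    """Pull src= values from alert lines, dropping anything unparsable."""
    nets = []
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            continue  # malformed value: skip rather than block garbage
    return nets


def is_protected(net):
    """True if the candidate overlaps any range we must never shun."""
    return any(net.overlaps(p) for p in NEVER_BLOCK)


def build_blocklist(nets):
    """Drop protected ranges, de-duplicate and collapse adjacent prefixes."""
    safe = [n for n in nets if n.version == 4 and not is_protected(n)]
    return sorted(ipaddress.collapse_addresses(safe))


def render_nft(blocklist, table="inet filter", set_name="shun"):
    """nft command to push the list into a pre-existing set (assumed to exist)."""
    elems = ", ".join(str(n) for n in blocklist)
    return [f"nft add element {table} {set_name} {{ {elems} }}"]


def render_null_routes(blocklist):
    """Linux null routes for the same prefixes (edge-router fallback)."""
    return [f"ip route add blackhole {n}" for n in blocklist]


if __name__ == "__main__":
    blocklist = build_blocklist(extract_sources(ALERTS))
    for cmd in render_nft(blocklist) + render_null_routes(blocklist):
        print(cmd)
```

With the constructed alerts, the internal scanner at 10.0.5.20 is dropped, the two /25s merge into 192.0.2.0/24 and the two adjacent hosts merge into 198.51.100.6/31. Keeping the block list in a named set (rather than appending individual rules) is what makes the deployment fast: the ruleset referencing the set never changes, only the set contents do, and an expiry or timeout on the set elements gives a natural way to age shuns out.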

19.2

Segment the network into multiple, separate risk levels (trust zones) to provide more granular control of system access and additional intranet boundary defenses.

High: REQ   Med: REQ   Low: REQ

19.3

DNS should be deployed in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet.

[additional details]

These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet; enforce this with egress filtering that drops TCP and UDP port 53 traffic to the Internet from every other host, so that a client or internal server pointed at an external resolver simply fails rather than bypassing the hierarchy.

High: REQ   Med: REQ   Low: REC
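The three properties of that hierarchy (clients resolve only via intranet DNS, intranet DNS forwards only to the DMZ, only the DMZ resolvers may reach the Internet on port 53) are easy to state and easy to drift from. The following is an added example, not part of the control text: an audit over a constructed host inventory and a constructed first-match egress ruleset, which reports every host that breaks one of the three properties. The tier labels, the host records and the representative Internet address 198.51.100.1 are assumptions for the demo.

```python
"""Audit DNS egress against the tiered resolver design (added example).

HOSTS, EGRESS_RULES and the tier labels are constructed for this demo and
are not part of the original control text.
"""
import ipaddress

# Constructed inventory. 192.0.2.53 stands in for the DMZ forwarder.
HOSTS = {
    "wks-0123":  {"ip": "10.20.3.44", "tier": "client",   "resolvers": ["10.10.0.53", "10.10.1.53"]},
    "wks-0124":  {"ip": "10.20.3.45", "tier": "client",   "resolvers": ["8.8.8.8"]},  # misconfigured
    "dns-int-1": {"ip": "10.10.0.53", "tier": "intranet", "forwarders": ["192.0.2.53"]},
    "dns-int-2": {"ip": "10.10.1.53", "tier": "intranet", "forwarders": ["192.0.2.53", "1.1.1.1"]},  # misconfigured
    "dns-dmz-1": {"ip": "192.0.2.53", "tier": "dmz",      "forwarders": []},  # recurses to the Internet itself
}

# Constructed egress rules (src, dst, proto, dport, action); first match wins.
EGRESS_RULES = [
    ("192.0.2.53/32", "0.0.0.0/0", "udp", 53, "accept"),
    ("192.0.2.53/32", "0.0.0.0/0", "tcp", 53, "accept"),
    ("10.10.1.53/32", "0.0.0.0/0", "udp", 53, "accept"),  # violation: intranet DNS reaching the Internet
    ("0.0.0.0/0",     "0.0.0.0/0", "udp", 53, "drop"),
    ("0.0.0.0/0",     "0.0.0.0/0", "tcp", 53, "drop"),
]


def tier_of(ip):
    """Tier of a known host, or 'unknown' for anything outside the inventory."""
    for h in HOSTS.values():
        if h["ip"] == ip:
            return h["tier"]
    return "unknown"


def egress_allowed(src_ip, proto, dport, dst_ip="198.51.100.1"):
    """First-match evaluation of EGRESS_RULES for a representative Internet destination (assumed)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rsrc, rdst, rproto, rport, action in EGRESS_RULES:
        if (src in ipaddress.ip_network(rsrc) and dst in ipaddress.ip_network(rdst)
                and rproto == proto and rport == dport):
            return action == "accept"
    return False  # no rule matched: treat as denied


def audit():
    """Return one finding per violation of the three hierarchy properties."""
    findings = []
    for name, h in HOSTS.items():
        if h["tier"] == "client":
            for r in h["resolvers"]:
                if tier_of(r) != "intranet":
                    findings.append(f"{name}: resolver {r} is not an intranet DNS server")
        elif h["tier"] == "intranet":
            for f in h["forwarders"]:
                if tier_of(f) != "dmz":
                    findings.append(f"{name}: forwards to {f}, which is not a DMZ DNS server")
        # Only DMZ resolvers may reach the Internet on 53, whatever their resolver config says.
        for proto in ("udp", "tcp"):
            if h["tier"] != "dmz" and egress_allowed(h["ip"], proto, 53):
                findings.append(f"{name}: egress {proto}/53 to the Internet permitted for a non-DMZ host")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed data the audit reports the workstation pointed at 8.8.8.8, the intranet server forwarding to 1.1.1.1, and the egress rule that lets that same server reach the Internet directly. The last check is the one that matters most: resolver settings on hosts are advisory, while the egress rule is what actually decides whether the hierarchy can be bypassed.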

19.4

The network should be designed using a minimum of three-tier architecture (DMZ, middleware, and private network).

[additional details]

DMZ systems must never hold sensitive or restricted data. Any system holding sensitive data should reside on the private network and never be directly reachable from the Internet. Where possible, DMZ systems should communicate with private-network systems only through an application proxy on the middleware tier, so that a compromised DMZ host gains no direct path to the data.

High: REQ   Med: REQ   Low: OPT
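Items 19.2 and 19.4 together describe a zone model: separate trust zones, default deny between them, and a private tier reachable only through the middleware proxy. The following is an added example serving both items, not code from the control text: it encodes the three tiers plus an `internet` zone, an explicit allow matrix for inter-zone flows, and a rule that no flow may skip a tier (a stricter reading of "where possible" in 19.4). `evaluate()` answers a single flow question and `audit_rules()` flags candidate firewall rules that would bypass the design. The zone names, services, ports and candidate rules are assumptions for the demo.

```python
"""Inter-zone policy for a three-tier design (added example, not from the control).

Zone names, the ALLOWED matrix, the services/ports and CANDIDATE_RULES are
constructed for this demo and are not part of the original control text.
"""
from dataclasses import dataclass

# Ordered from least to most trusted; the position is the tier rank.
ZONES = ("internet", "dmz", "middleware", "private")
RANK = {z: i for i, z in enumerate(ZONES)}

# Allowed flows: (src_zone, dst_zone) -> set of (proto, port). Anything absent is denied.
# Assumed services: HTTPS on the DMZ, an application proxy on the middleware tier,
# a database on the private tier. Management and monitoring paths are omitted.
ALLOWED = {
    ("internet", "dmz"):       {("tcp", 443)},
    ("dmz", "middleware"):     {("tcp", 8443)},  # DMZ talks only to the application proxy
    ("middleware", "private"): {("tcp", 5432)},  # proxy talks to the database
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


def evaluate(flow):
    """Return (allowed, reason). Default deny; intra-zone traffic is left to host firewalls."""
    if flow.src_zone not in RANK or flow.dst_zone not in RANK:
        return False, "unknown zone"
    if flow.src_zone == flow.dst_zone:
        return True, "intra-zone (enforce with host firewalls or microsegmentation)"
    # A flow that jumps over a tier bypasses the proxy that tier is supposed to provide.
    if abs(RANK[flow.src_zone] - RANK[flow.dst_zone]) > 1:
        return False, f"{flow.src_zone}->{flow.dst_zone} skips a tier"
    if (flow.proto, flow.port) in ALLOWED.get((flow.src_zone, flow.dst_zone), set()):
        return True, "explicitly allowed"
    return False, "no matching allow entry"


def audit_rules(rules):
    """Flag candidate firewall rules (src_zone, dst_zone, proto, port) the design forbids."""
    findings = []
    for src, dst, proto, port in rules:
        ok, why = evaluate(Flow(src, dst, proto, port))
        if not ok:
            findings.append(f"{src}->{dst} {proto}/{port}: {why}")
    return findings


# Constructed candidate ruleset, as it might arrive in a change request.
CANDIDATE_RULES = [
    ("internet", "dmz", "tcp", 443),
    ("dmz", "middleware", "tcp", 8443),
    ("middleware", "private", "tcp", 5432),
    ("dmz", "private", "tcp", 5432),     # web tier reaching the database directly: skips the proxy tier
    ("internet", "private", "tcp", 22),  # Internet-facing admin access to the private tier
    ("internet", "dmz", "tcp", 3389),    # RDP exposed on the DMZ: not in the allow list
]


if __name__ == "__main__":
    for finding in audit_rules(CANDIDATE_RULES):
        print(finding)
```

Two design choices are worth noting. The allow matrix is keyed by zone pair, not by host, so adding a host to a zone cannot widen what that zone may reach; and the tier-skip check is evaluated before the allow matrix, so even an explicit `("dmz", "private")` entry added later by mistake would still be rejected. Reverse flows such as private to DMZ are also denied by the rank check, which is what you want for a data tier that should only answer requests from the proxy.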

Additional Reading