Need help/clarification from DoD professionals

NavyIT Member Posts: 171
Is a proxy required for authentication for people coming from a .com/.net? Is there a DoD instruction that states this requirement?


Need help finding documentation supporting this. Any assistance is appreciated! Thanks!

Can a single server on a Federal IS provide authentication and host applications/services? Is this against best practices or a DoD instruction? Is there documentation that gives guidance?



A group is trying to have a single server provide authentication to the network and also host applications/services that require authentication on that same server.

Our argument is that there should be a proxy server that provides authentication and then you can access the server with the application/services on it.

I can't find any DoD instructions or documentation that states that this is a requirement or even a best practice.

Is anyone aware of any documentation to support this? Thanks!
A.S. - Computer Networking: Cisco
B.S. - Computer & Network Security

Comments

  • Nersesian Users Awaiting Email Confirmation Posts: 96 ■■□□□□□□□□
    Howdy...

    I might be able to help. [insert list of DOD quals here] You're most likely not going to find up to date DOD documentation on best practices due to the risk management framework for DOD information technology (8510.01) assigning best practice accountability on page 45 of the directive to Homeland Security.

    http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf

    Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23.

    So I started poking around DHS documentation and found this:

    http://www.dhs.gov/sites/default/files/publications/TIC_Ref_Arch_v2%200_2013.pdf

    On page 9, TIC architecture is covered, which if you look on the diagram, shows both inbound and outbound proxies in front of any auth or app server on the D/A internal zone. Also:

    - Border between an organization’s internal infrastructure (users, systems, data) and external resources. Serves as the termination point for external connections and utilizes a standard set of security controls to monitor, authenticate, and filter data flows that enter/exit the TIC access point.

    That translates in my mind as use of a proxy as best practice. Your interpretation may vary of course.

    Edit - one other thing...

    In the same DHS document, page 13 lists use of a proxy as critical for any TIC access point. I don't read gud.
  • NavyIT Member Posts: 171
    Thanks Nersesian!

    I think this is a good start and will help me make a case. I'm still looking for documentation that says it's a requirement. I would really like a DoD Instruction or a CTO or something. I'll take these documents and put something together.

    Thanks again!
    A.S. - Computer Networking: Cisco
    B.S. - Computer & Network Security
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    You might be able to frame it by showing the diagram, then asking them to justify their request for deviation from that recommended model, or something similar.
    Working on: staying alive and staying employed
  • NavyIT Member Posts: 171
    colemic wrote: »
    You might be able to frame it by showing the diagram, then asking them to justify their request for deviation from that recommended model, or something similar.


    I would but the only problem is that I'm working in a DoD environment and the diagram is from a DHS diagram. If I had something similar to that document that was in the form of a DoD instruction it may work.
    A.S. - Computer Networking: Cisco
    B.S. - Computer & Network Security
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Didn't Nersesian say that RMF Framework best practices are directed to be sourced from DHS?

    I would definitely say that separating the functions is an industry best practice... your proxy server would sit in DMZ, so external users would never have direct access to the internal network. I'd also hope they are using something besides username/password (such as two-factor token, etc.)

    At some point, hopefully you (or your boss, boss's boss, etc.) has the political firepower to say no.

    Sounds like you're doing the 'fun' part of IA. :)
    Working on: staying alive and staying employed
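    As an added illustration of the split colemic describes (an authenticating proxy in the DMZ, with the application server reachable only through it), here is an nginx reverse-proxy configuration for the DMZ host. This is example configuration written for this thread, not from any DoD or DHS document; the hostnames, addresses, certificate paths and the X-Client-DN header name are assumptions.

```nginx
# DMZ reverse proxy (assumed host: proxy.dmz.example.mil). External users
# authenticate here; nothing reaches the internal application server until
# the proxy has verified the client. All names, addresses and paths are
# assumptions for illustration.

upstream internal_app {
    # Internal application server. Its host firewall should accept port 8443
    # only from this proxy's address, so the proxy is the sole path in.
    server 10.10.20.5:8443;
}

server {
    listen 443 ssl;
    server_name apps.example.mil;

    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require a client certificate (e.g. a smart-card/PKI credential) rather
    # than a bare username/password. The proxy, not the app server, checks
    # the certificate against the trusted CA chain.
    ssl_client_certificate /etc/nginx/tls/ca-chain.pem;
    ssl_verify_client      on;
    ssl_verify_depth       3;

    location / {
        # Only requests that passed certificate verification reach this block.
        proxy_pass https://internal_app;

        # Re-encrypt to the app server and verify its certificate too, so the
        # DMZ-to-internal hop is not a cleartext or unauthenticated path.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;

        # Hand the verified identity to the application. The app must accept
        # this header only on connections originating from the proxy address;
        # otherwise anyone who can reach it directly could forge the identity.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

    Direct connections from outside to 10.10.20.5 are blocked at the internal host, so an attacker who bypasses the proxy gains nothing from knowing the header name; the trust in X-Client-DN rests on the source address restriction, not on the header itself.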
  • Nersesian Users Awaiting Email Confirmation Posts: 96 ■■□□□□□□□□
    I should probably add that I don't have daily interaction with DOD or DHS. What I can say is that I worked for a large DOD contractor during the time when DOD IT was being placed under the jurisdiction of DHS and simply defaulted to what was considered their best judgement regarding infrastructure and architectural decisions. This resulted in a seemingly endless stream of memos like email chains from your grandmother.

    ...and I only worked on NIPRNet so this most likely doesn't apply to SIPRNet. I've got a guy I can ask, but he's on holiday with the family. PM me if you don't get a solid answer on this and I can ping him after Thanksgiving. He works for these guys: Invertix | Engineering National Security setting up those crazy secure communication pods for DOD contractors.