Background: Consensus Audit Guidelines – Critical Controls

The Consensus Audit Guidelines (CAG) provide federal agencies with a prioritized baseline of information security measures and controls to help them meet the requirements of the Federal Information Security Management Act (FISMA) and its proposed successor, the U.S. Information and Communications Enhancement (ICE) Act of 2009. The guidelines identify 20 specific technical security controls that are effective in blocking currently known and anticipated high-priority attacks.

A guiding principle of both CAG and the security legislation is the need to “continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented.” This follows from evidence that the majority of breaches are enabled by errors and omissions in consistently and correctly implementing and maintaining controls.

RedSeal software offers capabilities that automatically and continuously monitor many of CAG’s crucial controls. It can serve as a critical component for any organization looking to implement the CAG guidelines.

RedSeal and the CAG

RedSeal Systems develops security posture management software that enables organizations to assess and strengthen their cyber-defenses. RedSeal software continuously monitors and analyzes the combined effect of firewalls, routers, load balancers and hosts to assure that controls are implemented as intended. Unlike systems that detect attacks after they occur, RedSeal identifies holes in the security infrastructure that could be exploited, before attackers discover them.

Critical Controls: RedSeal Capabilities and Sub-Control Specifics

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers and Switches

RedSeal software collects the configuration files for all network devices, checks that the configuration is secure and evaluates the rulesets to assure that they do not contain unintended holes. In addition to evaluating individual devices, RedSeal also evaluates the devices in combination to assess defense-in-depth and assure that attacks are not able to penetrate deeply into the network.

RedSeal specifically implements the CAG recommendation, “Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and search for errors in rule sets or ACLs that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.”

The specific subcontrols monitored by RedSeal software are:

  1. RedSeal automatically compares the actual configuration of each network device against standard secure configurations. RedSeal incorporates numerous industry best-practice checks and allows organizations to add their own configuration checks.
  2. RedSeal identifies exactly which ports and protocols are enabled on each device. RedSeal further analyzes devices in combination to identify what traffic can flow between any two points in the network.
  3. RedSeal’s policy engine documents every enabled traffic flow, together with the individual responsible for approving the flow and the specific business reason. RedSeal manages time-based approvals automatically, flagging enabled access whose approval has expired.

Additionally, Critical Control 4 identifies the need to evaluate the risk created by making exceptions to firewall policies. RedSeal automatically correlates host vulnerabilities with network access, enabling IT personnel to quantify the additional risk created by exposing new hosts and services to untrusted sources.

Critical Control 5: Boundary Defense

RedSeal software continuously monitors multi-layer perimeter defenses to identify security holes and assure that firewalls, proxies and other devices effectively implement perimeter security policy. As the CAG points out, “internal network segmentation is central to this control.” RedSeal analyzes how network devices interact to enable traffic to cross multiple boundaries of a segmented network.

Unlike manual spot tests, RedSeal’s monitoring of the network is comprehensive. It validates that no unauthorized ingress is possible from any internet or extranet access point, and that no unauthorized egress is possible from any point within the network.

The specific subcontrols monitored by RedSeal software are:

  1. RedSeal continuously validates that internal systems are separated from DMZ and extranet systems.
  2. RedSeal continuously monitors the organization-wide rulesets to assure that all outgoing web, FTP and SSH traffic must pass through a DMZ proxy before egressing to the internet.
  3. RedSeal continuously monitors for back-channel connections to the internet that bypass the DMZ, including unauthorized VPN connections.
  4. RedSeal continuously validates that internal network segmentation schemes are being correctly enforced by network devices.
  5. RedSeal assures that outbound traffic to the Internet is forced through authenticated proxy servers on the perimeter.

Critical Control 10: Continuous Vulnerability Assessment and Remediation

RedSeal software analyzes the results of vulnerability scanners in the context of network access. By identifying which vulnerabilities are exposed to untrusted networks as well as which vulnerabilities can be exploited to attack deeper in the network, RedSeal identifies the vulnerabilities that create the greatest risk for the organization and prioritizes vulnerabilities network-wide for remediation.

The specific subcontrols monitored by RedSeal software are:

  1. RedSeal automatically identifies portions of the network that have not been scanned. RedSeal offers further insight by identifying un-scanned systems that are exposed to the internet or extranet, which heightens the risk they pose to the organization.
  2. RedSeal automatically maps vulnerabilities into risk by identifying if compensating network controls have been implemented. RedSeal continuously monitors the risk posed by each vulnerability, flagging vulnerabilities whose risk has been increased by network changes.
  3. RedSeal automatically identifies mitigating network controls for vulnerabilities. It identifies exactly which devices and rules are involved in exposing the vulnerability to untrusted sources, allowing IT organizations to block exploitation on systems where patches cannot be deployed due to business impact.

Critical Control 16: Secure Network Engineering

RedSeal software continuously monitors the actual configuration of network devices to assure that they implement the planned network architecture. RedSeal automatically identifies network configurations that violate the planned architecture and notifies the appropriate user.

The specific subcontrols monitored by RedSeal software are:

  1. Users can define trust zones within the RedSeal software and the policies for access between those zones. RedSeal continuously validates that the access controls between these security zones are implementing the engineering design.

RedSeal also automatically creates network diagrams that show how subnets, routers and firewalls are interconnected, as specifically recommended by the implementation guidelines for this control.
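The checks described under Controls 5, 10 and 16 share one underlying operation: evaluate the ordered rule sets of every filtering device on the path between two points, decide whether a flow can exist, and compare the flows that actually exist against the flows the design allows. The following added example (written for this page, not RedSeal’s code or data) shows that operation on a constructed three-zone network. The device names, addresses, rule sets, zone policy and scanner findings are all assumptions made for illustration; paths between zones are hard-coded rather than derived from routing tables, and traffic within a zone is assumed to be unfiltered.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All data below is constructed for this example (not RedSeal data): three trust
# zones, two filtering devices, and scanner findings to prioritize by exposure.
ZONES = {                                   # longest prefix wins; anything unknown is "internet"
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
HOSTS = {                                   # representative hosts per zone
    "internet": ["198.51.100.7"],
    "dmz": ["203.0.113.10", "203.0.113.20", "203.0.113.30"],   # web, proxy, legacy box
    "internal": ["10.0.0.5", "10.0.0.50"],                     # database, jump host
}

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

DEVICES = {   # ordered rule sets, first match wins, implicit deny at the end
    "edge_fw": [
        Rule("permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),     # public web server
        Rule("permit", "0.0.0.0/0", "203.0.113.0/24", "tcp", 22),       # unintended: SSH to all of DMZ
        Rule("permit", "203.0.113.20/32", "0.0.0.0/0", "tcp", 80),      # proxy egress
        Rule("permit", "203.0.113.20/32", "0.0.0.0/0", "tcp", 443),
    ],
    "core_fw": [
        Rule("permit", "203.0.113.10/32", "10.0.0.5/32", "tcp", 5432),  # web -> database
        Rule("permit", "10.0.0.0/8", "203.0.113.20/32", "tcp", 3128),   # internal -> proxy only
        Rule("permit", "203.0.113.0/24", "10.0.0.0/8", "tcp", 22),      # unintended: DMZ can SSH inward
    ],
}
PATHS = {   # devices a packet crosses between zones (assumed static; a real model uses routing)
    ("internet", "dmz"): ["edge_fw"], ("dmz", "internet"): ["edge_fw"],
    ("dmz", "internal"): ["core_fw"], ("internal", "dmz"): ["core_fw"],
    ("internet", "internal"): ["edge_fw", "core_fw"], ("internal", "internet"): ["core_fw", "edge_fw"],
}
ZONE_POLICY = {   # the engineering design (Control 16): the only zone-to-zone services allowed
    ("internet", "dmz"): {("tcp", 443)},
    ("dmz", "internal"): {("tcp", 5432)},
    ("internal", "dmz"): {("tcp", 3128)},
    ("dmz", "internet"): {("tcp", 80), ("tcp", 443)},
}
PROBE_SERVICES = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3128), ("tcp", 5432)}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net), key=lambda z: ZONES[z].prefixlen)

def device_permits(rules, src, dst, proto, dport) -> bool:
    """First-match evaluation of one device's rule set, with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action == "permit"
    return False

def flow_allowed(src, dst, proto, dport) -> bool:
    """A flow exists only if every device on the path between the two zones permits it."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True                          # assumption: no filtering inside a zone
    return all(device_permits(DEVICES[dev], src, dst, proto, dport) for dev in PATHS[(sz, dz)])

def zone_policy_violations():
    """Controls 5 and 16: enumerate reachable flows and flag any the zone design does not allow."""
    found = []
    for (sz, dz) in PATHS:
        allowed = ZONE_POLICY.get((sz, dz), set())
        for src in HOSTS[sz]:
            for dst in HOSTS[dz]:
                for proto, port in sorted(PROBE_SERVICES):
                    if flow_allowed(src, dst, proto, port) and (proto, port) not in allowed:
                        found.append((sz, dz, src, dst, proto, port))
    return found

FINDINGS = [   # constructed scanner output: (host, proto, port, CVSS)
    ("203.0.113.10", "tcp", 443, 7.5),
    ("203.0.113.30", "tcp", 22, 9.8),
    ("10.0.0.5", "tcp", 5432, 8.1),
    ("10.0.0.50", "tcp", 22, 9.8),
    ("10.0.0.50", "tcp", 3389, 9.0),
]
UNTRUSTED = "198.51.100.7"                  # representative external source

def exposure_hops(host, proto, port) -> Optional[int]:
    """Control 10: 1 = reachable from the untrusted source, 2 = reachable from a host that is
    itself directly exposed (a pivot), None = blocked by a compensating network control."""
    if flow_allowed(UNTRUSTED, host, proto, port):
        return 1
    for pivot, pproto, pport, _ in FINDINGS:
        if (pivot != host and flow_allowed(UNTRUSTED, pivot, pproto, pport)
                and flow_allowed(pivot, host, proto, port)):
            return 2
    return None

def prioritized_findings():
    """Exposed vulnerabilities first (fewest hops), then by severity; unexposed ones last."""
    ranked = [(h, port, cvss, exposure_hops(h, proto, port)) for h, proto, port, cvss in FINDINGS]
    return sorted(ranked, key=lambda f: (f[3] is None, f[3] or 0, -f[2]))

if __name__ == "__main__":
    for v in zone_policy_violations():
        print("policy violation:", v)
    for f in prioritized_findings():
        print("finding:", f)
```

Running it reports nine violations, all caused by the two SSH rules: the edge firewall exposes port 22 on every DMZ host to the internet, and the core firewall lets any DMZ host SSH into the internal network. Neither rule is wrong by itself in isolation; only evaluating the devices together shows that an attacker on the internet can reach the internal jump host in two hops. The prioritization puts the internet-facing SSH finding first, the internal findings reachable through a pivot next, and the high-severity RDP finding last, since no rule on any path lets it be reached; that is the compensating network control the Control 10 text refers to. Note that unauthorized egress (internal hosts reaching the internet directly rather than via the proxy) is covered by the same check, because the internal-to-internet zone pair has no allowed services in the policy.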

Why RedSeal for CAG?

  • Identifies holes in network security
  • Assures continuous policy enforcement
  • Validates FISMA compliance
  • Automates control testing
  • Prioritizes vulnerabilities by risk
  • Reduces scope and frequency of scanning
  • Demonstrates control of risk to auditors