Subcontrol 12.3

[adammontville]

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

Measures

a) Coverage --># of sent spoofed packets / # of IP addresses provided by (phishtank or clean-mx)

b) Detectability = # of detected Spoofed packed / # of sent spoofed packets

a) Coverage --># of sent spoofed packets / # of unused IP addresses (nmap)

b) Detectability = # of detected Spoofed packets / # of sent spoofed packets

Metrics

See measure.

[adammontville]

NOTES: Two ways to approach this. First is the method UNCC offers - active testing using spoofed packets. Second is checking the running config. Active testing seems more outcome-focused, so we can try for that first.

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

Sub-control Notes:

• What exactly is an unused IP address? Would this encompass private IP ranges being targeted outside the organization's boundaries?
• This sub-controls seems to imply that the organization also maintain a list of trusted IP address ranges and further to identify which of those are necessary.

Inputs:

• List of network boundaries
• List of known-malicious IP addresses
• List of unused IP addresses

Operations:

• For each network boundary, attempt access to each
  • Known-malicious IP address
  • Unused IP address

Measures:

• M1 - Count of sent (spoofed) packets
• M2 - Count of IP addresses provided by input 2 and input 3
• M3 - Count of detected (spoofed) packets

Metrics:

• M1 / M2 - Coverage: The ratio of sent (spoofed) packets to the number of number of IP addresses provided
• M3 / M1 - Detectability: The ratio of detected (spoofed) packets to the number of sent (spoofed) packets

[ealshaer]

INPUT

• List of firewall devices and rules (for each network boundaries)
• List of blacklisted or untrusted domains/hosts for an enterprise.
• List of rule to constitute invalid/inappropriate IP address (assuming this is the "unused" means.) e.g., 127.0.01, spoofed pkt, private IPs etc

Measured

• M1: for each set of devices in the boundry, find if it include all the rules from Input 2 or Input 3
• M2: counting all number of devices

Metric

Ration of network boundary devices that complies with this subcontrol (quality of firewall screening ) = M1/M2

[adammontville]

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

Per 2019-08-14 discussion: Make this more of a level 1 measure than a level 2 measure.

Inputs:

• EI: Endpoint inventory
• List of trusted and necessary IP address ranges
• List of known malicious IP addresses
• List of unused Internet IP addresses

Operations:

• Enumerate all network devices identified as guarding a network boundary
• For each network boundary device, examine its configuration to ensure rules as follows, noting appropriately and inappropriately configured devices:
  • Allow communications only with IP addresses in the list of trusted and necessary IP address ranges
  • Explicitly deny communications with IP addresses in the list of known malicious IP addresses
  • Explicitly deny communications with IP addresses in the list of unused IP addresses

Measures:

• M1 = List of all network boundary devices
• M2 = List of appropriately configured network boundary devices
• M3 = List of inappropriately configured network boundary devices
• M4 = |M1|
• M5 = |M2|
• M6 = |M3|

Metrics:

• M5 / M4 = Ratio of appropriately configured network boundary devices to the total number of network boundary devices