What is a STIG?
The Security Technical Implementation Guidelines (STIG) are device security guidelines set by the US government's Defense Information Security Agency (DISA). DISA is responsible for maintaining the security requirements necessary to access the Department of Defense Information Systems Information Networks (DODIN). Updates are released quarterly.
- Our focus is on visibility into your network. In our demonstration, we’re going to zero in on the STIGs applicable to your switches, routers, firewalls, and load balancers.
- STIGs are broken down by vendor, device type, and operating system and generally come from the best practices set by vendors to secure the OS. This is where we see some overlap with CVEs.
How STIGs are typically handled
When it comes to keeping up with STIG compliance, especially around audits, defining best practices can be painfully time-consuming.
DISA provides their STIG viewer for viewing STIGs and creating checklists. For each device, you have to:
- Find it in the STIG viewer.
- Locate the STIG files that apply to that device.
- Make a checklist and input this device information.
- Go down the line for each ID running show commands to check your config for each one of these IDs.
In our demonstration, you see that one router, we have to review 144 rules. That’s time-consuming in itself, but imagine the time spent on an enterprise network with hundreds to thousands of devices!
How Forward Networks handles STIGs
See the NQE demonstration in the video above
- Import STIGS from DISA and reformat as NQE
- NQE stands for Network Query Engine and is Forward Networks’ proprietary language to interrogate your network. STIG information is available and maintained as NQE
- Develop Queries and QC for accuracy and usability for customers
What about non-standard STIGs?
See the NQE demonstration in the video above
An NDM STIG, whether it's for a router, L2 or L3 switch, has basic device configs that are easy to convert, but requirements are rarely so simple. One example we see is when looking at STIGs under Cisco IOS_XE Router RTR, ID CISC-RT-000010 says to filter "traffic for specific source and destination addresses as well as ports and protocols." This requirement can be met a number of ways and will differ from one organization to another. Without looking at your network, we have no way of knowing what the configuration looks like. The example provided shows an ACL and how the interfaces should be configured to allow traffic to pass through.
When we create queries for these complex requirements, we strive to get you as close to the finish line as possible. Using this example, all you have to do is paste in your ACL and run the query.
Have questions? Ask below!
Recommended assets
