Section 4: Perimeter Control
Much as a fence with a locked gate controls who goes in or comes out of an area, a secure perimeter around TxDOT’s network reduces its exposure to unwanted intrusions. Both physical and virtual fences must be properly configured to keep out trespassers. TxDOT is committed to reducing its exposure to potential threats while ensuring authorized individuals have the functionality necessary to perform legitimate business. This section establishes how TxDOT will control its perimeter as part of its Intrusion Prevention Policy and describes the minimum requirements that must be in place to regulate access to its network. This objective provides a boundary-based approach toward the “Protect” objective of the Texas CyberSecurity Framework.
TxDOT takes precautions, through a variety of mechanisms, to safeguard its network perimeter. These precautions include following the principle of Least Functionality; configuring protection devices to deny entry; and using only secured methods to gain access to the network. TxDOT conducts frequent perimeter checks, minimally once per quarter, to identify and disable unnecessary or non-secure functions, ports, protocols or services.
Least Functionality. The principle of Least Functionality limits access to only the amount needed for employees to complete routine job functions. Limiting functionality prevents individuals from maliciously or accidentally exploiting enabled functionality that is unused.
Deny all, allow only by exception rule. Security devices aimed at protecting the perimeter must be configured so that all entry requests are denied unless explicit entry permission is granted. Examples of these devices include firewalls, border routers, intrusion detection systems, and intrusion prevention systems. Additionally, software or applications must have prior approval before use of these connections.
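As an added example of how the Least Functionality and deny-all-allow-by-exception rules above translate into the quarterly perimeter review described in this section (this is illustration code, not TxDOT's own tooling; the rule set, the approved-exception list and the table of non-secure services are all constructed here), the following Python checks a firewall rule set for a default-deny policy, flags allow rules that lack an approved exception or expose a clear-text service, and produces the corrected rule set:

```python
"""Quarterly perimeter rule review: default-deny check and allow-by-exception audit.

Added illustration only; this is not TxDOT's tooling. The rule set, the
approved-exception list and the non-secure service table are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports the review treats as non-secure (clear-text or legacy management).
# Constructed table for the example.
NON_SECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp"}


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    source: str          # CIDR block or "any"
    comment: str = ""


def review_ruleset(default_action: str, rules: List[Rule],
                   approved: Set[Tuple[str, int]]) -> List[str]:
    """Return review findings for a perimeter rule set.

    default_action is the policy applied when no rule matches; approved is
    the set of (proto, port) pairs that carry explicit authorization, i.e.
    the 'allow only by exception' list.
    """
    findings = []
    if default_action != "deny":
        findings.append("default policy is '%s'; must be 'deny'" % default_action)
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen the perimeter
        if r.port is None:
            findings.append("rule '%s' allows every port from %s" % (r.comment, r.source))
            continue
        if (r.proto, r.port) not in approved:
            findings.append("rule '%s' allows %s/%d without an approved exception"
                            % (r.comment, r.proto, r.port))
        if r.port in NON_SECURE_PORTS:
            findings.append("rule '%s' exposes non-secure service %s (%s/%d)"
                            % (r.comment, NON_SECURE_PORTS[r.port], r.proto, r.port))
    return findings


def harden(rules: List[Rule], approved: Set[Tuple[str, int]]) -> Tuple[str, List[Rule]]:
    """Corrected rule set: default deny, keeping only approved, secure allow rules."""
    kept = [r for r in rules
            if r.action == "allow" and r.port is not None
            and (r.proto, r.port) in approved and r.port not in NON_SECURE_PORTS]
    return "deny", kept


# Constructed exception list: the only services with explicit authorization.
APPROVED_EXCEPTIONS = {("tcp", 443), ("udp", 500), ("udp", 4500)}

# Constructed rule set as a reviewer might export it from a border device.
SAMPLE_RULES = [
    Rule("allow", "tcp", 443, "any", "public web portal"),
    Rule("allow", "udp", 500, "any", "IKE for site-to-site VPN"),
    Rule("allow", "udp", 4500, "any", "IPsec NAT-T"),
    Rule("allow", "tcp", 23, "any", "legacy console access"),   # non-secure, no exception
    Rule("allow", "tcp", 8080, "10.0.0.0/8", "test app"),        # no approved exception
    Rule("allow", "any", None, "203.0.113.0/24", "vendor"),      # every port open
]

if __name__ == "__main__":
    for f in review_ruleset("allow", SAMPLE_RULES, APPROVED_EXCEPTIONS):
        print("FINDING:", f)
    policy, rules = harden(SAMPLE_RULES, APPROVED_EXCEPTIONS)
    print("corrected default policy:", policy)
    for r in rules:
        print("keep:", r.proto, r.port, r.source, "-", r.comment)
```

The review produces one finding per violation so each can be reported to the Information Security Office individually; the hardened set is the one that should remain in place until the next quarterly review adds or removes exceptions.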
Individuals who use TxDOT information resources must remain in compliance with Perimeter Control boundaries. Certain key roles have additional responsibilities listed below.
System Administrators must:
- ensure all device configurations meet TxDOT standards
- perform quarterly reviews of the perimeter defenses
- report review findings to the Information Security Office.
The Information Security Officer must:
- review all information systems configurations
- provide authorization to operate for all information systems
- ensure all individuals who use TxDOT information resources comply with the perimeter control boundaries issued in the Intrusion Prevention Policy.
Compliance and Standards
See the “Network Perimeter Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Intrusion Prevention Policy.