Implementing NIST 800-53 Using USP

You can implement NIST 800-53 regulation compliance that is tailored to your specific business requirements and network topology using a Unified Security Policy (USP). View compliance reports from the violations browser at any time, and verify compliance with each specific regulation. If a regulation is not in compliance, identify the specific device and rule that is causing the violation.

Overview

To implement best practices or the compliance regulations of a standard, you need to create a USP Matrix containing the compliance zones required by the standard. The compliance zones are placeholder zones into which you place your network zones, using SecureTrack zone hierarchies. Your existing zones can then be collected into these compliance zones, to ensure compliance monitoring of your entire network. To ensure that you maintain ongoing compliance as your network topology evolves, we recommend that you periodically review the hierarchy of your compliance zones.

The required NIST 800-53 compliance zones are:

  • Corporate
  • DMZ
  • Internet
  • Database
  • Wireless Network
  • Admin Network
  • Application
  • Users Network
  • VoIP

Create the USP

To create a Unified Security Policy that implements NIST 800-53:

Before you create this USP, make sure all the required compliance zones have been created (see Network Zones).

  1. From the menu, go to Browser > USP Viewer.
  2. Click +ADD UNIFIED SECURITY POLICY.
  3. Select NIST 800-53 from the menu. The zones required for NIST 800-53 appear.

  4. For each required zone displayed, select the appropriate compliance zone.

  5. (optional) Enter the USP description.

  6. Click Create.

The NIST 800-53 USP has now been created. You can click on the card to view the matrix in the USP Builder and modify the policy as needed.

The following requirements are defined in the USP matrix:

Source / Destination

Admin Network

Application

Corporate

Database

DMZ

Internet

Users Networks

VoIP

Wireless Networks

Admin Network

Allow All

Block all

Block all

Block all

Block all

Block all

Block all

Block all

Block all

Application

Allow only

RDP
ssh
tcp 80
tcp 443

Block all

Block all

Block all

Allow only

TCP 8080

Block all

Block all

Block all

Block all

Corporate

Allow only

RDP
ssh
tcp 80
tcp 443
udp 53
tcp 53
tcp 445
tcp 389
tcp 686

Block all

Block all

Block all

Block all

Block all

Allow only

ssh
tcp 53
udp 53
udp 67
udp 68
tcp 389
tcp 686
tcp 445
tcp 3389

Allow only

tcp 53
udp 53
udp 67
udp 68
tcp 389
tcp 8404

Allow only

tcp 53
udp 53
tcp 389
tcp 686
tcp 445
ssh

Database

Allow only

ssh RDP
tcp 1433
tcp 3306
tcp 1521
tcp 1830
tcp 1434

Allow only

tcp 1433
tcp 3306
tcp 1521
tcp 1830
tcp 1434

Block all

Block all

Block all

Block all

Block all

Block all

Block all

DMZ

Allow only

ssh
RDP
tcp 80
tcp 443

Block all

Block all

Block all

Block all

Allow only

tcp 80
tcp 443

Allow only

tcp 80
tcp 443

Block all

Allow only

tcp 80
tcp 443

Internet

Allow only

tcp 80
tcp 443

Block all

Block all

Block all

Block all

Allow all

Allow only

tcp 80
tcp 443

Block all

Allow only

tcp 80
tcp 443

Users Networks

Allow all

Block all

Block all

Block all

Block all

Block all

Allow all

Allow only

tcp 5060
udp 5060
tcp 5061
udp 5061

Allow all

VoIP

Allow only

tcp 5060
udp 5060
tcp 5061
udp 5061
ssh
RDP
tcp 1720
tcp 2727
udp 2727
udp 2443
tcp 2443

Block all

Allow only

tcp 5060
udp 5060
tcp 5061
udp 5061
ssh
tcp 1720
tcp 2727
tcp 2443

Block all

Block all

Block all

Allow only

tcp 5060
tcp 5061
udp 5060
udp 5061

Allow all

Allow only

tcp 5060
tcp 5061
udp 5060
udp 5061

Wireless Networks

Allow all

Block all

Block all

Block all

Block all

Block all

Allow all

Block all

Allow all