[179210] in North American Network Operators' Group
Re: Meeting IRS requirements for encrypted transmission of FTI
daemon@ATHENA.MIT.EDU (Watson, Bob)
Thu Apr 2 20:13:29 2015
X-Original-To: nanog@nanog.org
From: "Watson, Bob" <Bob.Watson@wwt.com>
To: "Hunt, Fred - DCF" <Fred.Hunt@wisconsin.gov>
Date: Thu, 2 Apr 2015 22:13:10 +0000
In-Reply-To: <8c2fac49d96c434b89d3d180621355c4@MEWMAD0P1964.accounts.wistate.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
MACsec use cases are valid when working with hop-by-hop encryption needs between closets / buildings where structured wiring is not within control of agency personnel; in the case of other states we provide consulting services to, think multi-tenant building with shared closet from other state agencies, or building leases with outsourced cabling. Router / firewall based VPN is an option as well if transiting a consolidated state network or SP based public or private network. The physical sec control to mitigate true end to end helps rein back some of the costed options.
9.3.16.6 Transmission Confidentiality and Integrity (SC-8)
Information systems that receive, process, store, or transmit FTI, must:
a. Protect the confidentiality and integrity of transmitted information.
b. Implement cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN). (CE1)
If encryption is not used, to reduce the risk of unauthorized access to FTI, the agency must use physical means (e.g., by employing protected physical distribution systems) to ensure that FTI is not accessible to unauthorized users. The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4).
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines).
On Apr 2, 2015, at 2:15 PM, Hunt, Fred - DCF <Fred.Hunt@wisconsin.gov> wrote:
Does anyone have previous experience meeting IRS requirements for the encrypted transmission of FTI across a LAN and WAN, specifically the requirements called for in IRS Publication 1075?
The IRS tests for the following:
All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.
MACsec is what we are looking at right now. I'm wondering if anyone who has been through such an implementation could share lessons learned, gotchas, etc.
Any input is appreciated.
Fred
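The SC-8 test quoted in this thread comes down to three things a host can actually report about a MACsec link: encryption is on (not the integrity-only mode MACsec also offers), received frames are validated so tampering is detected, and the cipher suite implies a key of at least 128 bits. The script below is an added example and not from either poster: it parses the text that iproute2's `ip macsec show` prints on Linux and flags interfaces that fall short. The sample output is constructed for the example. One caveat the output cannot settle: whether the crypto module is FIPS 140-2 validated is a property of the vendor's certificate, not of anything the interface reports.

```python
"""Audit Linux MACsec interfaces against the Pub 1075 SC-8 criteria
quoted above: confidentiality (encryption enabled), integrity (strict
frame validation) and a key of at least 128 bits.

Input is the text `ip macsec show` prints. The sample below is
constructed for this example, not captured from a real system.
"""
import re
from dataclasses import dataclass, field

MIN_KEY_BITS = 128

# Key length implied by each cipher suite name iproute2 prints.
CIPHER_KEY_BITS = {
    "GCM-AES-128": 128,
    "GCM-AES-256": 256,
    "GCM-AES-XPN-128": 128,
    "GCM-AES-XPN-256": 256,
}

# Constructed sample: one compliant link, one integrity-only link,
# one link with protection switched off entirely.
SAMPLE_IP_MACSEC_SHOW = """\
3: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0001020304050001 on SA 0
4: macsec1: protect on validate check sc off sa off encrypt off send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0001020304050002 on SA 0
5: macsec2: protect off validate disabled sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-256, using ICV length 16
    TXSC: 0001020304050003 on SA 0
"""


@dataclass
class MacsecIface:
    name: str
    flags: dict = field(default_factory=dict)
    cipher: str = ""


def parse_ip_macsec_show(text):
    """Return one MacsecIface per interface block in the command output."""
    ifaces = []
    current = None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+(\S+):\s+(.*)$", line)
        if head:
            current = MacsecIface(name=head.group(1))
            # The header line is a flat "key value key value ..." list.
            tokens = head.group(2).split()
            current.flags = dict(zip(tokens[0::2], tokens[1::2]))
            ifaces.append(current)
            continue
        cs = re.match(r"^\s+cipher suite:\s+(\S+),", line)
        if cs and current is not None:
            current.cipher = cs.group(1)
    return ifaces


def key_bits(cipher):
    """Key length for a cipher suite name, or None if unrecognised."""
    return CIPHER_KEY_BITS.get(cipher)


def audit(iface):
    """List the SC-8 criteria this interface fails (empty means compliant)."""
    findings = []
    if iface.flags.get("protect") != "on":
        findings.append("protect off: frames leave without MACsec protection")
    if iface.flags.get("encrypt") != "on":
        findings.append("encrypt off: integrity-only mode, confidentiality not met")
    if iface.flags.get("validate") != "strict":
        findings.append("validate %s: unprotected or altered frames are not dropped"
                        % iface.flags.get("validate", "unset"))
    bits = key_bits(iface.cipher)
    if bits is None:
        findings.append("unknown cipher suite %r" % iface.cipher)
    elif bits < MIN_KEY_BITS:
        findings.append("%s: %d-bit key below %d-bit minimum"
                        % (iface.cipher, bits, MIN_KEY_BITS))
    return findings


def audit_report(text):
    """Map interface name -> list of findings for a whole command output."""
    return {i.name: audit(i) for i in parse_ip_macsec_show(text)}


if __name__ == "__main__":
    for name, findings in audit_report(SAMPLE_IP_MACSEC_SHOW).items():
        status = "OK" if not findings else "FAIL"
        print(name, status)
        for f in findings:
            print("   ", f)
```

On a real host, feed it `subprocess.run(["ip", "macsec", "show"], capture_output=True, text=True).stdout` instead of the constructed sample. The `validate strict` check is deliberately included: MACsec with `encrypt on` but lax validation still leaks nothing, but it will happily accept unprotected frames from the peer, which defeats the "detect changes to information during transmission" half of the control.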