[179211] in North American Network Operators' Group
Re: Meeting IRS requirements for encrypted transmission of FTI
daemon@ATHENA.MIT.EDU (Fred Baker (fred))
Thu Apr 2 23:44:26 2015
X-Original-To: nanog@nanog.org
From: "Fred Baker (fred)" <fred@cisco.com>
To: "Watson, Bob" <Bob.Watson@wwt.com>
Date: Fri, 3 Apr 2015 03:44:21 +0000
In-Reply-To: <37ABCE16-7867-46E0-B09E-D80813200B20@wwt.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>, "Hunt, Fred - DCF" <Fred.Hunt@wisconsin.gov>
Errors-To: nanog-bounces@nanog.org
Dumb question. So this is essentially physical or link layer encryption. That's fine out on the wire, but is decrypted in memory (if I understand what you said), and requires point to point connectivity to be any better than that. Are you aware of anyone at NIST or other places suggesting end to end encryption?
> On Apr 2, 2015, at 3:13 PM, Watson, Bob <Bob.Watson@wwt.com> wrote:
>
> MACsec use cases are valid when working with hop by hop encryption needs between closets / buildings where structured wiring is not within control of agency personnel; in the case of other states we provide consulting services to, think multi-tenant building with shared closet from other state agencies or building leases with outsourced cabling. Router / firewall based VPN is an option as well if transiting a consolidated state network or SP based public or private network. The physical sec control to mitigate true end to end helps rein back some of the costed options.
>
> 9.3.16.6 Transmission Confidentiality and Integrity (SC-8)
>
> Information systems that receive, process, store, or transmit FTI, must:
>
> a. Protect the confidentiality and integrity of transmitted information.
> b. Implement cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN). (CE1)
>
> If encryption is not used, to reduce the risk of unauthorized access to FTI, the agency must use physical means (e.g., by employing protected physical distribution systems) to ensure that FTI is not accessible to unauthorized users. The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4).
>
> This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines).
>
> On Apr 2, 2015, at 2:15 PM, Hunt, Fred - DCF <Fred.Hunt@wisconsin.gov> wrote:
>
> Does anyone have previous experience meeting IRS requirements for the encrypted transmission of FTI across a LAN and WAN, specifically the requirements called for in IRS Publication 1075?
> The IRS tests for the following:
> All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.
>
> MACsec is what we are looking at right now. I'm wondering if anyone who has been through such an implementation could share lessons learned, gotchas, etc.
>
> Any input is appreciated.
>
> Fred