The ALG must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance based on organization-defined flow control policies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000019-ALG-000018	SRG-NET-000019-ALG-000018	SRG-NET-000019-ALG-000018_rule		Medium

Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. This control applies to the flow of information between the ALG and other network devices. Information flow varies based on the specific implementation of the ALG. The flow of all traffic to and from the ALG must be monitored and controlled so this information does not introduce any unacceptable risk to the network or the ALG. Examples of information flow control restrictions include keeping export controlled information from being transmitted in the clear to the Internet or blocking information marked as classified but is being transported to an unapproved destination. The ALG must be configured with policy filters and rule sets that restrict information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. The policy filters used depends upon the type of application gateway (e.g., web, email, or SSL).

Description

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. This control applies to the flow of information between the ALG and other network devices. Information flow varies based on the specific implementation of the ALG. The flow of all traffic to and from the ALG must be monitored and controlled so this information does not introduce any unacceptable risk to the network or the ALG. Examples of information flow control restrictions include keeping export controlled information from being transmitted in the clear to the Internet or blocking information marked as classified but is being transported to an unapproved destination. The ALG must be configured with policy filters and rule sets that restrict information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. The policy filters used depends upon the type of application gateway (e.g., web, email, or SSL).

STIG	Date
Application Layer Gateway Security Requirements Guide	2014-06-27

Details

Check Text ( C-SRG-NET-000019-ALG-000018_chk )
Verify the ALG is configured with policy filters and rule sets that restrict information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. If the ALG is not configured to enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined flow control policies, this is a finding.

Check Text ( C-SRG-NET-000019-ALG-000018_chk )

Verify the ALG is configured with policy filters and rule sets that restrict information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content.

If the ALG is not configured to enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined flow control policies, this is a finding.

Fix Text (F-SRG-NET-000019-ALG-000018_fix)
Configure the ALG to enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined flow control policies.