The ALG that is part of a CDS must enable/disable organization-defined security policy filters under organization-defined conditions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000021-ALG-000068	SRG-NET-000021-ALG-000068	SRG-NET-000021-ALG-000068_rule		Medium

Description
Configuration and enforcement of administrator privileges ensures only authorized users have access to certain commands and functions on the network element. The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to enable and disable policy filters. Policy filters serve to enact and enforce the organizational policy as it pertains to controlling data flow. Security policy filters can address data structures and content. These filters may include dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters. This control can be met by assigning the privilege to enable or disable security policy filters to privilege groups and then assigning users to these groups (role-based access control). Authorization to add, modify, or delete security policy filters must require the highest privilege level. If system administrators cannot be configured with different security privileges, then need-to-know cannot be enforced.

Description

Configuration and enforcement of administrator privileges ensures only authorized users have access to certain commands and functions on the network element. The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to enable and disable policy filters. Policy filters serve to enact and enforce the organizational policy as it pertains to controlling data flow. Security policy filters can address data structures and content. These filters may include dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters. This control can be met by assigning the privilege to enable or disable security policy filters to privilege groups and then assigning users to these groups (role-based access control). Authorization to add, modify, or delete security policy filters must require the highest privilege level. If system administrators cannot be configured with different security privileges, then need-to-know cannot be enforced.

STIG	Date
Application Layer Gateway Security Requirements Guide	2014-06-27

Details

Check Text ( C-SRG-NET-000021-ALG-000068_chk )
If the ALG is not part of a CDS, this is not a finding. Verify the ALG is configured to allow a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. If the ALG is not configured to allow a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions, this is a finding.

Check Text ( C-SRG-NET-000021-ALG-000068_chk )

If the ALG is not part of a CDS, this is not a finding.

Verify the ALG is configured to allow a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.

If the ALG is not configured to allow a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions, this is a finding.

Fix Text (F-SRG-NET-000021-ALG-000068_fix)
Configure the ALG to allow a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.