
The ALG that is part of a CDS must enforce dynamic traffic flow control based on organization-defined policies.


Overview

Finding ID: SRG-NET-000029-ALG-000079
Version: SRG-NET-000029-ALG-000079
Rule ID: SRG-NET-000029-ALG-000079_rule
IA Controls:
Severity: Medium
Description
Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Enforcement occurs, for example, in boundary protection devices (e.g., advanced gateways and cross domain solution high assurance guards) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). This control is primarily used by organizations with cross domain solution needs. These solutions require advanced filtering techniques and flow enforcement mechanisms, such as high-assurance guards. Dynamic traffic flow control mechanisms are generally not available in commercial off-the-shelf information technology products.
STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000029-ALG-000079_chk)
If the ALG is not part of a CDS, this is not a finding.

Verify changes made to the policy filters (e.g., rule sets or content filters) take effect immediately. The change in the filter must be applied to active sessions as well as new sessions without the need for a restart or recompiling.

If the ALG does not enforce dynamic traffic flow control based on organization-defined policies, this is a finding.
Fix Text (F-SRG-NET-000029-ALG-000079_fix)
Configure the ALG to enforce dynamic traffic flow control based on organization-defined policies.