The ALG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000202-ALG-000124 | SRG-NET-000202-ALG-000124 | SRG-NET-000202-ALG-000124_rule | Medium |
| Description |
|---|
| A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. As a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed. This requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic must be denied by default. |
| STIG | Date |
|---|---|
| Application Layer Gateway Security Requirements Guide | 2014-06-27 |
Details
| Check Text ( C-SRG-NET-000202-ALG-000124_chk ) |
|---|
| Examine the policy filters installed on the ALG. Verify the policy filters are configured to deny all network communications traffic inbound and outbound from the application controlled by ALG. If the application gateway is configured to deny inbound and outbound application traffic by default, this is a finding. |
| Fix Text (F-SRG-NET-000202-ALG-000124_fix) |
|---|
| Configure the policy filters to deny all network communication traffic and permit traffic only when allowed by explicit policy filter based on security policy. |