
The ALG that provides CDS must use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.


Overview

Finding ID: SRG-NET-000323-ALG-000067
Version: SRG-NET-000323-ALG-000067
Rule ID: SRG-NET-000323-ALG-000067_rule
IA Controls:
Severity: Medium
Description
If information flow is not enforced based on approved authorizations, the system may become compromised. A mechanism to detect and prevent unauthorized communication flow must be configured and used to filter information flow across security boundaries protected by the ALG. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. Security attributes may be used to manage information flow control. Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and/or source/destination objects. The ALG uses the result of the attribute-object comparison to take an organization-defined action based on configured rules. Security attributes most often include source and destination addresses.
STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000323-ALG-000067_chk)
If the ALG is not part of a CDS, this is not a finding.

Verify the ALG is configured to use source and destination security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.

If the ALG is not configured to use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions, this is a finding.
Fix Text (F-SRG-NET-000323-ALG-000067_fix)
Configure the ALG to use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.