
The ALG must inspect inbound and outbound FTP and FTPS traffic for harmful content.


Overview

Finding ID: SRG-NET-000512-ALG-000065
Version: SRG-NET-000512-ALG-000065
Rule ID: SRG-NET-000512-ALG-000065_rule
IA Controls: (none listed)
Severity: Medium
Description
Allowing traffic through the ALG without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation. The ALG must therefore include an FTP-aware application layer gateway (a proxy for the FTP protocol itself, not just a TCP relay). FTP and FTPS traffic must be inspected both for harmful or malformed protocol exchanges on the control channel and for harmful content carried over the data channel.
STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000512-ALG-000065_chk)
If the ALG does not proxy FTP or FTPS traffic, this is not a finding.

Review the ALG configuration and verify FTP and FTPS traffic is inspected.

Verify the ALG is configured to perform the following:
- drop any connection in which a second command is embedded inside a command line (for example, a CR/LF hidden in a RETR or STOR argument);
- drop truncated commands (command lines without a proper terminator, or PORT/PASV arguments with the wrong number of fields);
- protect against command and reply spoofing (a command such as PORT must only ever arrive from the client side and a reply such as the 227 PASV response only from the server side; a connection in which either arrives from the wrong side is dropped);
- drop invalid port negotiations (PORT/EPRT/PASV/EPSV arguments that name a host other than the endpoint that sent them, or a port outside the permitted range);
- protect FTP and FTPS servers from buffer overflow attacks (reject command lines and arguments that exceed a fixed length).

Note that FTPS encrypts the control and data channels with TLS; the ALG can apply these checks to FTPS only if it terminates TLS and is itself the FTPS endpoint for each side of the session.

If the ALG does not drop FTP and FTPS connections containing harmful or malformed traffic, this is a finding.
Fix Text (F-SRG-NET-000512-ALG-000065_fix)
Configure the ALG to inspect FTP and FTPS traffic and perform the following: drop any connection with embedded commands; drop truncated commands; protect against command and reply spoofing; drop invalid port negotiations; and protect FTP and FTPS servers from buffer overflow attacks by rejecting overlong command lines and arguments.

Additionally, configure the ALG to inspect the content transferred over FTP and FTPS data connections for harmful content, and, for FTPS, ensure the ALG terminates TLS so that the control and data channels are visible to it.
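As an added illustration of the control-channel rules named in the check and fix text above (this is example code written for this page, not part of the SRG and not any vendor's ALG implementation), the following Python script applies strict FTP inspection to constructed sample commands: it drops truncated lines, lines with embedded commands, PORT/EPRT negotiations that point at a host other than the client or at an unexpected port, and overlong lines or arguments. The length limits, the command allow-list, the "data port must be unprivileged" policy, and the sample traffic are all assumptions made for the example.

```python
import ipaddress
import re

# Assumed limits and policy; a real ALG exposes these as configuration.
MAX_LINE_LEN = 512    # bytes in one command line, CRLF excluded
MAX_ARG_LEN = 256     # bytes in the argument part
MIN_DATA_PORT = 1024  # assumed policy: client data ports must be unprivileged

# Assumed allow-list of command verbs (RFC 959, 2428, 4217, 3659).
KNOWN_CMDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "QUIT", "REIN", "PORT", "PASV", "TYPE",
    "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "REST", "RNFR", "RNTO", "ABOR",
    "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST", "STAT", "HELP",
    "NOOP", "EPRT", "EPSV", "FEAT", "OPTS", "AUTH", "PBSZ", "PROT", "MLSD", "MLST",
    "SIZE", "MDTM",
}
_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def validate_data_endpoint(addr, port, client_ip):
    """An active-mode data endpoint must be the client itself on an unprivileged
    port; anything else is an FTP bounce attempt or a malformed negotiation."""
    if ipaddress.ip_address(addr) != ipaddress.ip_address(client_ip):
        return False, f"data address {addr} is not the client {client_ip} (bounce)"
    if not MIN_DATA_PORT <= port <= 65535:
        return False, f"data port {port} outside allowed range"
    return True, "ok"


def check_port_arg(arg, client_ip):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959): six decimal fields, port = p1*256 + p2."""
    m = _PORT_RE.fullmatch(arg)
    if m is None:
        return False, "malformed PORT argument (truncated or wrong field count)"
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return False, "PORT field out of range"
    addr = ".".join(str(o) for o in octets[:4])
    return validate_data_endpoint(addr, octets[4] * 256 + octets[5], client_ip)


def check_eprt_arg(arg, client_ip):
    """EPRT <d><proto><d><addr><d><port><d> (RFC 2428); proto 1 = IPv4, 2 = IPv6."""
    if len(arg) < 2:
        return False, "malformed EPRT argument"
    fields = arg.split(arg[0])            # the first character is the delimiter
    if len(fields) != 5 or fields[0] != "" or fields[4] != "":
        return False, "malformed EPRT argument"
    proto, addr, port_s = fields[1], fields[2], fields[3]
    if proto not in ("1", "2") or not port_s.isdigit():
        return False, "malformed EPRT argument"
    try:
        addr_obj = ipaddress.ip_address(addr)
    except ValueError:
        return False, "EPRT address is not a valid IP address"
    if (proto == "1") != (addr_obj.version == 4):
        return False, "EPRT protocol family does not match the address"
    return validate_data_endpoint(str(addr_obj), int(port_s), client_ip)


def inspect_ftp_command(raw, client_ip):
    """Inspect one client-to-server control-channel line. Returns ('ALLOW'|'DROP', reason)."""
    # Truncated command: RFC 959 requires every command line to end in CRLF.
    if not raw.endswith(b"\r\n"):
        return "DROP", "truncated command (missing CRLF terminator)"
    body = raw[:-2]
    # Embedded command: a CR or LF inside the line smuggles a second command;
    # telnet IAC (0xFF) and NUL bytes have no business in an FTP command either.
    if any(b in body for b in (b"\r", b"\n", b"\xff", b"\x00")):
        return "DROP", "embedded command or control bytes inside command line"
    # Overflow protection: clamp the line before any parser on the server sees it.
    if len(body) > MAX_LINE_LEN:
        return "DROP", f"command line exceeds {MAX_LINE_LEN} bytes"
    try:
        line = body.decode("ascii")
    except UnicodeDecodeError:
        return "DROP", "non-ASCII bytes in command line"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return "DROP", "non-printable bytes in command line"
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb not in KNOWN_CMDS:
        return "DROP", f"unknown command {verb!r}"
    if len(arg) > MAX_ARG_LEN:
        return "DROP", f"argument exceeds {MAX_ARG_LEN} bytes"
    if verb == "PORT":
        ok, why = check_port_arg(arg, client_ip)
        if not ok:
            return "DROP", why
    elif verb == "EPRT":
        ok, why = check_eprt_arg(arg, client_ip)
        if not ok:
            return "DROP", why
    return "ALLOW", "ok"


# Constructed sample control-channel traffic from client 10.0.0.5 (not captured data).
SAMPLE_CLIENT_IP = "10.0.0.5"
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PORT 10,0,0,5,195,80\r\n",             # 10.0.0.5:50000, legitimate active-mode negotiation
    b"PORT 192,168,1,1,0,25\r\n",            # points the server at a third host's port 25: bounce
    b"EPRT |1|10.0.0.5|50000|\r\n",
    b"EPRT |2|10.0.0.5|50000|\r\n",          # address family does not match the address
    b"RETR pub\r\nDELE important.txt\r\n",   # second command embedded in one line
    b"CWD " + b"A" * 600 + b"\r\n",          # overlong argument, the classic overflow probe
    b"LIST",                                 # no terminator: truncated
]


def run_sample():
    """Verdict for each constructed sample line, in order."""
    return [inspect_ftp_command(line, SAMPLE_CLIENT_IP)[0] for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, reason = inspect_ftp_command(line, SAMPLE_CLIENT_IP)
        print(f"{verdict:5} {reason:60} {line[:32]!r}")
```

Run the script to see each verdict with its reason. A real ALG applies the same logic per direction: the server-side inspector would reject a PORT command arriving from the server and a 227 reply arriving from the client (the spoofing case), and PASV/EPSV replies from the server would be validated against the server's own address before the ALG opens the pinhole for the data connection.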