UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ALG must inspect inbound and outbound FTP and FTPS traffic for harmful content.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000512-ALG-000065 SRG-NET-000512-ALG-000065 SRG-NET-000512-ALG-000065_rule Medium
Description
Allowing traffic through the ALG without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation. An application layer gateway (also called a proxy or gateway) must be included in the ALG. FTP and FTPS traffic must be inspected for harmful or malformed traffic. Additionally, FTP and FTPS traffic must be inspected for harmful content.
STIG Date
Application Layer Gateway Security Requirements Guide 2014-06-27

Details

Check Text ( C-SRG-NET-000512-ALG-000065_chk )
If the ALG does not proxy FTP or FTPS traffic, this is not a finding.

Review the ALG configuration and verify FTP and FTPS traffic is inspected.

Verify the ALG is configured to perform the following: drop any connections with embedded commands; drop truncated commands; provide command and reply spoofing; drop invalid port negotiations; and protect FTP and FTPS servers from buffer overflow attacks.

If the ALG does not drop FTP and FTPS connections containing harmful or malformed traffic, this is a finding.
Fix Text (F-SRG-NET-000512-ALG-000065_fix)
Configure the ALG to inspect FTP and FTPS traffic and perform the following: drop any connections with embedded commands; drop truncated commands; provide command and reply spoofing; drop invalid port negotiations; and protect FTP and FTPS servers from buffer overflow attacks.

Additionally, inspect FTP and FTPS traffic for harmful content.