
The ALG that proxies HTTP traffic must inspect inbound and outbound HTTP and HTTPS traffic for harmful content.


Overview

Finding ID: SRG-NET-000512-ALG-000066
Version: SRG-NET-000512-ALG-000066
Rule ID: SRG-NET-000512-ALG-000066_rule
IA Controls:
Severity: Medium
Description
Allowing traffic through the ALG without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation.
STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000512-ALG-000066_chk)
If the ALG does not proxy HTTP or HTTPS traffic, this is not a finding.

Review the ALG configuration to confirm that both inbound and outbound traffic is inspected for harmful content and protocol conformance.

Verify inspection of HTTP and HTTPS traffic destined for servers residing in the enclave.

Verify inspection of HTTP and HTTPS traffic from clients and servers in the enclave to servers outside the enclave.

If the ALG does not inspect inbound and outbound HTTP and HTTPS traffic for harmful content, this is a finding.
Fix Text (F-SRG-NET-000512-ALG-000066_fix)
Configure the ALG to inspect inbound and outbound HTTP and HTTPS traffic for harmful content.