The firewall must not utilize any services or capabilities other than firewall software (e.g., DNS servers, e-mail client servers, ftp servers, web servers, etc.), and if these services are part of the standard firewall suite, they will be either uninstalled or disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3054	NET0377	SV-3054r2_rule	ECSC-1	Medium

Description
The more services that the firewall has enabled increases the risk for an attack since the firewall will listen for these services.

STIG	Date
Firewall Security Technical Implementation Guide	2015-09-18

Details

Check Text ( C-3672r2_chk )
Have the FA display the services running on the firewall appliance or underlying OS.CAVEAT: Anti-virus software running on the firewall's OS would be an exception to the above requirement. In fact, it is recommended that anti-virus software be implemented on any non-appliance firewall if supported. However, it is not a finding if anti-virus software has not been implemented. If unnecessary services are found to be running on the firewall, this is a finding.

Check Text ( C-3672r2_chk )

Have the FA display the services running on the firewall appliance or underlying OS.CAVEAT: Anti-virus software running on the firewall's OS would be an exception to the above requirement. In fact, it is recommended that anti-virus software be implemented on any non-appliance firewall if supported. However, it is not a finding if anti-virus software has not been implemented.

If unnecessary services are found to be running on the firewall, this is a finding.

Fix Text (F-3079r1_fix)
The Firewall Administrator will only utilize services related to the operation of the firewall and even if they are part of the firewall standard suite, they will be uninstalled or disabled.