
The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.


Overview

Finding ID: V-3054
Version: NET0377
Rule ID: SV-3054r3_rule
IA Controls: (none listed)
Severity: Medium
Description
The risk of attack increases with every additional service enabled on the firewall, because the firewall listens on the network for each of them. If non-firewall services (e.g., DNS servers, e-mail servers, FTP servers, web servers) are bundled in the standard firewall suite but are not necessary for administration of the firewall, they will be uninstalled or disabled.
STIG: Firewall Security Technical Implementation Guide
Date: 2017-12-07

Details

Check Text ( C-3672r3_chk )
Have the Firewall Administrator display the services running on the firewall appliance or underlying OS. CAVEAT: Anti-virus software running on the firewall's OS would be an exception to the above requirement. It is recommended that anti-virus software be implemented on any non-appliance firewall if supported. However, it is not a finding if anti-virus software has not been implemented.

If services that are not necessary for the administration of the firewall are found to be running on the firewall, this is a finding.
Fix Text (F-3079r2_fix)
The Firewall Administrator will only utilize services related to the operation of the firewall. Any unnecessary services, even if they are part of the firewall standard suite, must be uninstalled or disabled.
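One way to perform the check above on a Linux-based (non-appliance) firewall, and to produce the list that the fix text says must be uninstalled or disabled, is to compare the sockets the host is listening on against an allowlist of services that the firewall actually needs. The script below is an added example, not part of the STIG or any vendor's compliance tooling. It assumes the host's `ss` utility (the `ss -tulpnH` output format), an allowlist that is only illustrative (`sshd` for remote administration, `chronyd` for time sync, `rsyslogd` for logging; an anti-virus daemon would be added here under the check text's caveat), and a constructed sample of `ss` output so that it runs offline. On a dedicated appliance the equivalent listing comes from the vendor's management CLI instead.

```shell
#!/bin/sh
# Added example: audit listening services on a Linux-based firewall host
# against an allowlist of services needed to run and administer the firewall.
# Anything else is reported as a candidate finding for NET0377.

# Illustrative allowlist (an assumption, not from the STIG). Derive the real
# one from the firewall's documented management requirements; anti-virus
# software on the firewall OS is exempt per the check text and belongs here.
ALLOWED_SERVICES="sshd chronyd rsyslogd"

# audit_listeners: read `ss -tulpnH`-style lines on stdin and print one line
# per listening socket whose owning process is not in the allowlist, as
# "<proto> <local addr:port> <process>". Sockets with no process information
# (e.g. ss run without root) are reported as "unknown", which is deliberately
# conservative: the reviewer must identify them, not silently pass them.
# Returns 1 if any non-allowlisted listener was found, 0 otherwise.
audit_listeners() {
    allowed="$1"
    awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Field 1 is the protocol, field 5 the local address:port; the process name
    # is the first quoted string inside users:(("name",pid=...,fd=...)).
    {
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        if (!(proc in ok)) { print $1, $5, proc; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample of `ss -tulpnH` output (not captured from a real host):
# an SSH daemon and syslog/NTP that belong on a firewall, plus a web server,
# an FTP server and a DNS server that do not, and one socket with no process
# information at all.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*    users:(("nginx",pid=1203,fd=6),("nginx",pid=1202,fd=6))
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*    users:(("chronyd",pid=640,fd=5))
tcp   LISTEN 0      5            0.0.0.0:21         0.0.0.0:*    users:(("vsftpd",pid=1310,fd=4))
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*    users:(("named",pid=701,fd=21))
tcp   LISTEN 0      128        127.0.0.1:514        0.0.0.0:*    users:(("rsyslogd",pid=699,fd=8))
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*'

# Run against the constructed sample. On a real host replace this with:
#   ss -tulpnH | audit_listeners "$ALLOWED_SERVICES"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "$ALLOWED_SERVICES" \
    || echo "FINDING: services not required for firewall administration are listening"
```

Against the sample the script reports the web, FTP and DNS listeners and the unidentified socket on port 8080, and exits non-zero; a host whose only listeners are on the allowlist produces no output and exits 0. Each reported service is then either justified and added to the allowlist, or, as the fix text requires, disabled and removed (on a systemd host, `systemctl disable --now <unit>` followed by uninstalling the package, so it cannot be re-enabled by a later update).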