UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SA will configure the firewall for the minimum content and protocol inspection requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14643 NET0366 SV-15269r1_rule DCCS-2 ECSC-1 Medium
Description
Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, and flow control creates a direct connection between the host in the private network and a host on the outside; thereby, bypassing additional security measures that could be provided. This places the internal host at a greater risk of exploitation that could make the entire network vulnerable to an attack.
STIG Date
Firewall Security Technical Implementation Guide - Cisco 2013-10-08

Details

Check Text ( C-12659r1_chk )
Review the firewall configuration and verify that both ingress and egress traffic is being inspected for the following:

DNS Inspection: Protocol conformance, malformed packets, message length and domain name integrity. Query ID and port randomization for DNS query traffic must be enabled.

SMTP Inspection: SMTP and Extended SMTP inspection will be configured to detect spam, phishing and malformed message attacks.

FTP Inspection: FTP is not a recommended file transfer solution. Reference the Enclave STIG for conditional guidance on FTP. The firewall should inspect FTP traffic and drop connections with embedded commands, truncated commands, provide command and reply spoofing, drop invalid port negotiations, and protect FTP servers from buffer overflow.

HTTP Inspection: Inspection of HTTP traffic to servers residing in the enclave is required. Inspection of HTTP traffic from clients and servers in the enclave to servers outside the enclave is also required. HTTP inspection will be configured to filter Java applets and ActiveX objects to meet the enclave security policy. Review the security policy with the Information Assurance Officer and look for Java and ActiveX filters if the security policy requires restrictions.
Fix Text (F-14103r1_fix)
Ensure the firewall has implemented proxies for all services that need to traverse the firewall. If the firewall does not have proxy capability ensure the firewall is configured to meet the minimum content, protocol and flow control inspection.