
The SA will configure the firewall for the minimum content and protocol inspection requirements.


Overview

Finding ID: V-14643
Version: NET0366
Rule ID: SV-15269r1_rule
IA Controls: DCCS-2, ECSC-1
Severity: Medium
Description
Creating a filter that allows a port or service through the firewall without a proxy or without content inspection, protocol inspection, and flow control creates a direct connection between a host in the private network and a host on the outside, thereby bypassing the additional security measures the firewall could otherwise provide. This places the internal host at greater risk of exploitation, which in turn could leave the entire network vulnerable to attack.
STIG: Firewall Security Technical Implementation Guide - Cisco
Date: 2013-10-08

Details

Check Text (C-12659r1_chk)
Review the firewall configuration and verify that both ingress and egress traffic is being inspected for the following:

DNS Inspection: Protocol conformance, malformed packets, message length and domain name integrity. Query ID and port randomization for DNS query traffic must be enabled.

SMTP Inspection: SMTP and Extended SMTP inspection will be configured to detect spam, phishing and malformed message attacks.

FTP Inspection: FTP is not a recommended file transfer solution. Reference the Enclave STIG for conditional guidance on FTP. The firewall should inspect FTP traffic and drop connections containing embedded or truncated commands, prevent command and reply spoofing, drop invalid port negotiations, and protect FTP servers from buffer overflows.

HTTP Inspection: Inspection of HTTP traffic to servers residing in the enclave is required. Inspection of HTTP traffic from clients and servers in the enclave to servers outside the enclave is also required. HTTP inspection will be configured to filter Java applets and ActiveX objects to meet the enclave security policy. Review the security policy with the Information Assurance Officer and look for Java and ActiveX filters if the security policy requires restrictions.
Fix Text (F-14103r1_fix)
Ensure the firewall has implemented proxies for all services that need to traverse the firewall. If the firewall does not have proxy capability, ensure it is configured to meet the minimum content, protocol and flow control inspection requirements.