| SRG-NET-000063-FW-000045 | High | The firewall implementation must be configured to use cryptography to protect the integrity of remote access sessions. | Remote access services enable users outside of the enclave (external interface) to have access to data and services within the private network. In many instances these connections traverse the... |
| SRG-NET-000062-FW-000044 | High | The firewall implementation must use approved cryptography to protect the confidentiality of remote access sessions. | Remote access services enable users outside of the enclave (external interface) to have access to data and services within the private network. In many instances these connections traverse the... |
| SRG-NET-999999-FW-000183 | High | The firewall implementation must restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments. | ACLs are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the... |
| SRG-NET-000227-FW-NA | Medium | The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
| SRG-NET-000060-FW-NA | Medium | The network element must allow the association of security attributes with information by authorized system administrators. | If unauthorized individuals have permission to change security attribute information associations, these individuals may compromise information flow and access control attributes, thus adversely... |
| SRG-NET-000272-FW-000159 | Medium | The firewall implementation must identify and respond to potential security-relevant error conditions. | Error messages generated by various components and services of the network devices can indicate a possible security violation or breach. The firewall implementation must detect and respond to... |
| SRG-NET-000273-FW-000160 | Medium | The firewall implementation must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | The extent to which the firewall is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, these error messages must not reveal... |
| SRG-NET-000132-FW-000081 | Medium | The firewall implementation must be configured to prohibit or restrict the use of organizationally defined functions, ports, protocols, and/or services. | A compromised firewall introduces risk to the entire network infrastructure. A fundamental step in securing each firewall is to disable or restrict the use of functions, ports, protocols, and/or services. |
| SRG-NET-000311-FW-NA | Medium | The network element must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries. | Per most sources, and NIST in particular, the underlying feature in the major threat associated with DNS forged responses or failures, is the integrity of the DNS data returned in the response.... |
| SRG-NET-000023-FW-000022 | Medium | The firewall implementation must enforce security policies regarding information on interconnected systems. | Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative for policy... |
| SRG-NET-000191-FW-000117 | Medium | The firewall implementation must protect against or limit the effects of Denial of Service (DoS) attacks. | A DoS attack against the firewall can leave the network without vital intrusion detection and prevention services, leaving the network and devices open to attack. A variety of technologies exist... |
| SRG-NET-000154-FW-000093 | Medium | The firewall implementation must prohibit password reuse for the organizationally defined number of generations. | Authorization for access to any firewall requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must... |
| SRG-NET-000069-FW-NA | Medium | The network element must protect wireless access to the network using authentication. | The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most... |
| SRG-NET-000267-FW-000154 | Medium | The firewall implementation must verify the correct operation of security functions, in accordance with organizationally defined conditions and frequency. | Security functional testing involves testing the system for conformance to the application's security function specifications, as well as, compliance with the underlying security model.
The need... |
| SRG-NET-000258-FW-NA | Medium | The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities. | IDS and IPS devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor... |
| SRG-NET-000161-FW-000100 | Medium | The firewall implementation must enforce password encryption for transmission. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000186-FW-000113 | Medium | The firewall implementation must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions. | The firewall implementation must be designed and configured to isolate security functions enforcing access and information flow control. Isolation must separate processes that perform security... |
| SRG-NET-000120-FW-000075 | Medium | The firewall implementation must use automated mechanisms to support auditing of the enforcement actions. | Changes to the hardware or software components of the firewall can have significant effects on the overall security of the network. Maintaining audit log records of access events helps to ensure... |
| SRG-NET-000139-FW-000085 | Medium | The firewall implementation must use multifactor authentication for network access to privileged accounts. | Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g., cryptographic... |
| SRG-NET-000200-FW-0000124 | Medium | The firewall implementation must enforce strict adherence to protocol format. | Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by attackers to exploit a host's protocol stack to create a DoS or force a device... |
| SRG-NET-000070-FW-NA | Medium | The network element must protect wireless access to the network using encryption. | The security boundary of a WLAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to... |
| SRG-NET-000071-FW-NA | Medium | The network element must monitor for unauthorized connections of mobile devices to information systems. | This control requires access control for portable and mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and... |
| SRG-NET-000244-FW-000152 | Medium | The firewall implementation must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter. | The organization must employ malicious code protection mechanisms at information system entry and exit points. This protection must detect and eradicate malicious code transported by electronic... |
| SRG-NET-000163-FW-000102 | Medium | The firewall implementation must enforce maximum password lifetime restrictions. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000190-FW-000116 | Medium | The firewall implementation must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information produced by the actions of a prior user, role, or the actions of a process acting on behalf of a prior user or role from being available to... |
| SRG-NET-000150-FW-NA | Medium | The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices. | This requirement is for device to device authentication between wireless network devices and the firewall. Without authentication, an unauthorized device may connect to the firewall and intercept... |
| SRG-NET-000280-FW-000164 | Medium | The firewall implementation must enforce information flow control on metadata. | Metadata is information about one or more pieces of data. This may include information about the data's purpose, creator, origin, or classification. Information flow control regulates where... |
| SRG-NET-000164-FW-NA | Medium | The network element must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor" such as a Certification... |
| SRG-NET-000253-FW-NA | Medium | The network element must only update malicious code protection mechanisms when directed by a privileged user. | Malicious code includes viruses, worms, Trojan horses, and spyware. Protection mechanisms that guard against these attacks must be protected against access by unauthorized individuals. Without... |
| SRG-NET-000014-FW-000014 | Medium | The firewall implementation must be configured to dynamically manage account privileges and associated access authorizations. | Dynamic privilege management includes immediate revocation of privileges (not requiring users to terminate and restart the session to reflect changes in privileges). Dynamic privilege management... |
| SRG-NET-000260-FW-NA | Medium | The network element must take an organizationally defined list of least-disruptive actions to terminate suspicious events. | Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been... |
| SRG-NET-000192-FW-000118 | Medium | The firewall implementation must restrict the ability of users to launch DoS attacks against other information systems or networks. | The firewall implementation must prevent users from using the firewall to launch a DoS attack. Use of mechanisms that throttle traffic and resources so that attackers cannot generate unlimited... |
| SRG-NET-000193-FW-000119 | Medium | The firewall implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks. | Managing excess capacity ensures that sufficient capacity is available
to counter flooding attacks. Managing excess capacity may include establishing selected usage priorities, quotas, or... |
| SRG-NET-000269-FW-000156 | Medium | The firewall implementation must provide notification of failed automated security tests. | Upon detection of a failure of an automated security self-test, the network element must respond in accordance with organizationally defined responses and alternative actions. Without taking any... |
| SRG-NET-000251-FW-NA | Medium | The network element must automatically update malicious code protection mechanisms and rule definitions. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
| SRG-NET-000021-FW-000020 | Medium | The firewall implementation must allow authorized administrators to enable/disable organizationally defined security policy filters. | Organizationally defined security policy filters include dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden... |
| SRG-NET-000144-FW-000088 | Medium | The firewall implementation must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the firewall being accessed. | Single factor authentication poses unnecessary risk to the information system since most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily... |
| SRG-NET-000266-FW-NA | Medium | The network element must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network. | DoD information could be compromised if wireless monitoring is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. A WIDS... |
| SRG-NET-000040-FW-000035 | Medium | The firewall implementation must automatically lock an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator. | The firewall implementation must automatically lock the account for an organizationally defined time period or until released by an administrator according to organizational policy. Locking an... |
| SRG-NET-000199-FW-000123 | Medium | The firewall implementation must prevent discovery of specific system components or devices comprising a managed interface. | Allowing neighbor discovery messages to reach external network nodes is dangerous because it provides an attacker a method of obtaining information about the network infrastructure that can be... |
| SRG-NET-000067-FW-000049 | Medium | The firewall implementation must disable use of organizationally defined networking protocols (on the firewall) deemed nonsecure, except for explicitly identified components in support of specific operational requirements. | Some networking protocols that allow remote access may not meet the security requirements to protect data and components. The organization can either make a determination as to the relative... |
| SRG-NET-000177-FW-NA | Medium | The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions. | Lack of authentication enables anyone to gain access to the network or possibly a network element, thus providing an opportunity for intruders to compromise resources within the network... |
| SRG-NET-000125-FW-NA | Medium | The network element must employ automated mechanisms to centrally manage configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the firewall... |
| SRG-NET-000250-FW-NA | Medium | The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. | One of the top concerns of any firewall solution is false positives. Incorrectly identifying valid access and traffic as an attack can result in constant network traffic disruptions,... |
| SRG-NET-000103-FW-NA | Medium | The network element must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
| SRG-NET-000204-FW-000128 | Medium | The firewall implementation must monitor and enforce filtering of internal addresses posing a threat to external information systems. | Monitoring and filtering the outbound traffic adds a layer of protection to the enclave. Blocking harmful outbound traffic can also prevent the network from being used as the source of an attack. |
| SRG-NET-000035-FW-NA | Medium | The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts. | The concept of least privilege is applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
| SRG-NET-000151-FW-000091 | Medium | The firewall implementation must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices. | This requirement is for device to device authentication between firewall and other network devices. Without authentication, an unauthorized device may connect to the firewall and intercept... |
| SRG-NET-000028-FW-NA | Medium | The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
| SRG-NET-000264-FW-NA | Medium | The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies. | Sensors must be deployed at strategic locations within the network. At a minimum, they must be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering... |
| SRG-NET-000072-FW-NA | Medium | The network element must enforce requirements for the connection of mobile devices to organizational information systems. | This control requires access control for portable and mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and... |
| SRG-NET-000129-FW-NA | Medium | The network element must ensure detected unauthorized security-relevant configuration changes are tracked. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and compromises. Centrally managing configuration changes for the firewall can ensure... |
| SRG-NET-000246-FW-NA | Medium | The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
| SRG-NET-000064-FW-000046 | Medium | The firewall implementation must route all remote access traffic through managed access control points. | Remote access services enable users outside of the enclave (external interface) to have access to data and services within the private network. In many instances these connections traverse the... |
| SRG-NET-000201-FW-000125 | Medium | The firewall implementation must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices. | The enclave's internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of... |
| SRG-NET-000127-FW-NA | Medium | The network element must employ automated mechanisms to centrally verify configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the firewall... |
| SRG-NET-000162-FW-000101 | Medium | The firewall implementation must enforce minimum password lifetime restrictions. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000134-FW-NA | Medium | The network element must employ automated mechanisms to detect the addition of unauthorized components or devices. | This requirement addresses configuration management of the network element as well as detection of unauthorized devices on the network. The network element must automatically detect the... |
| SRG-NET-000265-FW-NA | Medium | The network element must detect attack attempts to the wireless network. | DoD information could be compromised if wireless monitoring is not performed to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network.... |
| SRG-NET-000225-FW-NA | Medium | The network element must associate security attributes with information exchanged between information systems. | This control ensures transmitted information includes security attributes. The firewall implementation must include content inspection and filtering of both the data payload and the metadata... |
| SRG-NET-999999-FW-000175 | Medium | The firewall implementation must have only one local account created for use when the network is not available or direct access on the device is needed. | Authentication for administrative access to the device is required at all times. A single account can be created on the device's local database for use in an emergency such as when the... |
| SRG-NET-000026-FW-000024 | Medium | The firewall implementation must uniquely identify destination domains for information transfer. | Identifying source and destination domain addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing... |
| SRG-NET-000057-FW-NA | Medium | The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Dynamic association of security attributes is appropriate whenever the security characteristics of information change over time. Security attributes may change because of information aggregation... |
| SRG-NET-000065-FW-000047 | Medium | The firewall implementation must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of... |
| SRG-NET-000068-FW-000050 | Medium | The firewall implementation must enforce requirements for remote connections to the network. | Remote access services enable users outside of the enclave (external interface) to have access to data and services within the private network. Enabling access to the network from outside... |
| SRG-NET-000213-FW-000135 | Medium | The firewall implementation must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity. | Terminating network connections associated with communications sessions include, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking... |
| SRG-NET-000187-FW-000114 | Medium | The firewall implementation must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | The firewall implementation must be designed and configured to minimize the number of non-security functions included within the boundary containing security functions. An isolation boundary,... |
| SRG-NET-999999-FW-000176 | Medium | The firewall implementation must be configured to use two or more authentication servers for the purpose of granting administrative access. | The use of an authentication server affords the best methods for controlling user access, authorization levels, and activity logging. By enabling an authentication server, the administrators can... |
| SRG-NET-999999-FW-000174 | Medium | The firewall implementation must reject requests for access or services when the source address received by the firewall specifies a loopback address. | A loopback address is used by an Inter-Processor Control (IPC) mechanism that enables the client and server portions of an application running on the same machine to communicate, so the address is... |
| SRG-NET-000181-FW-000111 | Medium | The firewall implementation must be configured to detect the presence of unauthorized software on organizational information systems. | The firewall monitors the network for known vulnerabilities and malicious software, such as Trojan horses, hacker tools, DDoS agents, and spyware. Many of these vulnerabilities may not be detected... |
| SRG-NET-000184-FW-000112 | Medium | The firewall implementation must isolate security functions from non-security functions. | The firewall implementation must be designed and configured to isolate security functions from non-security functions. An isolation boundary is implemented via partitions and domains. This... |
| SRG-NET-000168-FW-000104 | Medium | The firewall implementation must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and... |
| SRG-NET-999999-FW-000179 | Medium | The firewall implementation must inspect ingress and egress SMTP and Extended SMTP traffic to detect spam, phishing, and malformed message attacks.
| Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, and flow control creates a direct connection between the host in the... |
| SRG-NET-000033-FW-000029 | Medium | The firewall implementation must enforce information flow control using organizationally defined security policy filters as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
| SRG-NET-000015-FW-000015 | Medium | The firewall implementation must enforce approved authorizations for logical access to the firewall in accordance with applicable policy. | Enforcement of approved authorizations for access control allows granularity of privilege assignments for each administrator and ensures only authorized users have access to certain commands and... |
| SRG-NET-000261-FW-NA | Medium | The network element must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
| Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
| SRG-NET-000203-FW-000127 | Medium | The firewall implementation must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. | The firewall proxy service (proxy server) is designed to hide the identity of the client when making a connection to a server on the outside of its network, such as a web server, web mail, and... |
| SRG-NET-000210-FW-000133 | Medium | The firewall implementation must protect the confidentiality of transmitted information. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
| SRG-NET-000232-FW-000145 | Medium | The firewall implementation must generate a unique session identifier for each session. | Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.... |
| SRG-NET-000037-FW-000032 | Medium | The firewall implementation must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected. | Incident related information can be obtained from a variety of sources including network monitoring. To reduce or eliminate the risk to the network, the firewall implementation must be configured... |
| SRG-NET-000189-FW-000115 | Medium | The firewall implementation must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The firewall implementation must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to... |
| SRG-NET-000030-FW-000026 | Medium | All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms. | Allowing traffic to bypass the security checkpoints, such as the firewall and intrusion detection systems, puts the network infrastructure and critical data at risk. Malicious traffic could enter... |
| SRG-NET-000160-FW-000099 | Medium | The firewall implementation must enforce password encryption for storage. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000234-FW-000147 | Medium | The firewall implementation must generate unique session identifiers with organizationally defined randomness requirements. | Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.... |
| SRG-NET-000263-FW-NA | Medium | The network element must analyze outbound traffic at the external boundary of the network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
| SRG-NET-000058-FW-NA | Medium | The network element must allow the change of security attributes by authorized administrators. | The network element must provide authorized individuals the capability to define or change the value of associated security attributes. The content or assigned values of security attributes can... |
| SRG-NET-000167-FW-000103 | Medium | The firewall implementation must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the information system shall not provide any information that would... |
| SRG-NET-000288-FW-000167 | Medium | The firewall implementation must prevent the download of prohibited mobile code. | Decisions regarding the use of mobile code within the firewall are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java,... |
| SRG-NET-000308-FW-000170 | Medium | The firewall implementation must employ FIPS-validated or NSA-approved cryptography to implement digital signatures. | Use of weak or untested certificates undermines the purposes of utilizing encryption to protect data. The most common vulnerabilities with cryptographic modules are those associated with poor... |
| SRG-NET-000029-FW-000025 | Medium | The firewall implementation must enforce dynamic traffic flow control based on policy that allows/disallows information flows based on changing threat conditions or operational environment. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
| SRG-NET-999999-FW-000186 | Medium | The firewall implementation must generate application log records for success or failure of firewall rules as determined by the organization to be relevant to the security of the network infrastructure. | As the firewall rules are applied on each firewall, event log entries are entered into the firewall application log. Firewall event are usually stored on each device and periodically transferred... |
| SRG-NET-000027-FW-NA | Medium | The network element must uniquely authenticate destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
| SRG-NET-000197-FW-NA | Medium | The network element must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets. | To secure the enclave, the site must implement defense-in-depth security. This requires the deployment of various network security elements at strategic locations. The enclave must also be... |
| SRG-NET-000122-FW-000077 | Medium | The firewall implementation must enforce a two-person rule for changes to organizationally defined information system components and system-level information. | Changes to any software components of the firewall can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed... |
| SRG-NET-000228-FW-000141 | Medium | The firewall implementation must implement detection and inspection mechanisms to identify unauthorized mobile code. | Mobile code are programs that can be executed on one or several hosts other than the one they originate from. These programs offer many benefits to the organization; however, decisions regarding... |
| SRG-NET-000133-FW-000082 | Medium | The firewall implementation must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications. | This control requires automated mechanisms (e.g., such as firewall applications, be used to provide protection against unauthorized program execution. Firewall technologies, such as application... |
| SRG-NET-000016-FW-NA | Medium | The network element must enforce dual authorization based on organizational policies and procedures for organizationally defined privileged commands. | Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or network element configuration changes require dual authorization before... |
| SRG-NET-999999-FW-000178 | Medium | The firewall implementation must inspect inbound and outbound DNS traffic for protocol conformance. | Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, and flow control creates a direct connection between the host in the... |
| SRG-NET-000310-FW-000171 | Medium | The firewall implementation must initiate session audits at system start-up. | Without session level auditing, IA and IT professionals do not have the complete picture, in detail, of what is transpiring on their systems. Without the session level auditing capability, it is... |
| SRG-NET-000025-FW-NA | Medium | The network element must uniquely authenticate source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
| SRG-NET-000131-FW-000080 | Medium | The firewall implementation must not have unnecessary services and capabilities enabled. | A compromised firewall introduces risk to the entire network infrastructure. A fundamental step in securing each firewall is to identify and disable services and capabilities that are not needed... |
| SRG-NET-000259-FW-NA | Medium | The network element must notify an organizationally defined list of incident response personnel of suspicious events. | Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been... |
| SRG-NET-999999-FW-000200 | Medium | The firewall implementation must protect application log information from unauthorized read access. | Event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity... |
| SRG-NET-999999-FW-000201 | Medium | The firewall implementation must protect the application log information from unauthorized modification. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system.... |
| SRG-NET-999999-FW-000202 | Medium | The firewall implementation must protect application logs from unauthorized deletion. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system.... |
| SRG-NET-000231-FW-000144 | Medium | The firewall implementation must invalidate session identifiers upon user logout or other session termination. | Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the... |
| SRG-NET-000257-FW-NA | Medium | The network element must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur. | When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism. Near... |
| SRG-NET-000119-FW-000074 | Medium | The firewall implementation must use automated mechanisms to enforce access restrictions. | Changes to the hardware or software components of the firewall can have significant effects on the overall security of the network. Therefore, the firewall implementation must be configured to use... |
| SRG-NET-000287-FW-000166 | Medium | The firewall implementation must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.
| Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able... |
| SRG-NET-000175-FW-NA | Medium | The network element must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption. | Non-local maintenance and diagnostic activities are those activities
conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal... |
| SRG-NET-000153-FW-000092 | Medium | The firewall implementation must enforce minimum password length. | Authorization for access to any firewall requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must... |
| SRG-NET-000031-FW-000027 | Medium | The firewall implementation must enforce organizationally defined limitations on the embedding of data types within other data types. | Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks,... |
| SRG-NET-000022-FW-000021 | Medium | The firewall implementation must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies. | The firewall implementation must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies requires the... |
| SRG-NET-000176-FW-NA | Medium | The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Non-local maintenance and diagnostic activities are those activities
conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal... |
| SRG-NET-000198-FW-000122 | Medium | The firewall implementation must route all management traffic through a dedicated management interface. | Although the firewall is not responsible for routing all network management traffic to the management network, it must route all outgoing communications through the OOBM interface. If management... |
| SRG-NET-000018-FW-000017 | Medium | The firewall implementation must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy. | Information flow control regulates where information is allowed to travel. This control applies to the flow of information within an individual firewall. Internal component communication, such as... |
| SRG-NET-000128-FW-NA | Medium | The network element must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and compromises. Centrally managing configuration changes for the firewall can ensure... |
| SRG-NET-000106-FW-000067 | Medium | The firewall implementation must use cryptographic mechanisms to protect the integrity of audit log information. | Without the use of mechanisms, such as a signed hash using asymmetric cryptography, the integrity of the collected audit data is not fully protected. The application level audit trail log stores... |
| SRG-NET-000286-FW-000165 | Medium | The firewall implementation must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions. | Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This... |
| SRG-NET-999999-FW-000198 | Medium | The firewall implementation must be configured to send an alert to designated personnel in the event the application log fails to function. | Firewall implementation event logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource... |
| SRG-NET-000019-FW-000018 | Medium | The firewall implementation must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. | Information flow controls are mechanisms which regulates where information is allowed to travel between interconnected systems. This control applies to the flow of information between the firewall... |
| SRG-NET-000178-FW-000109 | Medium | The firewall implementation must terminate all sessions when non-local maintenance is completed. | In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated. Thereby, freeing device resources and... |
| SRG-NET-999999-FW-000191 | Medium | The firewall implementation must produce application log records containing sufficient information to establish the source of the event. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured firewall. If... |
| SRG-NET-000156-FW-000095 | Medium | The firewall implementation must enforce password complexity by the number of lower case characters used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that... |
| SRG-NET-000195-FW-000121 | Medium | The firewall implementation must check inbound traffic to ensure the communications are coming from an authorized source and routed to an authorized destination. | Spoofing source addresses occurs when a malicious user outside the network has created packets with a source address belonging to the private address space of the target network. This is done in... |
| SRG-NET-000271-FW-000158 | Medium | The firewall implementation must detect unauthorized changes to software and information. | The firewall implementation must employ integrity verification tools to detect unauthorized changes to software and firmware are used on the firewall. Anomalous behavior and unauthorized changes... |
| SRG-NET-000219-FW-000137 | Medium | The firewall implementation must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | The most common vulnerabilities with cryptographic modules are those associated with poor implementation. Using cryptographic modules complying with applicable federal laws, Executive Orders,... |
| SRG-NET-000224-FW-000139 | Medium | The firewall implementation must protect the integrity and availability of publicly available information and applications. | Public-facing servers enable access to information by clients outside of the enclave. These servers are subject to greater exposure to attacks. It is imperative that the integrity of the data is... |
| SRG-NET-000038-FW-000033 | Medium | The firewall implementation must enforce the organizationally defined maximum number of consecutive invalid login attempts. | The firewall implementation must limit the number of times an account may consecutively fail at login. By limiting the number of failed login attempts, the risk of unauthorized system access by... |
| SRG-NET-000165-FW-NA | Medium | The network element must enforce authorized access to the corresponding private key for PKI-based authentication. | The principle factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an... |
| SRG-NET-000211-FW-000134 | Medium | The firewall implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
| SRG-NET-000214-FW-000136 | Medium | The firewall implementation must establish a trusted communications path between the user and organizationally defined security functions within the information system. | The firewall user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf. To safeguard... |
| SRG-NET-000312-FW-000172 | Medium | The firewall implementation must check the validity of data inputs. | Invalid input occurs when a user, or system acting on behalf of a user, inserts data or characters into an application's data entry fields and the application is unprepared to process that data.... |
| SRG-NET-000313-FW-000173 | Medium | The firewall implementation must only reveal error messages to authorized personnel. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise if the information is available to non authorized personnel.... |
| SRG-NET-000170-FW-000105 | Medium | The firewall implementation must employ automated mechanisms to assist in the tracking of security incidents. | Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. An... |
| SRG-NET-000118-FW-000073 | Medium | The firewall implementation must enforce access restrictions associated with changes to the system components. | Changes to the hardware or software components of the firewall can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
| SRG-NET-000123-FW-000078 | Medium | The firewall implementation must limit privileges to change software resident within software libraries, including privileged programs. | Changes to any software components of the firewall can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed... |
| SRG-NET-000158-FW-000097 | Medium | The firewall implementation must enforce password complexity by the number of special characters used. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000174-FW-000108 | Medium | The firewall implementation must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user. | The firewall implementation must protect non-local maintenance sessions through the use of a strong authenticator which is tightly bound to the user. Non-local maintenance and diagnostic... |
| SRG-NET-000141-FW-000086 | Medium | The firewall implementation must use multifactor authentication for local access to privileged accounts. | Single factor authentication poses unnecessary risk to the information system since most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily... |
| SRG-NET-999999-FW-000182 | Medium | The firewall implementation must reject requests for access or services when the source IP address specifies a loopback address. | A loopback address is used by an Inter-Processor Control (IPC) mechanism that enables the client and server portions of an application running on the same machine to communicate, so address is... |
| SRG-NET-999999-FW-000181 | Medium | The firewall implementation must inspect inbound and outbound HTTP traffic for protocol conformance. | Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, and flow control creates a direct connection between the host in the... |
| SRG-NET-999999-FW-000180 | Medium | The firewall implementation must drop FTP connections containing harmful or malformed traffic. | Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, or flow control creates a direct connection between the host in the... |
| SRG-NET-999999-FW-000187 | Medium | The firewall implementation must prevent log processing failures by rejecting or delaying network traffic generated above configurable traffic volume thresholds as defined by the organization. | If the firewall implementation becomes unable to write events to the application events log, a critical resource needed for event analysis would be lost. One method of exploiting this... |
| SRG-NET-000239-FW-000151 | Medium | The firewall implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest. | This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., firewall rule sets or ACLs) when it is located on a storage device within the... |
| SRG-NET-999999-FW-000184 | Medium | A firewall located behind the premise router must be configured to block all outbound management traffic. | The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between... |
| SRG-NET-000143-FW-000087 | Medium | The firewall implementation must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
| To assure individual accountability and prevent unauthorized access, organizational users (and any processes acting on behalf of users) must be individually identified and authenticated. Sharing... |
| SRG-NET-000152-FW-NA | Medium | The network element must dynamically manage identifiers, attributes, and associated access authorizations. | This control addresses dynamic management of account identifiers. Identifiers identify an individual, group, role, or device. Common device identifiers include, for example, media access control... |
| SRG-NET-000208-FW-000132 | Medium | The firewall implementation must use cryptographic mechanisms to protect the integrity of information while in transit, unless otherwise protected by alternative physical measures. | This control applies to communications across internal and external networks, unless the information is protected by a physical security solution (e.g., PDS or physical access control) while in... |
| SRG-NET-000032-FW-000028 | Medium | The firewall implementation must enforce organizationally defined one-way traffic flows. | The flow of all network traffic must be controlled, so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control regulates where information is... |
| SRG-NET-000172-FW-000106 | Medium | The firewall implementation must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only. | This requirement addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools... |
| SRG-NET-000039-FW-000034 | Medium | The firewall implementation must enforce the organizationally defined time period over which the number of invalid login attempts are counted. | To reduce the risk of successful malicious login attempts, the firewall implementation must define the time period over which the number of failed login attempts (CCI-000044) is counted before... |
| SRG-NET-000146-FW-000089 | Medium | The firewall implementation must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts. | All authentication credentials must be maintained on an authentication server. Messages between the authenticator and the firewall validating user credentials must not be vulnerable to a replay... |
| SRG-NET-000207-FW-000131 | Medium | The firewall implementation must protect the integrity of transmitted information. | Integrity protection mechanisms must be used to facilitate the detection of changes made to transmitted information unless the transmission is otherwise protected by alternative physical measures.... |
| SRG-NET-000229-FW-000142 | Medium | The firewall implementation must take corrective action when unauthorized mobile code is identified. | Mobile code is a program that can be executed on one or several hosts other than the one they originate from. These programs offer many benefits to the organization; however, decisions regarding... |
| SRG-NET-000226-FW-000140 | Medium | The firewall implementation must validate the integrity of security attributes exchanged between information systems. | This control ensures the integrity of security attributes. The firewall implementation must include content inspection and filtering of both the data payload and the metadata (security attributes)... |
| SRG-NET-000059-FW-NA | Medium | The network element must maintain the binding of security attributes to information with sufficient assurance that the information to attribute association can be used as the basis for automated policy actions. | This control addresses the binding of organizationally defined attribute association (marking). These attributes are bound to the files and data stored, processed, or transmitted by the components... |
| SRG-NET-000180-FW-000110 | Medium | The firewall implementation must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, there is the risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
| SRG-NET-000002-FW-000002 | Medium | The firewall implementation must automatically terminate temporary accounts after an organizationally defined time period for each type of account. | Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary... |
| SRG-NET-000121-FW-000076 | Medium | The firewall implementation must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key. | Changes to any software components of the firewall can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates... |
| SRG-NET-000020-FW-000019 | Medium | The firewall implementation must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
| SRG-NET-000194-FW-000120 | Medium | The firewall implementation must limit the use of resources by priority. | Priority protection helps prevent a lower priority process from delaying or interfering with the information system servicing any higher-priority process. If priority protection is not... |
| SRG-NET-000279-FW-000163 | Medium | The firewall implementation must prevent access to organizationally defined security-relevant information except during secure, non-operable system states. | Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce... |
| SRG-NET-000124-FW-000079 | Medium | The firewall implementation must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
| Changes to any software components of the firewall can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals are allowed... |
| SRG-NET-000024-FW-000023 | Medium | The firewall implementation must uniquely identify source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
| SRG-NET-000256-FW-NA | Medium | The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions. | IDS or IPS must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. Monitoring outbound traffic enables the network... |
| SRG-NET-000205-FW-000129 | Medium | The firewall implementation must monitor and control traffic at both the external and internal boundary interfaces. | Monitoring and controlling both inbound and outbound network traffic adds a layer of protection to the enclave. Blocking harmful inbound and outbound traffic can also prevent the network from... |
| SRG-NET-000220-FW-000138 | Medium | The firewall implementation must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing... |
| SRG-NET-000166-FW-NA | Medium | The network element must map the authenticated identity to the user account for PKI-based authentication. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be... |
| SRG-NET-000233-FW-000146 | Medium | The firewall implementation must allow only system generated session identifiers. | Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers,... |
| SRG-NET-000249-FW-000153 | Medium | The firewall implementation must be configured to perform organizationally defined actions in response to malicious code detection. | Organizations may determine that in response to malicious code detection, different actions may be warranted for different situations. For example, the firewall may send different alerts, block... |
| SRG-NET-000268-FW-000155 | Medium | The firewall implementation must respond to security function anomalies in accordance with organizationally defined responses and alternative actions. | Verification of security functionality is necessary to ensure the system's defenses are enabled. These anomalies are detected by running self-tests on each component in the firewall. For those... |
| SRG-NET-000289-FW-NA | Medium | The network element must prevent the execution of prohibited mobile code. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
| SRG-NET-000061-FW-000043 | Medium | The firewall implementation must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote access services enable users outside (external firewall interface) of the enclave to have access to data and services within the private network. In many instances these connections... |
| SRG-NET-000149-FW-NA | Low | The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices. | This requirement addresses device to device authentication during remote network management sessions used to manage the firewall. A remote connection is any connection with a device communicating... |
| SRG-NET-000278-FW-NA | Low | The network element must display security attributes in human readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions. | When applications generate or output data, the associated security attributes need to be displayed. Security attributes are abstractions representing the basic properties or characteristics of an... |
| SRG-NET-000247-FW-NA | Low | The network element must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
| SRG-NET-000303-FW-NA | Low | The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers... |
| SRG-NET-000252-FW-NA | Low | The network element must prevent non-privileged users from circumventing malicious code protection capabilities. | It is critical the protection mechanisms used to detect and contain malicious code are not accessed by unauthorized individuals.
This control pertains to anti-virus products which are out of scope. |
| SRG-NET-000006-FW-000006 | Low | The firewall implementation must notify the appropriate individuals when accounts are created. | Because the accounts used to access the firewall components are privileged or system level accounts, account management is vital to the security of the system. In order to detect and respond to... |
| SRG-NET-000212-FW-NA | Low | The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
| SRG-NET-000100-FW-000066 | Low | The firewall implementation must protect audit logs from unauthorized deletion. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system.... |
| SRG-NET-000282-FW-NA | Low | The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains. | Information must be decomposed into policy-relevant subcomponents, so the applicable policies and filters can be applied when information is being transferred between different security domains.... |
| SRG-NET-000245-FW-NA | Low | The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
| SRG-NET-000281-FW-NA | Low | The network element must identify information flows by data type specification and usage when transferring information between different security domains. | Traffic flows must be identified by types and traffic rates when information is being transferred between different security domains.
Data transfer requirements are not a firewall function. This... |
| SRG-NET-000078-FW-000055 | Low | The firewall implementation must produce audit log records containing sufficient information to determine if the event was a success or failure. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
| SRG-NET-000096-FW-000062 | Low | The firewall implementation must use internal system clocks to generate timestamps for audit records. | In order to determine what is happening within the network infrastructure or to resolve and trace an attack, the firewall implementation must support the organization's capability to correlate the... |
| SRG-NET-000003-FW-000003 | Low | The firewall implementation must automatically terminate emergency accounts after an organizationally defined time period. | Emergency accounts are established in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization... |
| SRG-NET-000237-FW-NA | Low | The network element must include components that proactively seek to identify web based malicious code.
| A honey pot simulates multiple platforms and services used to attract and contain attackers. To the attacker, it appears to be part of a production network providing services. A honey pot can be... |
| SRG-NET-000090-FW-NA | Low | The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000138-FW-NA | Low | The network element must enforce the identification and authentication of all organizational users. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
| SRG-NET-000093-FW-NA | Low | Audit log reduction must be enabled on the network element. | Log reduction is the capability of a system to consolidate, archive, and compress audit logs. This process saves space when saving these logs over a long time period. Log entries must not be... |
| SRG-NET-000255-FW-NA | Low | The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols. | IDS or IPS must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic... |
| SRG-NET-000241-FW-NA | Low | The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points.
Protecting the integrity of... |
| SRG-NET-000094-FW-NA | Low | The network element must provide a report generation capability for the audit log. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000102-FW-NA | Low | The network element must protect audit tools from unauthorized modification. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the firewall becomes unable to write events to the audit log, this is... |
| SRG-NET-000290-FW-NA | Low | The network element must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code. | Decisions regarding the employment of mobile code within the network element are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
| SRG-NET-000262-FW-NA | Low | The network element must ensure all encrypted traffic is visible to network monitoring tools. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
| SRG-NET-000041-FW-000036 | Low | The firewall implementation must display an approved system use notification message (or banner) before granting access to the system. | All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear... |
| SRG-NET-000157-FW-000096 | Low | The firewall implementation must enforce password complexity by the number of numeric characters used. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000110-FW-NA | Low | The network element must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within an organizationally defined level of tolerance for the relationship between timestamps of individual records in the audit trail. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event... |
| SRG-NET-999999-FW-000190 | Low | The firewall implementation must produce application log records containing sufficient information to establish where the events occurred. | Logging network location information for each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly... |
| SRG-NET-000009-FW-000009 | Low | The firewall implementation must automatically audit account disabling actions. | Account management, as a whole, ensures access to the firewall is being controlled in a secured manner by granting access to only authorized personnel. Auditing account disabling actions will... |
| SRG-NET-000087-FW-NA | Low | The network element must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000008-FW-000008 | Low | The firewall implementation must notify the organizationally identified individuals when accounts are modified. | Because the accounts used to access the firewall components are privileged or system level accounts, account management is vital to the security of the system. In order to respond to events... |
| SRG-NET-000171-FW-NA | Low | The network element must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists. | It is critical that when a network device is at risk of failing to process audit logs as required, action is taken to mitigate the failure. If the device were to continue processing without... |
| SRG-NET-000084-FW-NA | Low | The network element must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity. | The central audit server configuration must include an allocation of space sufficient for the network element audit trail log. The audit server must generate an alert when the capacity reaches an... |
| SRG-NET-000113-FW-000070 | Low | The firewall implementation must provide audit record generation capability for organizationally defined auditable events occurring within the firewall. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was... |
| SRG-NET-000088-FW-000060 | Low | The firewall implementation must be configured to send an alert to designated personnel in the event of an audit processing failure. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the firewall becomes unable to write events to the audit log, this is... |
| SRG-NET-000196-FW-NA | Low | The network element must implement host based boundary protection mechanisms. | A host-based boundary protection mechanism is a host based firewall. Host based boundary protection mechanisms are employed on devices to protect the asset where the data resides and to inspect... |
| SRG-NET-000083-FW-NA | Low | The network element logging function must be configured to reduce the likelihood of audit log record capacity being exceeded. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network... |
| SRG-NET-000011-FW-000011 | Low | The firewall implementation must automatically audit account termination. | Account management, as a whole, ensures access to the firewall is being controlled in a secured manner by granting access to only authorized personnel. Auditing account termination will support... |
| SRG-NET-000242-FW-NA | Low | The network element must be configured to automatically check for security updates to the application software on an organizationally defined frequency. | Security relevant software updates must be installed promptly and updated in order to mitigate the exploitation of known vulnerabilities. Flaws discovered during security assessments, continuous... |
| SRG-NET-000095-FW-NA | Low | The network element must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000285-FW-NA | Low | The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
| SRG-NET-000001-FW-000001 | Low | The firewall implementation must provide automated support for account management functions. | Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or... |
| SRG-NET-000105-FW-NA | Low | The network element must backup system level audit event log records on an organizationally defined frequency onto a different system or media. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity... |
| SRG-NET-000140-FW-NA | Low | The network element must use multifactor authentication for network access to non-privileged accounts. | Single factor authentication poses unnecessary risk to the information system since most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily... |
| SRG-NET-000221-FW-NA | Low | The network element must employ NSA-approved cryptography to protect classified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| SRG-NET-000236-FW-000149 | Low | The firewall implementation must preserve organizationally defined system state information in the event of a system failure. | Failure to a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,... |
| SRG-NET-000056-FW-NA | Low | The network element must support and maintain the binding of organizationally defined security attributes to information in transmission. | This control requires the support and maintenance of organizationally defined attribute association (marking). These attributes are bound to the information in process on the components of the... |
| SRG-NET-000081-FW-000058 | Low | The firewall implementation must transmit audit events to the organization's central audit log server. | The organization must centrally manage the content of audit records generated by the firewall. Centrally managing audit data captured by the central firewall provides for easier management of... |
| SRG-NET-000091-FW-NA | Low | The network element must centralize the review and analysis of audit records from multiple network elements within the network. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000243-FW-NA | Low | The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components. | It is imperative that the organization promptly install security relevant software updates from an authorized patch management server to mitigate the risk of new vulnerabilities. Flaws discovered... |
| SRG-NET-000050-FW-NA | Low | The network element must notify the user of the number of successful login attempts occurring during an organizationally defined time period. | Users must be aware of access activity regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any... |
| SRG-NET-000049-FW-000040 | Low | Upon successful login, the firewall implementation must notify the user of the number of unsuccessful login attempts since the last successful login. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
| SRG-NET-000218-FW-NA | Low | The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. | The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected, keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a... |
| SRG-NET-000073-FW-NA | Low | The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services.
Examples of... |
| SRG-NET-999999-FW-000177 | Low | The firewall implementation must implement NAT to ensure endpoint internal IPv4 addresses are not visible to external untrusted networks. | Network Address Translation (NAT) works well with the implementation of RFC 1918 addressing scheme. It also has the privacy benefit of hiding real internal addresses. An attacker can learn more... |
| SRG-NET-000254-FW-NA | Low | The network element must not allow users to introduce removable media into the information system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
| SRG-NET-000066-FW-000048 | Low | The firewall implementation must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information. | Remote access services enable users outside of the enclave (external interface) to have access to data and services within the private network. In many instances these connections traverse the... |
| SRG-NET-000085-FW-000059 | Low | The firewall implementation must provide a real-time alert when organizationally defined audit failure events occur. | Auditing and logging are key components of any security architecture. System administrators need to be notified as soon as possible of possible events which may have adverse security implications.... |
| SRG-NET-000142-FW-NA | Low | The network element must use multifactor authentication for local access to non-privileged accounts. | Single factor authentication poses unnecessary risk on the information system since most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily... |
| SRG-NET-000079-FW-000056 | Low | The firewall implementation must capture and log sufficient information to establish the identity of user accounts associated with the audit event. | Log record content that may be necessary to satisfy this requirement includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications,... |
| SRG-NET-000183-FW-NA | Low | The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users. | Information system management-related functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user... |
| SRG-NET-000112-FW-NA | Low | The network element must produce a system-wide audit trail composed of log records in a standardized format. | Centrally logging the firewall information provides a central location to store, view, analyze, and produce detailed reports on alerts. Auditing of account use and user actions is a critical part... |
| SRG-NET-000004-FW-000004 | Low | The firewall implementation must automatically disable inactive accounts after an organizationally defined time period of inactivity. | Since the accounts in the firewall are privileged or system level accounts, account management is vital to the security of the firewall. Inactive accounts could be reactivated or compromised by... |
| SRG-NET-000092-FW-NA | Low | The network element must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000080-FW-000057 | Low | The firewall implementation must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events. | Audit record content that may be necessary to satisfy this requirement includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail... |
| SRG-NET-000309-FW-NA | Low | The network element must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces. | Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating... |
| SRG-NET-000005-FW-000005 | Low | The firewall implementation must automatically audit the creation of accounts. | Upon gaining access to a system, an attacker will often first attempt to create a persistent method of re-establishing access. One way to accomplish this is to create a new account. Notification... |
| SRG-NET-000053-FW-000042 | Low | The firewall implementation must limit the number of concurrent sessions for each account to an organizationally defined number. | This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. In many products, this value... |
| SRG-NET-999999-FW-000203 | Low | The firewall implementation must backup application log records at an organizationally defined frequency onto a different system or media. | Firewall application event logging is a key component of any security architecture. An attack may cause corruption or delete the active events log. Maintaining a backup of the logs will minimize... |
| SRG-NET-000202-FW-000126 | Low | The firewall implementation must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter. | All inbound and outbound traffic must be denied by default. The firewall and perimeter routers must only allow traffic that is explicitly permitted. Similarly, allowing unknown or undesirable... |
| SRG-NET-000054-FW-NA | Low | The network element implementation must support and maintain the binding of organizationally defined security attributes to information in storage. | This control requires the support and maintenance of organizationally defined attribute association (marking). These attributes are bound to the files and data stored on the components of the... |
| SRG-NET-000305-FW-NA | Low | The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation. | A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
| SRG-NET-000304-FW-NA | Low | The network element that collectively provides name/address resolution service for an organization must be fault-tolerant. | A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
| SRG-NET-000115-FW-000072 | Low | The firewall implementation must generate audit log events for a locally developed list of auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; recognize resource utilization or capacity... |
| SRG-NET-000284-FW-NA | Low | The network element must detect unsanctioned information when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled, so... |
| SRG-NET-000043-FW-000038 | Low | The firewall implementation must display a DoD-approved system use notification message or banner before granting access to the device. | All network devices must present a DoD-approved warning banner before granting access to the device. The banner shall be formatted in accordance with the DoD policy "Use of DoD Information Systems... |
| SRG-NET-000147-FW-NA | Low | The network element must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | Authorization for access to any network element requires an approved and assigned individual account identifier. The authenticator must be a separate device than the target device for which the... |
| SRG-NET-000052-FW-NA | Low | The network element must notify the user of organizationally defined security related changes to the user's account occurring during the organizationally defined time period. | Providing users with information regarding organizationally defined security related changes to the user's account occurring during the organizationally defined time period, allows the user to... |
| SRG-NET-000145-FW-NA | Low | The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the firewall being accessed. | Single factor authentication poses unnecessary risk to the information system since most single factor authentication methods use only a userid and password. Passwords are, in most cases, easily... |
| SRG-NET-000082-FW-NA | Low | The network element must allocate audit record storage capacity. | The network element must allocate storage capacity to contain audit log records. Log records are critical because if space is not available the firewall may malfunction. The site would lose... |
| SRG-NET-000179-FW-NA | Low | The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media, there is the risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media... |
| SRG-NET-999999-FW-000195 | Low | The firewall implementation must allocate firewall application log record storage capacity. | The firewall implementation must allocate enough storage capacity to contain log records. If the log storage capacity is exceeded, the firewall may malfunction or shutdown. The site would lose... |
| SRG-NET-000048-FW-000039 | Low | Upon successful login, the firewall implementation must notify the user of the date and time of the last login. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
| SRG-NET-000099-FW-000065 | Low | The firewall implementation must protect audit log information from unauthorized modification. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured system.... |
| SRG-NET-000159-FW-000098 | Low | The firewall implementation must enforce the number of characters changed when passwords are changed. | To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organizationally defined... |
| SRG-NET-000055-FW-NA | Low | The network element must support and maintain the binding of organizationally defined security attributes to information in process. | This control requires the support and maintenance of organizationally defined attribute association (marking). These attributes are bound to the information in process on the components of the... |
| SRG-NET-000089-FW-000061 | Low | The firewall implementation must be capable of taking organizationally defined actions upon audit failure. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the firewall becomes unable to write events to the audit log, this is... |
| SRG-NET-000137-FW-000084 | Low | The firewall implementation must support organizational requirements to conduct backups of information system documentation, including security-related documentation, per an organizationally defined frequency that is consistent with recovery time and recovery point objectives. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system... |
| SRG-NET-000306-FW-000168 | Low | The firewall implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Access control policies (e.g., identity-based policies, role-based policies) and access enforcement mechanisms (e.g., access control lists, policy maps, and cryptography) are used to control... |
| SRG-NET-000126-FW-NA | Low | The network element must employ automated mechanisms to centrally apply configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for the firewall... |
| SRG-NET-000036-FW-000031 | Low | The firewall implementation must provide finer-grained allocation of account privileges through the use of separate processing domains. | This control applies the concept of least privilege to information system processes. Processes must operate at privilege levels no higher than necessary to accomplish the required function or... |
| SRG-NET-000012-FW-000012 | Low | The firewall implementation must notify the organizationally identified individuals for account termination. | Account management by a designated authority ensures access to the firewall is being controlled by granting access only to authorized personnel with the necessary privileges. Automatic... |
| SRG-NET-000222-FW-NA | Low | The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| SRG-NET-000010-FW-000010 | Low | The firewall implementation must notify the organizationally identified individuals when the account has been disabled. | Account management by a designated authority ensures access to the firewall is controlled in a secured manner by granting access to only authorized personnel with the necessary privileges.... |
| SRG-NET-999999-FW-000192 | Low | The firewall implementation must produce application log records containing sufficient information to determine if the event was a success or failure. | Denied traffic must be logged. There may also be some instances where a packet that was permitted or other successful event (i.e., logon) should be logged to establish and correlate the series of... |
| SRG-NET-999999-FW-000193 | Low | The firewall implementation must capture and log sufficient information to establish the identity of any user accounts associated with the firewall application event. | Log records content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions,... |
| SRG-NET-999999-FW-000194 | Low | The firewall implementation must capture and log organizationally defined additional information (identified by type, location, or subject) to the records for firewall application events. | Firewall application logs must be configured to capture all organizationally defined information deemed necessary for possible event investigation and traceability. This additional information may... |
| SRG-NET-000230-FW-000143 | Low | The firewall implementation must provide mechanisms to protect the authenticity of communications sessions. | This requirement addresses communications protection at the session, versus
packet level (e.g., sessions in service-oriented architectures providing web-based services). Maintaining the... |
| SRG-NET-999999-FW-000196 | Low | The firewall implementation application event logging function must reduce the likelihood of log record capacity being exceeded. | Event logging is a key function of the firewall implementation. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity... |
| SRG-NET-999999-FW-000197 | Low | The firewall implementation must provide a warning when the application event logging storage capacity reaches an organizationally defined maximum capacity. | It is imperative the firewall implementation be configured to allocate storage capacity to contain event log records and an alert be generated when the capacity reaches an organizationally defined... |
| SRG-NET-000248-FW-NA | Low | The network element must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
| SRG-NET-000148-FW-000090 | Low | The firewall implementation must authenticate an organizationally defined list of specific devices by device type before establishing a connection. | A firewall implementation must have a level of trust with any node wanting to connect to it. Device authentication prevents an authorized user from connecting to perform privileged functions using... |
| SRG-NET-000215-FW-NA | Low | The network element must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes. | The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected, keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a... |
| SRG-NET-000098-FW-000064 | Low | The firewall implementation must protect audit log information from unauthorized read access. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the firewall becomes unable to write events to the audit log, this is... |
| SRG-NET-000270-FW-000157 | Low | The firewall implementation must provide automated support for the management of distributed security testing. | The need to verify security functionality is necessary to ensure the firewall's defense is enabled. To scale the deployment of the verification process, the firewall implementation must provide... |
| SRG-NET-000173-FW-000107 | Low | The firewall implementation must log non-local maintenance and diagnostic sessions. | This requirement pertains to the use of privileged access when establishing a diagnostic session connecting non-locally (i.e., from the network or using an auxiliary port) to perform session on... |
| SRG-NET-000114-FW-000071 | Low | The firewall implementation must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system. | Logging the actions of specific events provides a way to investigate an attack, recognize resource utilization or capacity thresholds, or to identify an improperly configured network element. If... |
| SRG-NET-000307-FW-000169 | Low | The firewall implementation must enforce a DAC policy that includes or excludes access to the granularity of a single user. | Access control policies (e.g., identity-based policies and role-based policies) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by... |
| SRG-NET-000007-FW-000007 | Low | The firewall implementation must automatically audit account modification. | Since the accounts in the firewall are privileged or system level accounts, account management is vital to the security of the firewall. Account management by a designated authority ensures access... |
| SRG-NET-000235-FW-000148 | Low | The firewall implementation must fail to an organizationally defined known state for organizationally defined types of failures. | Failure to a known state can address safety or security in accordance with the mission needs of the organization. Failure to a state that is known to be secure helps prevent the loss of... |
| SRG-NET-000302-FW-NA | Low | The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers... |
| SRG-NET-000301-FW-NA | Low | The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers... |
| SRG-NET-000209-FW-NA | Low | The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission. | This control applies to communications across internal and external networks. The network element must employ cryptographic mechanisms to recognize changes to information while preparing... |
| SRG-NET-000017-FW-000016 | Low | The firewall implementation must implement organizationally defined nondiscretionary access control policies over organizationally defined users and resources. | When nondiscretionary access control mechanisms are implemented, security labels are assigned to securable objects and users are granted access to the objects only if their level of access matches... |
| SRG-NET-000076-FW-000053 | Low | The firewall implementation must produce audit log records containing sufficient information to establish where the events occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
| SRG-NET-000283-FW-NA | Low | The network element must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains. | It is imperative that when information is being moved from one security domain to another, policy filters be applied to the data to enforce the organization's security policy requirements.
Data... |
| SRG-NET-000101-FW-NA | Low | The network element must protect audit tools from unauthorized access.
| Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network... |
| SRG-NET-000034-FW-000030 | Low | The firewall implementation must implement separation of duties through assigned information system access authorizations.
| Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. An example of separation of duties within the firewall... |
| SRG-NET-000217-FW-NA | Low | The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. | The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key... |
| SRG-NET-000135-FW-NA | Low | The network element must support organizational requirements to conduct backups of user level information contained in the device per organizationally defined frequency that is consistent with recovery time and recovery point objectives. | User information contained on a network element is associated to the user's account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures... |
| SRG-NET-999999-FW-000188 | Low | The firewall implementation must produce application event log records that contain sufficient information to establish what type of event occurred. | Associating event types with detected events in the firewall application logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying... |
| SRG-NET-000300-FW-NA | Low | The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution. | This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the... |
| SRG-NET-000206-FW-0000130 | Low | The firewall implementation must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture. | The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the... |
| SRG-NET-999999-FW-000185 | Low | The firewall implementation must be configured to log any attempt to a port, protocol, or service that is denied. | Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, attempted to be done, and by whom in order to compile an accurate... |
| SRG-NET-000075-FW-000052 | Low | The firewall implementation must produce audit log records containing sufficient information to establish when the events occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
| SRG-NET-000277-FW-000162 | Low | The firewall implementation must disable network access by unauthorized devices and must log the information as a security violation. | Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote... |
| SRG-NET-000155-FW-000094 | Low | The firewall implementation must enforce password complexity by the number of upper case characters used. | Authorization for access to any firewall requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must... |
| SRG-NET-000097-FW-000063 | Low | The firewall implementation must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source. | The various components within the network infrastructure providing the log records must have their clocks synchronized using a common time reference, so the events can be correlated in exact order... |
| SRG-NET-000104-FW-NA | Low | The network element must produce audit records on hardware-enforced write-once media. | It is imperative the collected log data from the various the network element is secured and stored on write-once media for safekeeping.
This is not applicable to the firewall. Firewall logs are... |
| SRG-NET-999999-FW-000189 | Low | The firewall implementation must produce application event log records containing sufficient information to establish when the events occurred. | Logging the date and time of each detected event provides a means to investigate an attack; recognize resource utilization or capacity thresholds; or identify an improperly configured firewall. In... |
| SRG-NET-999999-FW-000199 | Low | The firewall implementation must be configured to stop generating application log records or overwrite the oldest log records when a log failure occurs. | Firewall implementation logging is a key component of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or... |
| SRG-NET-000051-FW-000041 | Low | The firewall implementation must notify the user of the number of unsuccessful login attempts occurring during an organizationally defined time period. | Providing users with information regarding the number of unsuccessful login attempts to the local device that have occurred over an organizationally defined time period. Without this information,... |
| SRG-NET-000042-FW-000037 | Low | The firewall implementation must display the notification message on the screen until the administrator takes explicit action to acknowledge the message. | All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should be acknowledged by the user prior to allowing the user access to the... |
| SRG-NET-000182-FW-NA | Low | The network element must separate user functionality (including user interface services) from information system management functionality. | The firewall implementation must prevent the presentation of information system management functionality at an interface for general (i.e., non-privileged) users. The intent of this control... |
| SRG-NET-000136-FW-000083 | Low | The firewall implementation must support organizational requirements to conduct backups of system level information contained in the information system per organizationally defined frequency. | System level information includes default and customized settings and security attributes, as well as software required for the execution and operation of the device. Information system backup is... |
| SRG-NET-000074-FW-000051 | Low | The firewall implementation must produce audit log records that contain sufficient information to establish what type of event occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
| SRG-NET-000274-FW-000161 | Low | The firewall implementation must activate an organizationally defined alarm when a system component failure is detected. | Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining the system's security fail to function, the system could continue... |
| SRG-NET-000238-FW-000150 | Low | The firewall implementation must protect the confidentiality and integrity of system information at rest. | This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., firewall rule sets or ACLs) when it is located on a storage device within the... |
| SRG-NET-000108-FW-000069 | Low | The firewall must protect against an individual falsely denying having performed a particular action. | This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes... |
| SRG-NET-000013-FW-000013 | Low | The firewall implementation must monitor for unusual usage of accounts. | Atypical account usage is behavior that is not part of normal usage cycles (e.g., large amounts of user account activity occurring after hours or on weekends). A comprehensive account management... |
| SRG-NET-000077-FW-000054 | Low | The firewall implementation must produce audit log records containing sufficient information to establish the source of the event. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
| SRG-NET-000216-FW-NA | Low | The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. | The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key... |
| SRG-NET-000107-FW-000068 | Low | The firewall implementation must use cryptography to protect the integrity of audit tools. | Audit tools provide services, such as audit reduction, reporting, and analysis. Without mechanisms, such as a signed hash using asymmetric cryptography, the integrity of these audit tools used for... |
| SRG-NET-000086-FW-NA | Low | The network element must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
| SRG-NET-000169-FW-NA | Low | The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. | Non-organizational users will be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use... |
