The firewall implementation must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000018-FW-000017	SRG-NET-000018-FW-000017	SRG-NET-000018-FW-000017_rule		Medium

Description
Information flow control regulates where information is allowed to travel. This control applies to the flow of information within an individual firewall. Internal component communication, such as between the firewall, router, and IPS, is not included in this control. The firewall implementation must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components, causing corruption or other undesirable conditions. Examples of flow control restrictions include preventing installed applications or functions from accessing security configurations; or preventing unauthorized commands from executing on the firewall. For most network devices, internal information flow control is a product of system design. However, this control can also be mitigated with a policy to control and prevent the installation of unauthorized tools.

Description

Information flow control regulates where information is allowed to travel. This control applies to the flow of information within an individual firewall. Internal component communication, such as between the firewall, router, and IPS, is not included in this control. The firewall implementation must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components, causing corruption or other undesirable conditions. Examples of flow control restrictions include preventing installed applications or functions from accessing security configurations; or preventing unauthorized commands from executing on the firewall. For most network devices, internal information flow control is a product of system design. However, this control can also be mitigated with a policy to control and prevent the installation of unauthorized tools.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000018-FW-000017_chk )
View the documentation for each component. Verify any configuration requirements that are needed to support internal flow control mechanisms are implemented. If the firewall is not configured to enforce internal information flow based on approved authorizations in accordance with applicable policy restrictions, this is a finding.

Fix Text (F-SRG-NET-000018-FW-000017_fix)
Configure the firewall implementation to enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.