The firewall implementation must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000022-FW-000021	SRG-NET-000022-FW-000021	SRG-NET-000022-FW-000021_rule		Medium

Description
The firewall implementation must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies requires the highest privilege level. Authorization of user accounts is usual performed using the authentication server, however, on some firewalls, this is done on the device itself, regardless of where the account resides. The access control configuration must provide the capability to assign firewall administrators to tiered groups containing required privilege levels. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.

Description

The firewall implementation must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies requires the highest privilege level. Authorization of user accounts is usual performed using the authentication server, however, on some firewalls, this is done on the device itself, regardless of where the account resides. The access control configuration must provide the capability to assign firewall administrators to tiered groups containing required privilege levels. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000022-FW-000021_chk )
Verify the firewall provides the system administrators the ability to configure security policy filters (e.g., creating groups with different authorizations and privileges). Verify the system has the capability to assign security levels to groups and individual users as needed. If the firewall implementation does not provide the capability to configure security policy filters, this is a finding.

Fix Text (F-SRG-NET-000022-FW-000021_fix)
Create security policy filters by creating security groups or use pre-existing groups. Assign privileges to each group based on varying need-for-access. Assign system administrators as group members to each group based on level of access required.