The firewall implementation must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.


Overview

Finding ID: SRG-NET-000022-FW-000021
Version: SRG-NET-000022-FW-000021
Rule ID: SRG-NET-000022-FW-000021_rule
IA Controls: (none listed)
Severity: Medium
Description
The firewall implementation must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies requires the highest privilege level. Authorization of user accounts is usually performed by the authentication server; however, on some firewalls this is done on the device itself, regardless of where the account resides. The access control configuration must provide the capability to assign firewall administrators to tiered groups that hold the required privilege levels. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000022-FW-000021_chk)
Verify the firewall provides the system administrators the ability to configure security policy filters (e.g., creating groups with different authorizations and privileges).
Verify the system has the capability to assign security levels to groups and individual users as needed.

If the firewall implementation does not provide the capability to configure security policy filters, this is a finding.
Fix Text (F-SRG-NET-000022-FW-000021_fix)
Create security policy filters by creating security groups or by using pre-existing groups.
Assign privileges to each group based on varying need-for-access.
Assign system administrators as group members to each group based on level of access required.