Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
SRG-NET-000029-FW-000025 | SRG-NET-000029-FW-000025 | SRG-NET-000029-FW-000025_rule | | Medium
Description
---
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so that it does not introduce any unacceptable risk to the network infrastructure or data. Firewall ACLs or policy filters that allow or deny traffic based on traffic type or rate are one example of enforcing this requirement. ACLs or policy filters may be triggered by changes in organizational risk tolerance based on the operational environment, mission needs, threat conditions, or detection of potentially harmful events.
STIG | Date
---|---
Firewall Security Requirements Guide | 2012-12-10
Check Text (C-SRG-NET-000029-FW-000025_chk)
---
Verify that changes in traffic flow controls are added to or updated in the firewall zones, ACLs, or policy. When changes are made, they must take effect immediately, and the firewall should begin applying the new ACL or security policy. If the firewall is not configured to enforce restrictions on traffic flow based on traffic types and levels, this is a finding. If the policy is not based on changing threat conditions or the operational environment, this is a finding.
Fix Text (F-SRG-NET-000029-FW-000025_fix)
---
Create and implement firewall ACLs or policy filters to dynamically enforce information flow control policy. ACLs or policy filters must dynamically adjust flow based on changes to the operational environment or threat conditions.