
The firewall implementation must enforce dynamic traffic flow control based on policy that allows/disallows information flows based on changing threat conditions or operational environment.


Overview

Finding ID: SRG-NET-000029-FW-000025
Version: SRG-NET-000029-FW-000025
Rule ID: SRG-NET-000029-FW-000025_rule
IA Controls: (none listed)
Severity: Medium
Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so that it does not introduce unacceptable risk to the network infrastructure or data. Firewall ACLs or policy filters that allow or disallow traffic based on traffic type (protocol, port, direction) or traffic rate are one example of enforcing this requirement. Changes to those ACLs or policy filters may be triggered by changes in organizational risk tolerance arising from the operational environment, mission needs, threat conditions, or the detection of potentially harmful events.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-000029-FW-000025_chk )
Verify that changes in traffic flow controls are added to, or updated in, the firewall zones, ACLs, or policy.
When such changes are made, they must take effect immediately: the firewall should begin applying the new ACL or security policy to subsequent traffic without a restart or other delay.

If the firewall is not configured to enforce restrictions on traffic flow based on both the type of traffic and the level (rate) of traffic, this is a finding. If the policy cannot be adjusted in response to changing threat conditions or the operational environment, this is a finding.
Fix Text (F-SRG-NET-000029-FW-000025_fix)
Create and implement firewall ACLs or policy filters to dynamically enforce information flow control policy. ACLs or policy filters must dynamically adjust flow based on changes to the operational environment or threat conditions.