
All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.


Overview

Finding ID: SRG-NET-000030-FW-000026
Version: SRG-NET-000030-FW-000026
Rule ID: SRG-NET-000030-FW-000026_rule
IA Controls: (none listed)
Severity: Medium
Description
Allowing traffic to bypass the security checkpoints, such as the firewall and intrusion detection systems, puts the network infrastructure and critical data at risk. Malicious traffic could enter the network undetected and attack a key firewall or the server farm. Hence, it is imperative that all encrypted traffic entering the network is decrypted before it reaches the content inspection devices. With the exception of remote-access or enclave site-to-site tunnels whose termination point is a VPN gateway residing in the DMZ, encrypted traffic must not traverse the firewall.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-000030-FW-000026_chk )
Review the firewall configuration to verify that all encrypted traffic is either disallowed or forwarded to an authorized decryption device (e.g., a VPN gateway).

If all encrypted traffic is not decrypted prior to passing through the firewall's content inspection and filtering mechanisms, this is a finding.
Fix Text (F-SRG-NET-000030-FW-000026_fix)
Configure the firewall implementation to perform one of the following actions in accordance with organizationally defined requirements: reject encrypted traffic; forward to a properly configured VPN device; or install and configure a decryption mechanism.
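An added audit helper in Python, not part of the STIG or of any vendor tool, that applies the check above to iptables-save style rules: it flags FORWARD rules that ACCEPT TLS, IKE or IPsec traffic toward any destination other than the assumed authorized VPN gateway (192.0.2.10); the rule lines, addresses and the set of ports treated as "encrypted" are constructed for illustration.

```python
# Audit iptables-save style FORWARD rules for encrypted traffic ACCEPTed without
# going to an authorized decryption device. Added example, not part of the STIG.
import ipaddress
import shlex

# Treated as "encrypted traffic" here (assumption): TLS, IKE, IKE NAT-T, ESP, AH.
ENCRYPTED_L4 = {("tcp", "443"), ("udp", "500"), ("udp", "4500")}
ENCRYPTED_IP_PROTOS = {"esp", "ah"}
# Constructed: the VPN gateway in the DMZ permitted to terminate tunnels.
AUTHORIZED_DECRYPTORS = [ipaddress.ip_network("192.0.2.10/32")]

def parse_rule(line):
    """Pull chain, protocol, dport, destination and target out of one rule line."""
    toks = shlex.split(line)
    keys = {"-A": "chain", "-p": "proto", "--dport": "dport", "-d": "dst", "-j": "target"}
    rule = dict.fromkeys(keys.values())
    for i, tok in enumerate(toks[:-1]):
        if tok in keys:
            rule[keys[tok]] = toks[i + 1].lower()
    return rule

def destination_authorized(dst):
    """True only if every host the rule can reach is an authorized decryptor."""
    if dst is None:  # no -d means any destination, so not authorized
        return False
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.subnet_of(a) for a in AUTHORIZED_DECRYPTORS)

def find_findings(policy_lines):
    """Return FORWARD rules that accept encrypted traffic to an unauthorized host."""
    findings = []
    for line in policy_lines:
        r = parse_rule(line)
        if r["chain"] != "forward" or r["target"] != "accept":
            continue
        encrypted = ((r["proto"], r["dport"]) in ENCRYPTED_L4
                     or r["proto"] in ENCRYPTED_IP_PROTOS)
        if encrypted and not destination_authorized(r["dst"]):
            findings.append(line)
    return findings

# Constructed sample: two rules steer tunnels to the gateway, one drops TLS at
# the edge, and the last two let encrypted traffic through uninspected.
SAMPLE_POLICY = [
    "-A FORWARD -d 192.0.2.10/32 -p udp -m udp --dport 500 -j ACCEPT",
    "-A FORWARD -d 192.0.2.10/32 -p esp -j ACCEPT",
    "-A FORWARD -p tcp -m tcp --dport 443 -j DROP",
    "-A FORWARD -d 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT",
    "-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT",
]
```

Running `find_findings(SAMPLE_POLICY)` returns only the last two rules; the first two comply by forwarding to the gateway and the DROP rule satisfies the "reject encrypted traffic" option of the fix text.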