Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000036-FW-000031 | SRG-NET-000036-FW-000031 | SRG-NET-000036-FW-000031_rule | | Low |
Description |
---|
This control applies the concept of least privilege to information system processes. Processes must operate at privilege levels no higher than necessary to accomplish the required function; otherwise, unauthorized access to security functionality may result. Examples of providing separate processing domains for finer-grained allocation of account privileges include: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains. One method of accomplishing this is firewall administrator roles. Each role is assigned granular access to only the commands needed to perform that role, and the commands for each role are executed in a separate processing domain. Domains are separated using one of the methods discussed above. |
STIG | Date |
---|---|
Firewall Security Requirements Guide | 2012-12-10 |
Check Text ( C-SRG-NET-000036-FW-000031_chk ) |
---|
Verify the firewall implementation provides separate processing domains for finer-grained allocation of account privileges. If the firewall implementation does not provide separate processing domains for finer-grained allocation of account privileges, this is a finding. |
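The following is an added audit helper, not part of the SRG text or any vendor's tooling, that applies the check above to a vendor-neutral description of firewall administrator roles. The dictionary layout (role, domain, commands) and the sample roles are constructed assumptions; it reports a finding when a role has no processing domain, when a role's command access is not granular, or when two roles execute in the same domain.

```python
"""Audit helper for SRG-NET-000036-FW-000031 (constructed example).

Each role names the processing domain (virtual context, VM, or hardware
partition) its commands execute in, plus the commands it may run.
The ROLES layout below is an assumed format, not any vendor's API.
"""
from collections import defaultdict

# Constructed sample: three roles, two processing domains.
ROLES = [
    {"role": "audit-reader", "domain": "ctx-audit",
     "commands": ["show log", "show audit"]},
    {"role": "policy-admin", "domain": "ctx-policy",
     "commands": ["show rule", "set rule", "commit"]},
    # Deliberately non-compliant: wildcard access and a shared domain.
    {"role": "helpdesk", "domain": "ctx-policy", "commands": ["*"]},
]


def check_separate_domains(roles):
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    by_domain = defaultdict(list)
    for r in roles:
        name = r["role"]
        domain = r.get("domain")
        cmds = set(r.get("commands", []))
        if not domain:
            findings.append(f"{name}: no processing domain assigned")
            continue
        # Granular access means an explicit command list, never a wildcard.
        if "*" in cmds or not cmds:
            findings.append(
                f"{name}: access is not granular (commands={sorted(cmds)})")
        by_domain[domain].append(name)
    # The commands for each role must execute in their own domain.
    for domain, members in by_domain.items():
        if len(members) > 1:
            findings.append(
                f"{domain}: shared by more than one role ({', '.join(members)})")
    return findings


def is_finding(roles):
    """True when the implementation does not meet the check (a finding)."""
    return bool(check_separate_domains(roles))


if __name__ == "__main__":
    for f in check_separate_domains(ROLES):
        print("FINDING:", f)
```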
Fix Text (F-SRG-NET-000036-FW-000031_fix) |
---|
Configure the firewall implementation to provide finer-grained allocation of account privileges through the use of separate processing domains. |