The firewall implementation must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000037-FW-000032 | SRG-NET-000037-FW-000032 | SRG-NET-000037-FW-000032_rule | Medium |
| Description |
|---|
| Incident related information can be obtained from a variety of sources including network monitoring. To reduce or eliminate the risk to the network, the firewall implementation must be configured to disable the network or monitored devices when an organizationally defined list of events is detected. Monitored devices may include workstations, hosts, or other devices registered with the firewall. Since the firewall is a major part of the network's protection and defense system, a compromised firewall may allow malicious attacks to bypass the network's controls. For the purpose of this requirement, disabling is not considered the same as blocking or dropping of the traffic to or from the device. Disabling the network or monitored device is one action that may be selected when implementing CCI-001670. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2012-12-10 |
Details
| Check Text ( C-SRG-NET-000037-FW-000032_chk ) |
|---|
| Review the firewall configuration to determine if the system automatically disables the network or any monitored device identified for this action based on an organizationally defined list of security violations. If the firewall is not configured to disable the network or monitored device upon detecting events identified on an organizationally defined list of security events, this is a finding. |
| Fix Text (F-SRG-NET-000037-FW-000032_fix) |
|---|
| Configure the firewall implementation to automatically disable the network or monitored device if any of the organizationally defined lists of security violations are detected. |