The firewall implementation must authenticate an organizationally defined list of specific devices by device type before establishing a connection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000148-FW-000090	SRG-NET-000148-FW-000090	SRG-NET-000148-FW-000090_rule		Low

Description
A firewall implementation must have a level of trust with any node wanting to connect to it. Device authentication prevents an authorized user from connecting to perform privileged functions using a device which may contain security issues which may provide a vector for compromising the firewall. Communications to the firewall implementation must be carefully restricted. Today's devices may need to communicate with the firewall, router, SYSLOG server, other firewall, and management clients. This control requires the organization to define these devices specifically and to identify these approved devices by type (e.g., firewall, router, remote PC, etc.). Thus, the authentication decision must take the device type, not just the user's authorization into account when allowing access. For example, a system administrator may be authorized access; however, access must also be from an authorized device.

Description

A firewall implementation must have a level of trust with any node wanting to connect to it. Device authentication prevents an authorized user from connecting to perform privileged functions using a device which may contain security issues which may provide a vector for compromising the firewall. Communications to the firewall implementation must be carefully restricted. Today's devices may need to communicate with the firewall, router, SYSLOG server, other firewall, and management clients. This control requires the organization to define these devices specifically and to identify these approved devices by type (e.g., firewall, router, remote PC, etc.). Thus, the authentication decision must take the device type, not just the user's authorization into account when allowing access. For example, a system administrator may be authorized access; however, access must also be from an authorized device.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000148-FW-000090_chk )
Verify communications to other network elements (e.g., sensors, routers, SYSLOG servers, and forensics servers) are configured to establish authentication using a unique identifier. Verify authentication is based on an organizationally defined list of authorized device types. If devices not included on the organizationally defined list of authorized device types are allowed to connect, this is a finding.

Check Text ( C-SRG-NET-000148-FW-000090_chk )

Verify communications to other network elements (e.g., sensors, routers, SYSLOG servers, and forensics servers) are configured to establish authentication using a unique identifier.
Verify authentication is based on an organizationally defined list of authorized device types.

If devices not included on the organizationally defined list of authorized device types are allowed to connect, this is a finding.

Fix Text (F-SRG-NET-000148-FW-000090_fix)
Configure the firewall implementation to authenticate based on an organizationally defined list of authorized device types.