The firewall implementation must isolate security functions used to enforce access and information flow control from both non-security functions and from other security functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000186-FW-000113	SRG-NET-000186-FW-000113	SRG-NET-000186-FW-000113_rule		Medium

Description
The firewall implementation must be designed and configured to isolate security functions enforcing access and information flow control. Isolation must separate processes that perform security functions from those performing non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide access control and integrity protection of the hardware, software, and firmware of the firewall. The firewall application must maintain a separate execution domain (e.g., use of separate address space) for each executing process to minimize the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, there may be settings in some firewall applications that must be configured to optimize function isolation.

Description

The firewall implementation must be designed and configured to isolate security functions enforcing access and information flow control. Isolation must separate processes that perform security functions from those performing non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide access control and integrity protection of the hardware, software, and firmware of the firewall. The firewall application must maintain a separate execution domain (e.g., use of separate address space) for each executing process to minimize the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, there may be settings in some firewall applications that must be configured to optimize function isolation.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000186-FW-000113_chk )
Verify an isolation boundary (e.g., use of separate address space) is used for each executing process. If security functions used to enforce access and information flow control are not isolated from both non-security functions and other security functions, this is a finding.

Fix Text (F-SRG-NET-000186-FW-000113_fix)
Enable settings that isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.