The firewall implementation must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000189-FW-000115	SRG-NET-000189-FW-000115	SRG-NET-000189-FW-000115_rule		Medium

Description
The firewall implementation must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.

Description

The firewall implementation must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000189-FW-000115_chk )
Review the vendor documentation configuration settings to determine if the firewall application is designed to separate security functions from non-security functions (e.g., use of separate address space). Verify security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. If the firewall application does not implement security functions as a layered structure minimizing interactions between layers of the design, this is a finding.

Check Text ( C-SRG-NET-000189-FW-000115_chk )

Review the vendor documentation configuration settings to determine if the firewall application is designed to separate security functions from non-security functions (e.g., use of separate address space).
Verify security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

If the firewall application does not implement security functions as a layered structure minimizing interactions between layers of the design, this is a finding.

Fix Text (F-SRG-NET-000189-FW-000115_fix)
Enable settings that implement security functions as a layered structure minimizing interactions between layers of the design.