
The firewall implementation must route organizationally defined internal communications traffic to organizationally defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.


Overview

Finding ID: SRG-NET-000203-FW-000127
Version: SRG-NET-000203-FW-000127
Rule ID: SRG-NET-000203-FW-000127_rule
IA Controls:
Severity: Medium
Description
The firewall proxy service (proxy server) is designed to hide the identity of the client when making a connection to a server on the outside of its network, such as a web server, web mail, and chat rooms. This prevents any hackers on the outside from learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to. The proxy server is in the middle, handling both sides of the session. Hence, all routing devices must forward traffic to the appropriate proxy to filter the traffic and initiate the sessions with the external server.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000203-FW-000127_chk)
Consult the organization's security plan documentation for the firewall for a list of organizationally defined internal communications traffic which must be inspected by the proxy if destined for external networks.
Review the firewall configuration for the interface associated with the identified egress traffic.
Verify the interface is configured to forward the identified traffic to the firewall proxy for inspection.

If organizationally defined internal communications traffic destined to organizationally defined external networks is not routed through authenticated proxy servers within the managed interfaces of the perimeter firewall, this is a finding.
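The check above can be scripted against an exported egress policy. The following is an added example, not part of the STIG or any vendor's tooling: it assumes a constructed, vendor-neutral rule model (source, destination, port, action, proxy name, auth flag) and a constructed list of traffic classes taken from a hypothetical security plan, and reports each class that is permitted directly, that has no matching rule, or that reaches a proxy which does not authenticate clients.

```python
from ipaddress import ip_network

# Constructed sample: traffic classes the security plan says must be proxied
# when leaving the internal network for external networks.
REQUIRED_PROXIED = [
    {"name": "web", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 80},
    {"name": "web-tls", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 443},
    {"name": "mail", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 25},
]

# Constructed sample egress rules on the boundary firewall's external
# interface; first match wins. "proxy" hands the flow to a named proxy,
# "permit" routes it directly, "deny" drops it.
EGRESS_RULES = [
    {"src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 80,
     "action": "proxy", "proxy": "web-proxy-1", "auth": True},
    {"src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 443,
     "action": "proxy", "proxy": "web-proxy-1", "auth": False},
    {"src": "10.0.0.0/8", "dst": "0.0.0.0/0", "dport": 25, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": None, "action": "deny"},
]

def first_match(rules, flow):
    """Return the first rule whose source, destination and port cover the flow."""
    src, dst = ip_network(flow["src"]), ip_network(flow["dst"])
    for rule in rules:
        if (src.subnet_of(ip_network(rule["src"]))
                and dst.subnet_of(ip_network(rule["dst"]))
                and rule["dport"] in (None, flow["dport"])):
            return rule
    return None

def audit_proxy_routing(rules, required):
    """Return (traffic class, reason) for each class not sent through an authenticated proxy."""
    findings = []
    for flow in required:
        rule = first_match(rules, flow)
        if rule is None:
            findings.append((flow["name"], "no matching egress rule"))
        elif rule["action"] == "permit":
            findings.append((flow["name"], "routed directly, bypassing the proxy"))
        elif rule["action"] == "proxy" and not rule.get("auth", False):
            findings.append((flow["name"], f"proxy {rule['proxy']} is not authenticated"))
        # "deny": the flow never reaches external networks, so this rule does not apply here.
    return findings

if __name__ == "__main__":
    for name, reason in audit_proxy_routing(EGRESS_RULES, REQUIRED_PROXIED):
        print(f"FINDING: {name}: {reason}")
```

Each returned tuple corresponds to one finding under the check text; an empty list means every listed class reaches an authenticated proxy.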
Fix Text (F-SRG-NET-000203-FW-000127_fix)
Configure proxies for all services that need to traverse the firewall.
Configure the organizationally defined external firewall interfaces to route organizationally defined internal communications traffic through authenticated proxy servers within the managed interfaces of the perimeter firewall.