The firewall implementation must implement detection and inspection mechanisms to identify unauthorized mobile code.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000228-FW-000141	SRG-NET-000228-FW-000141	SRG-NET-000228-FW-000141_rule		Medium

Description
Mobile code are programs that can be executed on one or several hosts other than the one they originate from. These programs offer many benefits to the organization; however, decisions regarding the use of mobile code must also include consideration of which types of mobile code are not authorized for use. Malicious mobile code can be used to install malware on a computer. The code can be transmitted through interactive Web applications such as Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. While the firewall cannot replace the anti-virus and host based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created firewall ACLs or policy filters can be implemented which provide preemptive defense against both known and zero day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and ACLs or policy filters or blacklist updates are distributed by anti-virus or malicious code solution vendors.

Description

Mobile code are programs that can be executed on one or several hosts other than the one they originate from. These programs offer many benefits to the organization; however, decisions regarding the use of mobile code must also include consideration of which types of mobile code are not authorized for use. Malicious mobile code can be used to install malware on a computer. The code can be transmitted through interactive Web applications such as Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. While the firewall cannot replace the anti-virus and host based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created firewall ACLs or policy filters can be implemented which provide preemptive defense against both known and zero day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and ACLs or policy filters or blacklist updates are distributed by anti-virus or malicious code solution vendors.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000228-FW-000141_chk )
Verify ACLs or policy filters exist that monitor for unauthorized mobile code as it traverses the network. If the firewall is not configured to monitor network traffic for unauthorized mobile code, this is a finding.

Fix Text (F-SRG-NET-000228-FW-000141_fix)
Install and configure ACLs or policy filters to inspect network traffic on segments for unauthorized mobile code.