The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000250-FW-NA	SRG-NET-000250-FW-NA	SRG-NET-000250-FW-NA_rule		Medium

Description
One of the top concerns of any firewall solution is false positives. Incorrectly identifying valid access and traffic as an attack can result in constant network traffic disruptions, inappropriately dropped packets, or unnecessary administrator alerts. Critical business activities can be delayed and additional IT resources needed to investigate and determine the nature of the false positives. Mechanisms which examine the traffic in context (stateful) or look for application and usage patterns are used by firewall solutions to minimize false positives. Addressing false positives for malicious code detection is beyond the scope of the firewall functionality.

Description

One of the top concerns of any firewall solution is false positives. Incorrectly identifying valid access and traffic as an attack can result in constant network traffic disruptions, inappropriately dropped packets, or unnecessary administrator alerts. Critical business activities can be delayed and additional IT resources needed to investigate and determine the nature of the false positives. Mechanisms which examine the traffic in context (stateful) or look for application and usage patterns are used by firewall solutions to minimize false positives. Addressing false positives for malicious code detection is beyond the scope of the firewall functionality.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000250-FW-NA_chk )
This requirement is NA for firewall. No fix required.

Fix Text (F-SRG-NET-000250-FW-NA_fix)
This requirement is NA for firewall. No fix required.