The firewall implementation must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000279-FW-000163	SRG-NET-000279-FW-000163	SRG-NET-000279-FW-000163_rule		Medium

Description
Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Examples: firewall ACLs or policy filters, cryptographic key management information, key configuration parameters for security services, and access control lists. Secure, non-operable system states are states in which the firewall is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.

Description

Security relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Examples: firewall ACLs or policy filters, cryptographic key management information, key configuration parameters for security services, and access control lists. Secure, non-operable system states are states in which the firewall is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-000279-FW-000163_chk )
Verify when the firewall is off-line, the configuration files, log files, account information, and other security information are not accessible without proper authentication. If the system does not prevent access when the system is in a state where the security policy and auditing cannot be enforced, this is a finding.

Fix Text (F-SRG-NET-000279-FW-000163_fix)
Configure the firewall implementation to prevent administrator access when the audit and privilege policies cannot be enforced.