
The firewall implementation must check the validity of data inputs.


Overview

Finding ID: SRG-NET-000312-FW-000172
Version: SRG-NET-000312-FW-000172
Rule ID: SRG-NET-000312-FW-000172_rule
IA Controls: (none)
Severity: Medium
Description
Invalid input occurs when a user, or a system acting on behalf of a user, inserts data or characters into an application's data entry fields and the application is unprepared to process that data. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. The integrity of the firewall ACL, rule sets, and security zone data is essential for controlling network access. Input validation helps ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000312-FW-000172_chk)
Review the firewall to determine if data input validation occurs. This is usually part of the system design. Input several commands with invalid syntax and verify that the commands are rejected.

If the firewall implementation does not perform validity checks for commands and data entered into the system, this is a finding.
Fix Text (F-SRG-NET-000312-FW-000172_fix)
Ensure the firewall is designed to check the validity of data inputs.