
The firewall implementation must inspect inbound and outbound DNS traffic for protocol conformance.


Overview

Finding ID: SRG-NET-999999-FW-000178
Version: SRG-NET-999999-FW-000178
Rule ID: SRG-NET-999999-FW-000178_rule
IA Controls:
Severity: Medium
Description
Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, and flow control creates a direct connection between the host in the private network and a host on the outside, thereby bypassing additional security measures that could be provided. This places the internal host at a greater risk of exploitation that could make the entire network vulnerable to an attack.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-999999-FW-000178_chk )
Review the firewall configuration and verify that both ingress and egress DNS traffic is inspected for the following:
Protocol conformance, malformed packets, message length, and domain name integrity. Query ID and source port randomization for DNS query traffic must be enabled.

If the firewall implementation does not inspect inbound and outbound DNS traffic for protocol conformance, this is a finding.
Fix Text (F-SRG-NET-999999-FW-000178_fix)
Implement proxies for all services that need to traverse the firewall. If the firewall implementation does not have proxy capability, configure the firewall to meet the minimum content, protocol, and flow-control inspection: protocol conformance, malformed packets, message length, and domain name integrity. Enable query ID and source port randomization for DNS query traffic.