
The firewall implementation must drop FTP connections containing harmful or malformed traffic.


Overview

Finding ID: SRG-NET-999999-FW-000180
Version: SRG-NET-999999-FW-000180
Rule ID: SRG-NET-999999-FW-000180_rule
IA Controls: (none listed)
Severity: Medium
Description
Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, or flow control creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the internal host at a greater risk of exploitation that could make the entire network vulnerable to an attack. FTP is not a recommended file transfer solution.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-999999-FW-000180_chk)
Review the firewall configuration and verify FTP traffic is inspected.
Verify the firewall is configured to perform the following: drop any connections with embedded commands; drop truncated commands; provide command and reply spoofing; drop invalid port negotiations; and protect FTP servers from buffer overflow attacks.

If the firewall implementation does not drop FTP connections containing harmful or malformed traffic, this is a finding.
Fix Text (F-SRG-NET-999999-FW-000180_fix)
Configure the firewall implementation to inspect FTP traffic and perform the following: drop any connections with embedded commands; drop truncated commands; provide command and reply spoofing; drop invalid port negotiations; and protect FTP servers from buffer overflow attacks.
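The check and fix text above list the same five inspection behaviours without saying what each one looks like on the wire. The following Python inspector is an added illustration, not part of the SRG or of any vendor's firewall: it models a control-channel filter that enforces four of them (dropping truncated commands, embedded commands, overlong commands as the buffer-overflow protection, and invalid PORT negotiations). Command and reply spoofing is a rewrite of the server banner and replies and is not modelled here. The 512-byte line ceiling, the client address 10.0.0.5 and the sample session are constructed assumptions.

```python
import re
from typing import List, Tuple

MAX_CMD_LEN = 512  # assumption: fixed line-length ceiling; real firewalls make this tunable
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
VERB_RE = re.compile(r"^[A-Za-z]{3,4}( [ -~]*)?$")  # verb plus printable-ASCII argument


def inspect_ftp_command(raw: bytes, client_ip: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one chunk of the client->server control channel."""
    # Truncated command: no terminating CRLF, so the line is incomplete or was split.
    if not raw.endswith(b"\r\n"):
        return False, "truncated command"
    body = raw[:-2]
    # Embedded commands: a stray CR/LF or Telnet IAC (0xFF) inside one line hides another command.
    if b"\r" in body or b"\n" in body or b"\xff" in body:
        return False, "embedded command"
    # Buffer-overflow protection: refuse overlong lines before they reach the server.
    if len(body) > MAX_CMD_LEN:
        return False, "command too long"
    line = body.decode("ascii", errors="replace")  # non-ASCII bytes fail VERB_RE below
    if not VERB_RE.match(line):
        return False, "malformed command"
    if line.split(" ", 1)[0].upper() == "PORT":
        m = PORT_RE.match(line.upper())
        if not m:
            return False, "malformed PORT"
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return False, "invalid PORT value"
        host = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        # Invalid port negotiation: data address must be the client itself, data port unprivileged.
        if host != client_ip or port < 1024:
            return False, "invalid port negotiation"
    return True, "ok"


def inspect_session(chunks: List[bytes], client_ip: str) -> List[Tuple[bytes, bool, str]]:
    """Run every chunk of a session through the inspector and collect the verdicts."""
    return [(c,) + inspect_ftp_command(c, client_ip) for c in chunks]


# Constructed sample session from a client at 10.0.0.5 (not captured traffic).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",            # well-formed -> passes
    b"PORT 10,0,0,5,4,1\r\n",         # client's own address, port 1025 -> passes
    b"PORT 192,0,2,10,0,21\r\n",      # data address is not the client -> dropped
    b"RETR a.txt\r\nDELE b.txt\r\n",  # second command hidden in one line -> dropped
    b"CWD " + b"A" * 600 + b"\r\n",   # overlong line -> dropped
    b"QUIT",                          # no CRLF -> truncated, dropped
]
```

Running `inspect_session(SAMPLE_SESSION, "10.0.0.5")` passes the first two chunks and drops the remaining four, each with the reason a firewall log would record for the corresponding SRG item.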