The firewall implementation must drop FTP connections containing harmful or malformed traffic.


Overview

Finding ID:   SRG-NET-999999-FW-000180
Version:      SRG-NET-999999-FW-000180
Rule ID:      SRG-NET-999999-FW-000180_rule
IA Controls:
Severity:     Medium
Description
Creating a filter to allow a port or service through the firewall without a proxy or content inspection, protocol inspection, or flow control creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the internal host at a greater risk of exploitation that could make the entire network vulnerable to an attack. FTP is not a recommended file transfer solution.
STIG:  Firewall Security Requirements Guide
Date:  2012-12-10

Details

Check Text (C-SRG-NET-999999-FW-000180_chk)
Review the firewall configuration and verify FTP traffic is inspected.
Verify the firewall is configured to perform the following: drop any connections with embedded commands; drop truncated commands; provide command and reply spoofing; drop invalid port negotiations; and protect FTP servers from buffer overflow attacks.

If the firewall implementation does not drop FTP connections containing harmful or malformed traffic, this is a finding.
Fix Text (F-SRG-NET-999999-FW-000180_fix)
Configure the firewall implementation to inspect FTP traffic and perform the following: drop any connections with embedded commands; drop truncated commands; provide command and reply spoofing; drop invalid port negotiations; and protect FTP servers from buffer overflow attacks.
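The five inspection functions named in the check and fix text, shown as an added Python reference model that is not part of this STIG and not the code of any firewall product. It classifies each client command as received on the control channel (dropping oversized, truncated and packed commands and invalid PORT/EPRT negotiations) and masks server replies that disclose software details. The 512-byte command limit, the 1024 minimum data port, the client address 10.0.0.5 and the sample session are all constructed for the example.

```python
import ipaddress
import re

# Constructed limits for this example; a real firewall exposes these as policy settings.
MAX_COMMAND_LEN = 512      # buffer-overflow guard: anything longer is dropped
MIN_DATA_PORT = 1024       # active-mode data ports below this are rejected

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
EPRT_RE = re.compile(rb"^EPRT \|([12])\|([^|]+)\|(\d{1,5})\|$")


def _check_data_endpoint(addr: str, port: int, client_ip: str, version: int) -> str:
    """An active-mode negotiation is valid only if the client asks the server to
    connect back to the client's own address, in the announced address family,
    on a high port. Anything else is a third-party or bogus endpoint."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "drop: invalid port negotiation"
    if ip.version != version or ip != ipaddress.ip_address(client_ip):
        return "drop: invalid port negotiation"
    if not MIN_DATA_PORT <= port <= 65535:
        return "drop: invalid port negotiation"
    return "allow"


def inspect_command(raw: bytes, client_ip: str) -> str:
    """Return "allow" or a "drop: ..." reason for one client command as received."""
    if len(raw) > MAX_COMMAND_LEN:
        return "drop: oversized command"
    if not raw.endswith(b"\r\n"):
        return "drop: truncated command"
    body = raw[:-2]
    # A CR, LF or NUL inside the line means a second command is packed into it.
    if b"\r" in body or b"\n" in body or b"\x00" in body:
        return "drop: embedded command"
    m = PORT_RE.match(body)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return "drop: invalid port negotiation"
        return _check_data_endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2, client_ip, 4)
    m = EPRT_RE.match(body)
    if m:
        proto, addr, port = m.groups()
        version = 4 if proto == b"1" else 6
        return _check_data_endpoint(addr.decode("ascii", "replace"), int(port), client_ip, version)
    return "allow"


def mask_reply(raw: bytes) -> bytes:
    """Reply spoofing: rewrite the greeting (220) and the SYST reply (215) so the
    real server software and operating system are not disclosed outside."""
    if raw.startswith((b"220 ", b"215 ")):
        return raw[:3] + b" FTP service ready\r\n"
    return raw


def inspect_session(commands, client_ip: str):
    """Walk a client's command stream and stop at the first drop, as a firewall
    would when it tears down the connection."""
    verdicts = []
    for raw in commands:
        verdict = inspect_command(raw, client_ip)
        verdicts.append((raw, verdict))
        if verdict != "allow":
            break
    return verdicts


# Constructed sample session from client 10.0.0.5 (not a real capture).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"PORT 10,0,0,5,4,1\r\n",        # valid: client's own address, port 1025
    b"PORT 192,168,1,1,0,21\r\n",    # invalid: third-party address, port 21
    b"RETR file.txt\r\n",            # never reached; the session is dropped above
]

if __name__ == "__main__":
    for raw, verdict in inspect_session(SAMPLE_SESSION, "10.0.0.5"):
        print(verdict, raw)
```

The PORT check recomputes the data port as p1*256 + p2 and compares the announced address with the source address of the control connection, which is the comparison that catches bounce-style negotiations; the EPRT check additionally requires the announced protocol number to match the address family of the parsed address.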