
The firewall implementation must inspect inbound and outbound HTTP traffic for protocol conformance.


Overview

Finding ID: SRG-NET-999999-FW-000181
Version: SRG-NET-999999-FW-000181
Rule ID: SRG-NET-999999-FW-000181_rule
IA Controls: (none listed)
Severity: Medium
Description
Creating a filter that allows a port or service through the firewall without a proxy, content inspection, protocol inspection, and flow control creates a direct connection between a host in the private network and a host on the outside, bypassing the additional security measures those controls could provide. This places the internal host at greater risk of exploitation, which could in turn leave the entire network vulnerable to attack.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-999999-FW-000181_chk)
Review the firewall configuration for both ingress and egress traffic.
Inspection of HTTP traffic to servers residing in the enclave is required, as is inspection of HTTP traffic from clients and servers in the enclave to servers outside the enclave. HTTP inspection will be configured to filter Java applets and ActiveX objects as required by the enclave security policy.
Review the security policy with the Information Assurance Officer and look for Java and ActiveX filters if the security policy requires restrictions.

If the firewall implementation does not inspect inbound and outbound HTTP traffic for protocol conformance, this is a finding.
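The following is an added illustration of what "protocol conformance" inspection and the Java/ActiveX filter in the check text amount to in practice; it is example code written for this page, not part of the STIG or of any firewall product. It parses one raw HTTP request against the request-line and header-field grammar of RFC 9112 and reports deviations that a conforming inspector would refuse to pass (bare LF terminators, missing Host on HTTP/1.1, conflicting Content-Length and Transfer-Encoding), and separately flags mobile-code markers in a response body. All sample messages, the placeholder CLSID and the finding strings are constructed for the example.

```python
import re

# Grammar fragments from RFC 9110/9112: token, request-line, field-line.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
REQUEST_LINE = re.compile(rf"({TOKEN}) (\S+) HTTP/(\d)\.(\d)")
FIELD_LINE = re.compile(rf"({TOKEN}):[ \t]*(.*?)[ \t]*")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}

# Mobile-code markers the check text says the inspection must filter.
# The <object classid="clsid:..."> form is how ActiveX controls are embedded.
APPLET_TAG = re.compile(rb"<applet\b", re.IGNORECASE)
ACTIVEX_OBJECT = re.compile(rb"<object\b[^>]*\bclassid\s*=\s*[\"']?clsid:", re.IGNORECASE)


def inspect_request(raw: bytes) -> list[str]:
    """Return protocol-conformance findings for one raw HTTP request.
    An empty list means the request parsed cleanly under the checks below."""
    findings: list[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("missing CRLF CRLF terminator after the header block")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        findings.append("non-ASCII bytes in request head")
        return findings
    lines = text.split("\r\n")
    # After splitting on CRLF, any remaining LF is a bare line feed.
    if any("\n" in line for line in lines):
        findings.append("bare LF used as line terminator")
    m = REQUEST_LINE.fullmatch(lines[0])
    if m is None:
        findings.append(f"malformed request line: {lines[0]!r}")
        return findings
    method, _target, major, minor = m.groups()
    if method not in KNOWN_METHODS:
        findings.append(f"unknown method {method}")
    if major != "1":
        findings.append(f"unsupported HTTP version {major}.{minor}")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        h = FIELD_LINE.fullmatch(line)
        if h is None:  # also rejects whitespace before the colon
            findings.append(f"malformed header field: {line!r}")
            continue
        headers.setdefault(h.group(1).lower(), []).append(h.group(2))
    if (major, minor) == ("1", "1") and "host" not in headers:
        findings.append("HTTP/1.1 request without Host header")
    if len(headers.get("host", [])) > 1:
        findings.append("multiple Host headers")
    if "content-length" in headers:
        values = headers["content-length"]
        if len(set(values)) > 1 or not values[0].isdigit():
            findings.append("invalid or conflicting Content-Length")
        elif int(values[0]) != len(body):
            findings.append("Content-Length does not match body length")
        if "transfer-encoding" in headers:
            # Ambiguous framing; a conforming inspector rejects rather than guesses.
            findings.append("both Transfer-Encoding and Content-Length present")
    return findings


def mobile_code_in_body(body: bytes) -> list[str]:
    """Report Java applet and ActiveX object markers found in a response body."""
    hits: list[str] = []
    if APPLET_TAG.search(body):
        hits.append("Java applet")
    if ACTIVEX_OBJECT.search(body):
        hits.append("ActiveX object")
    return hits


if __name__ == "__main__":
    # Constructed sample messages for the example.
    clean = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: probe\r\n\r\n"
    ambiguous = b"POST /upload HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nabc"
    page = b'<html><object classid="clsid:00000000-0000-0000-0000-000000000000"></object></html>'
    print(inspect_request(clean))      # []
    print(inspect_request(ambiguous))  # three findings
    print(mobile_code_in_body(page))   # ['ActiveX object']
```

A real firewall applies these checks on both directions at once, which is the point of the check text: the inbound inspector protects enclave servers from malformed requests, and the outbound one protects enclave clients from responses carrying mobile code the policy forbids.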
Fix Text (F-SRG-NET-999999-FW-000181_fix)
Configure the firewall implementation to inspect inbound and outbound HTTP traffic for protocol conformance.