The firewall implementation must restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-999999-FW-000183	SRG-NET-999999-FW-000183	SRG-NET-999999-FW-000183_rule		High

Description
ACLs are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to even reach a potential target within the security domain. The PPS Vulnerability Assessment report contains a list of highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network, but that are stopped by an ACL, will allow network administrators to broaden their protective ring and more tightly define the scope of operation. If the perimeter devices are in a deny-by-default posture and what is allowed through the filter is IAW DoD Instruction 8551.1, and if the permit rule is defined with explicit ports and protocols allowed, then all requirements related to PPS being blocked would be satisfied. It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database. This requirement is usually implemented by the router, firewall, and/or the IDPS working jointly to ensure perimeter defense.

Description

ACLs are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to even reach a potential target within the security domain. The PPS Vulnerability Assessment report contains a list of highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network, but that are stopped by an ACL, will allow network administrators to broaden their protective ring and more tightly define the scope of operation. If the perimeter devices are in a deny-by-default posture and what is allowed through the filter is IAW DoD Instruction 8551.1, and if the permit rule is defined with explicit ports and protocols allowed, then all requirements related to PPS being blocked would be satisfied. It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database. This requirement is usually implemented by the router, firewall, and/or the IDPS working jointly to ensure perimeter defense.

STIG	Date
Firewall Security Requirements Guide	2012-12-10

Details

Check Text ( C-SRG-NET-999999-FW-000183_chk )
Review the configuration of the firewalls and verify that the filters are IAW DoD 8551. Review the PPS Vulnerability Assessment report of all port allowed into the enclave. Configure all mitigations required by the report. If the firewall implementation does not restrict traffic to the perimeter based on DoD PPS guidance, this is a finding.

Fix Text (F-SRG-NET-999999-FW-000183_fix)
Configure the firewall implementation to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments.