
Firewall Security Requirements Guide


Overview

Date: 2013-04-24
Finding Count: 159 (CAT I (High): 3, CAT II (Med): 84, CAT III (Low): 72)
STIG Description
The Firewall Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from NIST SP 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.




Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-37052 High The firewall implementation must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-37221 High The firewall implementation must protect against or limit the effects of denial of service attacks.
V-37435 High The firewall implementation must monitor and control traffic at both the external and internal boundary interfaces.
V-37058 Medium The firewall must uniquely authenticate source domains for information transfer.
V-37312 Medium The firewall implementation must protect the confidentiality and integrity of system information at rest.
V-37313 Medium The firewall implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest.
V-37314 Medium The firewall implementation must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter.
V-37315 Medium The firewall implementation must be configured to perform organizationally defined actions in response to malicious code detection.
V-37316 Medium The firewall implementation must verify the correct operation of security functions, in accordance with organizationally identified conditions and frequency.
V-37317 Medium The firewall implementation must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.
V-37181 Medium The firewall implementation must enforce minimum password length.
V-37183 Medium The firewall implementation must prohibit password reuse for the organizationally defined number of generations.
V-37187 Medium The firewall implementation must enforce password complexity by the number of lower case characters used.
V-37301 Medium The firewall implementation must protect the integrity and availability of publicly available information and applications.
V-37197 Medium The firewall implementation must enforce password encryption for transmission.
V-37195 Medium The firewall implementation must enforce password encryption for storage.
V-37299 Medium The firewall implementation must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-37199 Medium The firewall implementation must enforce minimum password lifetime restrictions.
V-37329 Medium The firewall implementation must prevent the download of prohibited mobile code.
V-37328 Medium The firewall implementation must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.
V-37327 Medium The firewall implementation must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
V-37321 Medium The firewall implementation must identify and respond to potential security-relevant error conditions.
V-37320 Medium The firewall implementation must detect unauthorized changes to software and information.
V-37322 Medium The firewall implementation must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-37057 Medium The firewall implementation must uniquely identify source domains for information transfer.
V-37114 Medium The firewall implementation must use automated mechanisms to enforce access restrictions.
V-37115 Medium The firewall implementation must use automated mechanisms to support auditing of the enforcement actions.
V-37059 Medium The firewall implementation must uniquely identify destination domains for information transfer.
V-37233 Medium The firewall implementation must route organizationally defined internal communications traffic destined for organizationally defined external networks through authenticated application firewalls (application proxy servers) at managed interfaces.
V-37232 Medium The firewall implementation must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
V-37339 Medium The firewall implementation must inspect inbound and outbound DNS traffic for harmful content and protocol conformance.
V-37330 Medium The firewall implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-37331 Medium The firewall implementation must enforce a DAC policy that includes or excludes access to the granularity of a single user.
V-37336 Medium The firewall implementation must have only one local account created for use when the network is not available or direct access on the device is needed.
V-37337 Medium The firewall implementation must be configured to use two or more authentication servers for the purpose of granting administrative access.
V-37167 Medium The firewall implementation must be configured to prohibit or restrict network traffic in accordance with organizationally defined requirements for nonsecure ports, protocols, and/or services.
V-37165 Medium The firewall application must be configured to prohibit or restrict the use of organizationally defined nonsecure ports, protocols, and/or services.
V-37079 Medium The firewall implementation must automatically lock an account after the maximum number of unsuccessful login attempts is exceeded and keep it locked for an organizationally defined time period or until released by an administrator.
V-37078 Medium The firewall implementation must enforce the organizationally defined time period over which the number of invalid login attempts is counted.
V-37173 Medium The firewall implementation must use multifactor authentication for local access to privileged accounts.
V-37175 Medium The firewall implementation must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
V-37220 Medium The firewall implementation must prevent unauthorized and unintended information transfer via shared system resources.
V-37223 Medium The firewall implementation must limit the use of resources by priority.
V-37229 Medium The firewall implementation must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices.
V-37177 Medium The firewall implementation must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-37070 Medium The firewall implementation must uniquely authenticate destination domains for information transfer.
V-37077 Medium The firewall implementation must enforce the organizationally defined maximum number of consecutive invalid login attempts.
V-37348 Medium The firewall implementation must produce application log records containing sufficient information to establish where the events occurred.
V-37347 Medium The firewall implementation must produce application event log records containing sufficient information to establish when the events occurred.
V-37171 Medium The firewall implementation must use multifactor authentication for network access to privileged accounts.
V-37345 Medium The firewall implementation must generate application log records for the success or failure of firewall rules, as determined by the organization to be relevant to the security of the network infrastructure.
V-37343 Medium A firewall located behind the premise router must be configured to block all outbound management traffic.
V-37342 Medium The firewall implementation must inspect inbound and outbound HTTP traffic for harmful content and protocol conformance.
V-37341 Medium The firewall implementation must inspect inbound and outbound FTP traffic for harmful content and protocol conformance.
V-37340 Medium The firewall implementation must inspect inbound and outbound SMTP and Extended SMTP traffic for harmful content and protocol conformance.
V-37213 Medium The firewall implementation must be configured to detect the presence of unauthorized software on organizational information systems.
V-37295 Medium The firewall implementation must protect the confidentiality of transmitted information.
V-37294 Medium The firewall implementation must use cryptographic mechanisms to detect changes to information during transmission, unless otherwise protected by alternative physical measures.
V-37297 Medium The firewall implementation must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
V-37296 Medium The firewall implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures.
V-37358 Medium The firewall implementation must protect application log information from unauthorized read access.
V-37359 Medium The firewall implementation must protect the application log information from unauthorized modification.
V-37293 Medium The firewall implementation must protect the integrity of transmitted information.
V-37356 Medium The firewall implementation must be configured to send an alert to designated personnel in the event the application log fails to function.
V-37357 Medium The firewall implementation must be configured to stop generating application log records or overwrite the oldest log records when a log failure occurs.
V-37346 Medium The firewall implementation must produce application event log records that contain sufficient information to establish what type of event occurred.
V-37209 Medium The firewall implementation must terminate all sessions when non-local maintenance is completed.
V-37203 Medium The firewall implementation must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms.
V-37200 Medium The firewall implementation must enforce maximum password lifetime restrictions.
V-37201 Medium The firewall implementation must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
V-37204 Medium The firewall implementation must employ automated mechanisms to assist in the tracking of security incidents.
V-37369 Medium The firewall implementation must ensure the IPv6 Jumbo Payload hop-by-hop header is blocked.
V-37368 Medium The firewall implementation must ensure IPv6 Site Local Unicast addresses are not used.
V-37361 Medium The firewall implementation must suppress router advertisements for traffic destined for external IPv6-enabled interfaces.
V-37360 Medium The firewall implementation must protect application logs from unauthorized deletion.
V-37363 Medium The firewall implementation must drop all inbound IPv6 packets containing a Type 0 Routing Header unless the packet also contains an IPSec AH or IPSec ESP header.
V-37365 Medium The firewall implementation must drop at least one fragment of any inbound fragmented IPv6 packet for which the complete data set for filtering cannot be determined.
V-37364 Medium The firewall implementation must drop all inbound IPv6 packets containing undefined header extensions/protocol values.
V-37349 Medium The firewall implementation must produce application log records containing sufficient information to establish the source of the event.
V-37366 Medium The firewall implementation must drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.
V-37367 Medium The firewall implementation must ensure IPv6 6-to-4 addresses are dropped at the enclave perimeter for inbound and outbound traffic.
V-37087 Medium The firewall implementation must employ automated mechanisms to monitor and control remote access methods.
V-37088 Medium The firewall implementation must route all remote access traffic through managed access control points.
V-37089 Medium The firewall implementation must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency.
V-37370 Medium The firewall implementation must ensure interfaces supporting IPv4 in NAT-PT architecture do not receive IPv6 traffic.
V-37118 Medium The firewall implementation must limit privileges to change software resident within software libraries, including privileged programs.
V-37119 Medium The firewall implementation must not have unnecessary services and functions enabled.
V-37035 Low The firewall implementation must provide automated support for account management functions.
V-37037 Low The firewall implementation must automatically terminate emergency accounts after an organizationally defined time period.
V-37036 Low The firewall implementation must automatically terminate temporary accounts after an organizationally defined time period for each type of account.
V-37110 Low The firewall implementation must provide audit record generation capability for organizationally defined auditable events occurring within the firewall.
V-37305 Low The firewall implementation must provide mechanisms to protect the authenticity of communications sessions.
V-37039 Low The firewall implementation must automatically audit the creation of accounts.
V-37038 Low The firewall implementation must automatically disable inactive accounts after an organizationally defined time period of inactivity.
V-37310 Low The firewall implementation must fail to an organizationally defined known state for organizationally defined types of failures.
V-37311 Low The firewall implementation must preserve organizationally defined system state information in the event of a system failure.
V-37185 Low The firewall implementation must enforce password complexity by the number of upper case characters used.
V-37101 Low The firewall implementation must be capable of taking organizationally defined actions upon audit failure.
V-37100 Low The firewall implementation must be configured to send an alert to designated personnel in the event of an audit processing failure.
V-37103 Low The firewall implementation must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source.
V-37102 Low The firewall implementation must use internal system clocks to generate timestamps for audit records.
V-37105 Low The firewall implementation must protect audit log information from unauthorized modification.
V-37104 Low The firewall implementation must protect audit log information from unauthorized read access.
V-37106 Low The firewall implementation must protect audit logs from unauthorized deletion.
V-37109 Low The firewall must protect against an individual falsely denying having performed a particular action.
V-37194 Low The firewall implementation must enforce the number of characters changed when passwords are changed.
V-37193 Low The firewall implementation must enforce password complexity by the number of special characters used.
V-37190 Low The firewall implementation must enforce password complexity by the number of numeric characters used.
V-37325 Low The firewall implementation must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.
V-37324 Low The firewall implementation must block network access by unauthorized devices and must log the information as a security violation.
V-37323 Low The firewall implementation must activate an organizationally defined alarm when a system component failure is detected.
V-37051 Low The firewall implementation must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable flow control policy.
V-37050 Low The firewall implementation must implement organizationally defined nondiscretionary access control policies over organizationally defined users and resources.
V-37116 Low The firewall implementation must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.
V-37112 Low The firewall implementation must generate audit log events for a locally developed list of auditable events.
V-37113 Low The firewall implementation must enforce access restrictions associated with changes to the system components.
V-37111 Low The firewall implementation must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
V-37338 Low The firewall implementation must implement NAT to ensure endpoint internal IPv4 addresses are not visible to external untrusted networks.
V-37044 Low The firewall implementation must notify the organizationally identified individuals when the account has been disabled.
V-37045 Low The firewall implementation must automatically audit account termination.
V-37046 Low The firewall implementation must notify the organizationally identified individuals for account termination.
V-37168 Low The firewall implementation must support organizational requirements to conduct backups of system level information contained in the information system per organizationally defined frequency.
V-37040 Low The firewall implementation must notify the organizationally identified individuals when accounts are created.
V-37041 Low The firewall implementation must automatically audit account modification.
V-37042 Low The firewall implementation must notify the organizationally identified individuals when accounts are modified.
V-37043 Low The firewall implementation must automatically audit account disabling actions.
V-37049 Low The firewall implementation must enforce approved authorizations for logical access to firewall information and system resources in accordance with applicable access control policy.
V-37178 Low The firewall implementation must authenticate an organizationally defined list of specific devices by device type before establishing a connection.
V-37075 Low The firewall implementation must implement separation of duties through assigned information system access authorizations.
V-37344 Low The firewall implementation must be configured to log any attempt to a port, protocol, or service that is denied.
V-37169 Low The firewall implementation must support organizational requirements to conduct backups of information system documentation, including security-related documentation, per an organizationally defined frequency that is consistent with recovery time and recovery point objectives.
V-37047 Low The firewall implementation must monitor for unusual usage of accounts.
V-37214 Low The firewall implementation must isolate security functions from non-security functions.
V-37211 Low The firewall implementation must employ cryptographic mechanisms to protect information in storage.
V-37292 Low The firewall implementation must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
V-37354 Low The firewall implementation application event logging function must reduce the likelihood of log record capacity being exceeded.
V-37355 Low The firewall implementation must provide a warning when the application event logging storage capacity reaches an organizationally defined maximum capacity.
V-37350 Low The firewall implementation must produce application log records containing sufficient information to determine if the event was a success or failure.
V-37351 Low The firewall implementation must produce application log records that capture sufficient information to establish the identity of any user account associated with the events detected by the firewall application.
V-37352 Low The firewall implementation must produce application log records that capture organizationally defined additional information (identified by type, location, or subject) to the records for the events detected by the firewall application.
V-37353 Low The firewall implementation must allocate firewall application log record storage capacity.
V-37093 Low The firewall implementation must produce audit log records containing sufficient information to establish where the events occurred.
V-37092 Low The firewall implementation must produce audit log records containing sufficient information to establish when the events occurred.
V-37091 Low The firewall implementation must produce audit log records that contain sufficient information to establish what type of event occurred.
V-37090 Low The firewall implementation must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.
V-37097 Low The firewall implementation must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events.
V-37096 Low The firewall implementation must capture and log sufficient information to establish the identity of user accounts associated with the audit event.
V-37095 Low The firewall implementation must produce audit log records containing sufficient information to determine if the event was a success or failure.
V-37094 Low The firewall implementation must produce audit log records containing sufficient information to establish the source of the event.
V-37099 Low The firewall implementation must provide a real-time alert when organizationally defined audit failure events occur.
V-37098 Low The firewall implementation must transmit audit events to the organization's central audit log server.
V-37206 Low The firewall implementation must log non-local maintenance and diagnostic sessions.
V-37362 Low The firewall implementation must drop IPv6 packets for which the layer 4 protocol and ports cannot be detected.
V-37080 Low The firewall implementation must display an approved system use notification message (or banner) before granting access to the system.
V-37081 Low The firewall implementation must display the notification message on the screen until the administrator takes explicit action to acknowledge the message.
V-37082 Low The firewall implementation must display a DoD-approved system use notification message or banner before granting access to the device.
V-37083 Low Upon successful login, the firewall implementation must notify the user of the date and time of the last login.
V-37086 Low The firewall implementation must limit the number of concurrent sessions for each account to an organizationally defined number.
V-37371 Low The firewall implementation must backup application log records at an organizationally defined frequency onto a different system or media.
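The IPv6 findings above (V-37362, V-37363, V-37364, V-37365, V-37366 and V-37369) all come down to walking the extension-header chain of each inbound packet and deciding before the layer-4 header is reached. The following is an added example, not DISA's code and not any firewall vendor's implementation, showing that decision logic in working form. Everything in it is an assumption made for the example: the table KNOWN of next-header values the filter recognises (anything outside it is treated as "undefined" for V-37364), the choice to track first fragments by (source, destination, fragment identification) so that later fragments of the same datagram can be admitted (V-37362), and the packet builders and sample packets, which are constructed rather than captured. The address-based findings V-37367 and V-37368 are plain prefix checks and are left out.

```python
# Added example, not DISA's or any vendor's code, for the IPv6 header-chain findings above.
# Assumptions: the protocol table KNOWN, the (src, dst, id) fragment key, the sample packets.
import ipaddress
import struct
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, ESP = 0, 43, 44, 60, 51, 50
TCP, UDP, ICMPV6, NO_NEXT = 6, 17, 58, 59
TERMINAL = {TCP, UDP, ICMPV6, ESP, NO_NEXT}                        # chain walking stops here
KNOWN = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH} | TERMINAL    # anything else: V-37364
JUMBO_OPT, L4_LEN = 0xC2, {TCP: 20, UDP: 8}

def parse_chain(pkt):
    """Return (headers, upper, upper_off, frag_offset, frag_id); headers = [(code, offset), ...]."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    headers, nh, off, frag_offset, frag_id = [], pkt[6], 40, None, None
    while nh not in TERMINAL:
        if nh not in KNOWN:
            raise ValueError(f"undefined next-header {nh}")
        # Fragment header is fixed at 8 bytes; AH length is 32-bit words minus 2; others 8-octet units minus 1
        lb = pkt[off + 1] if off + 2 <= len(pkt) else 0
        hlen = 8 if nh == FRAGMENT else (lb + 2) * 4 if nh == AH else (lb + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:                        # reserved byte, 13-bit offset + M flag, identification
            flags, frag_id = struct.unpack("!HI", pkt[off + 2:off + 8])
            frag_offset = (flags >> 3) * 8
        headers.append((nh, off))
        nh, off = pkt[off], off + hlen
        if frag_offset:                           # non-initial fragment: what follows is opaque payload
            return headers, None, None, frag_offset, frag_id
    return headers, nh, off, frag_offset, frag_id

def has_jumbo_option(pkt, off):
    """Walk a Hop-by-Hop header's TLV options looking for Jumbo Payload (type 0xC2)."""
    pos, end = off + 2, off + (pkt[off + 1] + 1) * 8
    while pos < end:
        if pkt[pos] == 0:                         # Pad1 is a lone byte without a length field
            pos += 1
        elif pkt[pos] == JUMBO_OPT:
            return True
        else:
            pos += 2 + pkt[pos + 1]
    return False

class Ipv6Filter:
    """One verdict per packet; accepted first fragments register their flow (V-37362)."""
    def __init__(self):
        self.flows = {}

    def verdict(self, pkt):
        try:
            headers, upper, upper_off, frag_offset, frag_id = parse_chain(pkt)
        except ValueError as e:
            return f"DROP {e} (V-37364)"
        codes = [c for c, _ in headers]
        if codes.count(FRAGMENT) > 1:
            return "DROP more than one Fragment header (V-37366)"
        for code, off in headers:
            if code == HOP_BY_HOP and has_jumbo_option(pkt, off):
                return "DROP Jumbo Payload hop-by-hop option (V-37369)"
            if code == ROUTING and pkt[off + 2] == 0 and not {AH, ESP} & set(codes + [upper]):
                return "DROP Type 0 Routing header without AH/ESP (V-37363)"
        key = (pkt[8:24], pkt[24:40], frag_id)
        if frag_offset:                           # no L4 header in this fragment to inspect
            return ("ACCEPT fragment of known flow" if key in self.flows
                    else "DROP fragment whose L4 ports cannot be determined (V-37362)")
        if upper in L4_LEN:
            if upper_off + L4_LEN[upper] > len(pkt):
                return "DROP first fragment lacks the full L4 header (V-37365)"
            sport, dport = struct.unpack("!HH", pkt[upper_off:upper_off + 4])
            if frag_id is not None:
                self.flows[key] = (upper, sport, dport)
            return f"ACCEPT proto {upper} {sport}->{dport}"
        return f"ACCEPT proto {upper}"

# Constructed sample packets (not captured traffic).
def ipv6(src, dst, nh, payload):
    head = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload
def tcp(sport, dport):                            # minimal 20-byte SYN
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 2, 65535, 0, 0)
def fragment(nh, offset, more, ident):
    return struct.pack("!BBHI", nh, 0, (offset // 8) << 3 | int(more), ident)
def routing0(nh):                                 # Type 0 routing header with one address slot
    return struct.pack("!BBBBI", nh, 2, 0, 1, 0) + bytes(16)
def hop_by_hop_jumbo(nh):                         # a single Jumbo Payload option, 8 bytes in total
    return struct.pack("!BBBBI", nh, 0, JUMBO_OPT, 4, 100000)

def demo():
    s, d, syn = "2001:db8::1", "2001:db8::2", tcp(40000, 443)
    tail = fragment(TCP, 1280, False, 7) + bytes(16)   # non-initial fragment of datagram 7
    cases = {"rh0": ipv6(s, d, ROUTING, routing0(TCP) + syn),
             "jumbo": ipv6(s, d, HOP_BY_HOP, hop_by_hop_jumbo(TCP) + syn),
             "two_frag_hdrs": ipv6(s, d, FRAGMENT, fragment(FRAGMENT, 0, True, 1) + fragment(TCP, 0, True, 1) + syn),
             "head": ipv6(s, d, FRAGMENT, fragment(TCP, 0, True, 7) + syn),
             "tail_after_head": ipv6(s, d, FRAGMENT, tail),
             "short_head": ipv6(s, d, FRAGMENT, fragment(TCP, 0, True, 9) + syn[:8])}
    f = Ipv6Filter()
    return {name: f.verdict(pkt) for name, pkt in cases.items()}
```

Two points worth checking against a real product: the Type 0 Routing header exception in V-37363 is honoured here by looking for AH or ESP anywhere in the chain that was actually walked, and a non-initial fragment is admitted only when a first fragment with the same identification has already been accepted, because the fragment itself carries no layer-4 ports to match (V-37362). The same `tail` packet therefore gets a different verdict before and after its first fragment has been seen, which is the behaviour an auditor should look for when testing these findings.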