
The firewall implementation must enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable flow control policy.


Overview

Finding ID: V-37051
Version: SRG-NET-000018-FW-000017
Rule ID: SV-48812r1_rule
IA Controls: (none listed)
Severity: Low
Description
Information flow control regulates where information is allowed to travel. Flow control mechanisms, such as the firewall, use security attributes to control and restrict information flow. Security attributes (a type of metadata) are information about one or more pieces of data. This information is bound to the data and may include information about the data's purpose, creator, origin, or classification.

This control applies to the flow of information within an individual firewall. Internal component communication, such as between the firewall, router, and IPS, is not included in this control. The firewall implementation must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design.

If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components, causing corruption or other undesirable conditions. Examples of flow control restrictions include preventing installed applications or functions from accessing security configurations, or preventing unauthorized commands from executing on the firewall.

For most network devices, internal information flow control is a product of system design. Verification of this function requires access to the internal programmer's documentation of the firewall manufacturer.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45344r2_chk)
Review the vendor documentation and configuration settings to determine if any configuration requirements that are needed to support internal flow control mechanisms are implemented.

If the firewall is not configured to enforce internal information flow based on approved authorizations in accordance with applicable policy restrictions, this is a finding.
Fix Text (F-41910r2_fix)
Configure the firewall implementation to enforce approved authorizations for controlling the flow of information within the system and its components in accordance with applicable policy.