
The firewall implementation must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.


Overview

Finding ID: V-37116
Version: SRG-NET-000121-FW-000071
Rule ID: SV-48877r1_rule
IA Controls: (none listed)
Severity: Low
Description
Changes to any software components of the firewall can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Software must be obtained from a trusted patch server, not from the vendor. The firewall should not have to verify the software again. Self-signed certificates are disallowed by this control. This control does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved source.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45488r1_chk)
Verify applications and updates installed on the firewall are obtained from an organizationally approved centralized patch server.
Verify the firewall is configured to prevent the installation of software updates or applications which are not signed by an organizationally approved private key.

If the firewall implementation does not prevent the installation of organizationally defined critical applications and updates not digitally signed with an organizationally approved private key, this is a finding.
Fix Text (F-42061r1_fix)
Obtain software updates from an approved trusted patch server.
Configure the firewall implementation components to check for a digital signature prior to allowing installation of critical software programs.
Allow only organizationally approved digital signatures.
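The check and fix text above describe one gate: before a critical update is installed, its signature must verify, and the signing key must be on the organization's approved list, so that a self-signed or vendor-only key is refused even when its signature is mathematically valid. The following is an added illustration of that gate in Go, not code from the SRG, from the STIG viewer, or from any firewall vendor. It assumes Ed25519 as the signature scheme (the control names no algorithm), and every key, package name and payload in it is constructed in the program so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a firewall software update:
// the payload bytes, a signature over them, and the public key the
// publisher claims to have signed with.
type UpdatePackage struct {
	Name      string
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// SignerAllowList holds the organizationally approved signing keys,
// indexed by the hex SHA-256 fingerprint of the raw public key bytes.
type SignerAllowList map[string]ed25519.PublicKey

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

var (
	ErrUnapprovedSigner = errors.New("signer key is not organizationally approved")
	ErrBadSignature     = errors.New("signature does not verify over payload")
)

// VerifyBeforeInstall enforces the control. The signer must be on the
// approved list (so a self-signed or unapproved vendor key is refused before
// any cryptography runs), and the signature must verify over the payload
// exactly as received. The key used for verification is taken from the
// allow list, not from the package, so a package cannot substitute its own
// key material.
func VerifyBeforeInstall(allow SignerAllowList, pkg UpdatePackage) error {
	approved, ok := allow[fingerprint(pkg.SignerKey)]
	if !ok {
		return ErrUnapprovedSigner
	}
	if !ed25519.Verify(approved, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Outcome records the gate's decision for each constructed scenario.
type Outcome struct {
	Approved   error // signed by the organization's key: expected to pass
	SelfSigned error // valid signature, but from a key not on the allow list
	Tampered   error // approved signer, payload altered after signing
}

// RunScenario builds the three constructed packages and runs each through
// the gate. Keys are generated freshly; nothing here is a real key.
func RunScenario() (Outcome, error) {
	orgPub, orgPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	allow := SignerAllowList{fingerprint(orgPub): orgPub}

	payload := []byte("constructed firewall update image v1.2.3") // constructed sample
	good := UpdatePackage{Name: "fw-update-approved", Payload: payload,
		Signature: ed25519.Sign(orgPriv, payload), SignerKey: orgPub}
	selfSigned := UpdatePackage{Name: "fw-update-selfsigned", Payload: payload,
		Signature: ed25519.Sign(vendorPriv, payload), SignerKey: vendorPub}
	tampered := good
	tampered.Name = "fw-update-tampered"
	tampered.Payload = append(append([]byte(nil), payload...), []byte(" (modified in transit)")...)

	return Outcome{
		Approved:   VerifyBeforeInstall(allow, good),
		SelfSigned: VerifyBeforeInstall(allow, selfSigned),
		Tampered:   VerifyBeforeInstall(allow, tampered),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("approved signer, intact payload :", out.Approved)
	fmt.Println("self-signed package             :", out.SelfSigned)
	fmt.Println("approved signer, tampered bytes :", out.Tampered)
}
```

The allow-list lookup runs before signature verification on purpose: a package from an unapproved key is rejected for the reason the control states (wrong signer), not for a cryptographic failure, which makes the finding easier to read in logs. In a real deployment the allow list would be populated from the organization's approved public keys or certificates, and the payload bytes would be the image exactly as received from the approved patch server.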