UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37116 SRG-NET-000121-FW-000071 SV-48877r1_rule Low
Description
Changes to any software components of the firewall can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Software must be obtained from a trusted patch server not from the vendor. The firewall should not have to verify the software again. Self-signed certificates are disallowed by this control. This control does not mandate DoD certificates for this purpose, however, the certificate used to verify the software must be from an approved source.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45488r1_chk )
Verify applications and updates installed on the firewall are obtained from an organizationally approved centralized patch server.
Verify the firewall is configured to prevent the installation of software updates or applications which are not signed by an organizationally approved private key.

If the firewall implementation does not prevent the installation of organizationally defined critical applications and updates not digitally signed with an organizationally approved private key, this is a finding.
Fix Text (F-42061r1_fix)
Obtain software updates from an approved trusted patch server.
Configure the firewall implementation components to check for digital signature prior to allowing installation of critical software programs.
Allow only organizationally approved digital signatures.