UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must not have unnecessary services and functions enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37119 SRG-NET-000131-FW-000074 SV-48880r1_rule Medium
Description
Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the firewall implementation. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The primary functionality of a firewall is the monitoring of internal and external perimeters of the network, allowing or disallowing access based on content filtering. The firewall application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, or VPN). Services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, ftp server, or web server). Next Generation Firewalls (NGFW) and Unified Threat Management (UTM) firewalls integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. As with hybrid firewall devices, there are operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard. The malware or application layer protection provided in a separate product is often superior to that provided in a combined product. Use of these products should not preclude additional defense-in-depth measures such as placing additional specialized content filtering devices at critical network boundaries such as server farms and DMZs.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45491r1_chk )
Review the firewall configuration to determine if services or functions not required for operation, or not related to firewall functionality (e.g., DNS, email client or server, ftp server, or web server) are enabled.

If unnecessary services and functions are enabled on the firewall, this is a finding.
Fix Text (F-42064r1_fix)
Remove unneeded services and functions from the firewall. Removal is recommended since the service or function may be inadvertently enabled. However, if removal is not possible, disable the service or function.