The firewall implementation must isolate security functions from non-security functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-37214	SRG-NET-000184-FW-000105	SV-48975r1_rule		Low

Description
The firewall implementation must be designed and configured to isolate security functions from non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide separation between processes having different security levels. These processes are used by the hardware, software, and firmware of the firewall to perform various functions. The firewall application must maintain a separate execution domain (e.g., address space) for each executing process to minimize the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, there may be settings in some firewall applications that must be configured to optimize function isolation. For most network devices, this function is a product of system design. Verification of this function requires access to the internal programmer's documentation of the firewall manufacturer.

Description

The firewall implementation must be designed and configured to isolate security functions from non-security functions. An isolation boundary is implemented via partitions and domains. This boundary must provide separation between processes having different security levels. These processes are used by the hardware, software, and firmware of the firewall to perform various functions. The firewall application must maintain a separate execution domain (e.g., address space) for each executing process to minimize the risk of leakage or corruption of privileged information. This control is normally a function of the firewall application design and is usually not a configurable setting; however, there may be settings in some firewall applications that must be configured to optimize function isolation. For most network devices, this function is a product of system design. Verification of this function requires access to the internal programmer's documentation of the firewall manufacturer.

STIG	Date
Firewall Security Requirements Guide	2013-04-24

Details

Check Text ( C-45524r2_chk )
Verify the application is designed to separate security functions from non-security functions (i.e., separate address space) for executing processes. Verify settings needed to enable or optimize this security feature are enabled and configured. If the system is not designed to isolate security functions from non-security functions, this is a finding. If settings needed to enable or optimize this security feature are not enabled or configured, this is a finding.

Check Text ( C-45524r2_chk )

Verify the application is designed to separate security functions from non-security functions (i.e., separate address space) for executing processes.
Verify settings needed to enable or optimize this security feature are enabled and configured.

If the system is not designed to isolate security functions from non-security functions, this is a finding.
If settings needed to enable or optimize this security feature are not enabled or configured, this is a finding.

Fix Text (F-42152r2_fix)
Enable settings that isolate security functions from non-security functions.