
The firewall implementation must route organizationally defined internal communications traffic destined for organizationally defined external networks through authenticated application firewalls (application proxy servers) at managed interfaces.


Overview

Finding ID: V-37233
Version: SRG-NET-000203-FW-000119
Rule ID: SV-48994r1_rule
IA Controls: (none listed)
Severity: Medium
Description
This control requires that identified traffic destined for certain external networks be inspected before being allowed through externally facing interfaces. The firewall implementation must support logging individual Transmission Control Protocol (TCP) sessions. It must also support blocking or restricting based on, at a minimum, Uniform Resource Locators (URLs), domain names, IP addresses or IP ranges, and lists of authorized or unauthorized websites.

Not all network traffic or applications are required to be directed to an application firewall or other proxy-type service. With an application firewall or proxy-type service acting as the intermediary, the client does not interact directly with external networks or servers. However, when dedicated application firewalls or proxy-type services are available, routing services on the client or network must be configured to forward traffic to the appropriate server or service before the traffic is allowed through the outbound perimeter firewall or router interfaces.

To comply with this policy, the firewall implementation must include application firewalls or other proxy-type devices with application awareness. These devices allow or disallow traffic based on an examination of traffic content. This type of content filtering is most effective when placed logically close to the internal boundary where the traffic is being generated; thus a distributed firewall implementation architecture which includes a combination of the following content filtering devices or services is often necessary: packet and deep packet inspection firewall; application firewall/gateway; proxy service or proxy server; Web or SSL application firewall/gateway; and Network Address Translation (NAT) server or service.

The firewall implementation must support logging individual TCP sessions and blocking specific URLs, domain names, and IP addresses, and lists of authorized and unauthorized websites.
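The filtering decision the description asks an application proxy to make, shown as an added Python illustration that is not text or code from the SRG or from any vendor product: a policy object holding the four criteria the control names (URLs, domain names, IP addresses or ranges, and an authorized-site list), a decision function that applies them, and a per-TCP-session log record. All policy values, hostnames and addresses are constructed placeholders drawn from the reserved documentation ranges, and the log field layout is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProxyPolicy:
    """Content-filter policy for an outbound application proxy (constructed example)."""
    blocked_url_prefixes: tuple = ()               # URLs
    blocked_domains: frozenset = frozenset()       # domain names; subdomains match
    blocked_networks: tuple = ()                   # IP addresses or ranges, as CIDR strings
    authorized_sites: frozenset = frozenset()      # if non-empty, only these hosts may be reached


def _domain_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def decide(policy: ProxyPolicy, url: str, resolved_ip: str) -> tuple:
    """Return (allow, reason) for one outbound request.

    Deny rules run first, in the order the SRG lists the criteria (URL, domain,
    IP address or range); the authorized-site list is applied last as an allowlist.
    """
    host = (urlparse(url).hostname or "").lower()
    ip = ipaddress.ip_address(resolved_ip)
    for prefix in policy.blocked_url_prefixes:
        if url.startswith(prefix):
            return False, f"blocked URL prefix {prefix}"
    for domain in policy.blocked_domains:
        if _domain_matches(host, domain):
            return False, f"blocked domain {domain}"
    for net in policy.blocked_networks:
        if ip in ipaddress.ip_network(net):
            return False, f"blocked network {net}"
    if policy.authorized_sites and not any(
        _domain_matches(host, site) for site in policy.authorized_sites
    ):
        return False, "host not on authorized list"
    return True, "allowed"


def session_log_line(client: str, url: str, resolved_ip: str, allow: bool, reason: str) -> str:
    """One record per TCP session; the field layout is constructed for this example."""
    action = "ALLOW" if allow else "DENY"
    return f"client={client} dst={resolved_ip} url={url} action={action} reason={reason}"


# Constructed policy using reserved documentation names and addresses (RFC 2606 / RFC 5737).
EXAMPLE_POLICY = ProxyPolicy(
    blocked_url_prefixes=("http://files.example.net/downloads/",),
    blocked_domains=frozenset({"ads.example.org"}),
    blocked_networks=("203.0.113.0/24",),
)

# Allowlist mode: only the authorized sites may be reached, everything else is denied.
ALLOWLIST_POLICY = ProxyPolicy(authorized_sites=frozenset({"example.com"}))


if __name__ == "__main__":
    for url, ip in [
        ("https://www.example.com/", "198.51.100.10"),
        ("http://files.example.net/downloads/tool.exe", "198.51.100.20"),
        ("https://tracker.ads.example.org/pixel", "198.51.100.30"),
        ("https://www.example.com/", "203.0.113.7"),
    ]:
        allow, reason = decide(EXAMPLE_POLICY, url, ip)
        print(session_log_line("10.20.7.31", url, ip, allow, reason))
```

The deny checks are evaluated before the allowlist so that a blocked URL or address on an otherwise authorized host is still refused; the last case in the demo shows a permitted hostname denied because it resolved into a blocked range.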
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45537r1_chk)
Consult the organization's security documentation to obtain a list of organizationally defined, internal communications traffic which must be inspected by the application firewall (or application proxy server).
Verify that an application firewall or other proxy-type server/service is implemented that examines each type of outbound communications traffic that requires inspection.
Examine each external interface to ensure the traffic type is examined for compliance with the configured outbound security policy.

If organizationally defined internal communications traffic destined for organizationally defined external networks is not routed through authenticated application firewalls (or application proxy servers) at the managed interfaces, this is a finding.
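One way to carry out the third check step over a connection-log export from the external interface, as an added Python example that is not part of the SRG: every internal-to-external TCP flow on a port the organization's policy says must be proxied, whose source is not the proxy itself, is reported as a bypass of the application firewall. The policy values, the log line format and all addresses are constructed placeholders (RFC 1918 and RFC 5737 ranges); in practice the networks and traffic types come from the organization's security documentation named in the first step.

```python
import ipaddress
import re

# Constructed egress policy. Networks and the proxy address are placeholders;
# the real values come from the organization's security documentation.
POLICY = {
    "internal_networks": ["10.20.0.0/16"],
    "external_networks": ["0.0.0.0/0"],   # anything not internal counts as external here
    "proxy_address": "10.20.5.10",        # the authenticated application proxy
    "proxied_ports": {80, 443},           # traffic types that must traverse the proxy
}

# Constructed connection-log export from the managed (external) interface.
SAMPLE_LOG = """\
2013-04-24T10:00:01Z iface=outside src=10.20.5.10:40001 dst=203.0.113.45:443 proto=tcp
2013-04-24T10:00:02Z iface=outside src=10.20.7.31:51234 dst=203.0.113.45:443 proto=tcp
2013-04-24T10:00:03Z iface=inside src=10.20.7.31:51235 dst=10.20.9.4:443 proto=tcp
2013-04-24T10:00:04Z iface=outside src=10.20.7.32:51300 dst=198.51.100.7:25 proto=tcp
2013-04-24T10:00:05Z iface=outside src=10.20.7.33:51301 dst=198.51.100.8:80 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_flows(text):
    """Parse log lines into dicts; lines that do not match the assumed layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            flows.append(rec)
    return flows


def _in_any(ip, networks):
    """True when ip falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def audit_flows(flows, policy):
    """Return flows from internal hosts to external networks, on proxied ports,
    whose source is not the proxy: each one reached the interface without inspection."""
    findings = []
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in policy["proxied_ports"]:
            continue
        src_internal = _in_any(f["src"], policy["internal_networks"])
        dst_external = (_in_any(f["dst"], policy["external_networks"])
                        and not _in_any(f["dst"], policy["internal_networks"]))
        if src_internal and dst_external and f["src"] != policy["proxy_address"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_flows(parse_flows(SAMPLE_LOG), POLICY):
        print(f"FINDING {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} bypassed the proxy")
```

In the sample, the flow sourced from the proxy passes, the inside-to-inside flow and the port-25 flow are outside the scope of the policy, and the two direct client connections on 443 and 80 are the findings; any such result means the routing configuration described in the fix text is not in effect for that traffic type.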
Fix Text (F-42172r1_fix)
Configure the firewall implementation to route organizationally defined internal communications traffic destined for organizationally defined external networks through authenticated application firewalls (application proxy servers) at managed interfaces.