The firewall implementation must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.


Overview

Finding ID: V-37325
Version: SRG-NET-000279-FW-000155
Rule ID: SV-49086r1_rule
IA Controls: (none listed)
Severity: Low
Description
Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or to maintain isolation of code and data. Organizations may define specific security-relevant information that requires protection. Examples: firewall ACLs or policy filters, cryptographic key management information, key configuration parameters for security services, and access control lists.

Secure, non-operable system states are states in which the firewall is not performing mission- or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, or shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically, and perhaps maliciously, overwritten or changed without going through a formal system change process that can document the changes.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text ( C-45573r1_chk )
Verify that, when the firewall is off-line, the configuration files, log files, account information, and other security information are not accessible without proper authentication.

If the system does not prevent access when the system is in a state where the security policy and auditing cannot be enforced, this is a finding.

Fix Text (F-42250r1_fix)
Configure the firewall implementation to prevent administrator access when the audit and privilege policies cannot be enforced.