Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-37339 | SRG-NET-999999-FW-000169 | SV-49100r1_rule | | Medium |
Description |
---|
Allowing traffic through the firewall without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation. |
STIG | Date |
---|---|
Firewall Security Requirements Guide | 2013-04-24 |
Check Text (C-45587r1_chk) |
---|
Review the firewall configuration and verify both outbound and inbound traffic is inspected for the following: |
Protocol conformance, malformed packets, message length, and domain name integrity. |
Query ID and port randomization for DNS query traffic must be enabled. |
If the firewall implementation does not inspect inbound and outbound DNS traffic for protocol conformance, this is a finding. |
Fix Text (F-42264r1_fix) |
---|
Configure the firewall implementation with a DNS proxy. |
If the firewall implementation does not have proxy capability, configure the firewall to meet the minimum content, protocol, and flow control inspection as follows: |
Inspect for protocol conformance, malformed packets, message length, and domain name integrity. |
Enable query ID and port randomization for DNS query traffic. |