Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The firewall implementation must inspect inbound and outbound DNS traffic for harmful content and protocol conformance.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-37339 | SRG-NET-999999-FW-000169 | SV-49100r1_rule | Medium |
| Description |
|---|
| Allowing traffic through the firewall without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2013-04-24 |
Details
| Check Text ( C-45587r1_chk ) |
|---|
| Review the firewall configuration and verify both outbound and inbound traffic is inspected for the following: - Protocol conformance, malformed packets, message length, and domain name integrity. - Query ID and port randomization for DNS query traffic must be enabled. If the firewall implementation does not inspect inbound and outbound DNS traffic for protocol conformance, this is a finding. |
| Fix Text (F-42264r1_fix) |
|---|
| Configure the firewall implementation with a DNS proxy. If the firewall implementation does not have proxy capability, configure the firewall to meet the minimum content, protocol, and flow control inspection as follows: - Inspect for protocol conformance, malformed packets, message length, and domain name integrity. - Enable query ID and port randomization for DNS query traffic. |