UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must inspect inbound and outbound HTTP traffic for harmful content and protocol conformance.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37342 SRG-NET-999999-FW-000172 SV-49103r1_rule Medium
Description
Allowing traffic through the firewall without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation. An application firewall (also called a proxy or gateway) must be included in the firewall implementation. HTTP traffic must be inspected for harmful or malformed traffic. Additionally, HTTP traffic must be inspected for protocol conformance.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45590r1_chk )
Review the firewall configuration for both inbound and outbound traffic for both harmful content and protocol conformance.
Verify inspection of HTTP traffic destined for servers residing in the enclave.
Verify inspection of HTTP traffic from clients and servers in the enclave to servers outside the enclave.
Verify the firewall is configured to filter Java applets and ActiveX objects to meet the enclave security policy.
Review the security policy with the Information Assurance Officer and look for Java and ActiveX filters if the security policy requires restrictions.

If the firewall implementation does not inspect inbound and outbound HTTP traffic for protocol conformance, this is a finding.
Fix Text (F-42267r1_fix)
Configure the firewall implementation to inspect inbound and outbound HTTP traffic for both harmful content and protocol conformance.