UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Firewall Security Requirements Guide


Overview

Date Finding Count (72)
2014-07-07 CAT I (High): 0 CAT II (Med): 72 CAT III (Low): 0
STIG Description
Firewall Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
SRG-NET-000019-FW-000194 Medium The firewall implementation must drop all inbound IPv6 packets containing undefined header extensions/protocol values.
SRG-NET-000019-FW-000195 Medium The firewall implementation must drop fragmented IPv6 packets when any fragment overlaps another.
SRG-NET-000019-FW-000196 Medium The firewall implementation must drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.
SRG-NET-000019-FW-000197 Medium The firewall implementation must block IPv6 6to4 addresses at the enclave perimeter for inbound and outbound traffic.
SRG-NET-000018-FW-000249 Medium The firewall implementation must restrict the acceptance of any IP packets from the unspecified address (::/128).
SRG-NET-000018-FW-000248 Medium The firewall implementation must block any packet with a source or destination of the IPv6 local host loopback address (::1/128).
SRG-NET-000019-FW-000192 Medium The firewall implementation must drop all inbound IPv6 packets for which the layer 4 protocol and ports (undetermined transport) cannot be located.
SRG-NET-000019-FW-000193 Medium The firewall implementation must drop all inbound IPv6 packets with a Type 0 Routing header.
SRG-NET-000019-FW-000253 Medium The firewall implementation must block IPv6 well-known multicast addresses on the ingress and egress inbound filters, (FF00::/8).
SRG-NET-000019-FW-000252 Medium The firewall implementation must block IPv6 6bone address space on the ingress and egress filters (3FEE::/16).
SRG-NET-000019-FW-000251 Medium The firewall implementation must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.
SRG-NET-000019-FW-000250 Medium The firewall implementation must drop all inbound IPv6 packets with a Type 1 or Types 3 through 255 Routing Header.
SRG-NET-000019-FW-000198 Medium The firewall implementation must block IPv6 Site Local Unicast addresses (FEC0::/10) at the enclave perimeter by the ingress and egress filters.
SRG-NET-000019-FW-000199 Medium The firewall implementation must block IPv6 Jumbo Payload hop-by-hop header.
SRG-NET-000019-FW-000255 Medium The firewall implementation must protect against Inbound IP packets using RFC5735, RFC6598, and other network address space allocated by IANA but not assigned by the regional internet registries for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device.
SRG-NET-000019-FW-000254 Medium The firewall implementation must block IPv6 Unique Local Unicast addresses on the ingress and egress filters, (FC00::/7). Note that this consists of all addresses that begin with FC or FD.
SRG-NET-000402-FW-000247 Medium The firewall implementation must reveal error messages only to the IAO, IAM, and SA.
SRG-NET-000335-FW-000216 Medium The firewall implementation must provide an immediate real time alert to the System Administrator and Information Assurance Officer, at a minimum, of all audit failure events requiring real time alerts.
SRG-NET-000100-FW-000061 Medium The firewall implementation must protect audit logs from unauthorized deletion.
SRG-NET-000192-FW-000234 Medium The firewall implementation must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
SRG-NET-000019-FW-000191 Medium The firewall implementation must suppress router advertisements on all external-facing IPv6-enabled interfaces.
SRG-NET-000512-FW-000222 Medium The firewall implementation must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including NSA configuration guides, Communications Tasking Orders (CTOs), and Directive-Type Memorandums (DTMs).
SRG-NET-000391-FW-000244 Medium The firewall implementation must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
SRG-NET-000132-FW-000075 Medium The firewall implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SRG-NET-000131-FW-000224 Medium The firewall implementation's auxiliary port (if present) must be disabled unless it is connected to a secured modem providing encryption and authentication.
SRG-NET-000018-FW-000017 Medium The firewall implementation must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
SRG-NET-000131-FW-000223 Medium The firewall implementation must not enable the service or feature that automatically contacts the vendor.
SRG-NET-000018-FW-000168 Medium The firewall implementation must implement NAT to ensure endpoint internal IPv4 addresses are not visible to external untrusted networks.
SRG-NET-000078-FW-000051 Medium The firewall implementation must log records for any match of a firewall rule (traffic either allowed or denied).
SRG-NET-000018-FW-000205 Medium The firewall implementation must block any packet with a source or destination of the IPv4 local host loopback address (127.0.0.0/8).
SRG-NET-000018-FW-000207 Medium The firewall implementation must protect server VLAN(s) by controlling the flow of information originating from one server farm segment destined for another server farm segment.
SRG-NET-000018-FW-000206 Medium The firewall implementation must protect server VLAN(s) using a deny-by-default security posture.
SRG-NET-000335-FW-000217 Medium The firewall implementation must make alarm messages identifying a security violation accessible to authorized personnel.
SRG-NET-000075-FW-000048 Medium The firewall implementation must produce log records containing sufficient information to establish when (date and time) the events occurred.
SRG-NET-000102-FW-000220 Medium The firewall implementation must protect audit tools from unauthorized modification.
SRG-NET-000511-FW-000214 Medium The firewall implementation must write log records to centralized, redundant log servers in real time and those records backed up weekly.
SRG-NET-000074-FW-000047 Medium The firewall implementation must produce audit log records that contain sufficient information to establish what type of event occurred.
SRG-NET-000365-FW-000239 Medium The firewall implementation must fail securely in the event of an operational failure.
SRG-NET-000099-FW-000060 Medium The firewall implementation must protect audit log information from unauthorized modification.
SRG-NET-000362-FW-000231 Medium The firewall implementation must drop half-open TCP connections through filtering thresholds or timeout periods.
SRG-NET-000362-FW-000232 Medium The firewall implementation must protect against "Ping of Death" (oversized ICMP echo request) attacks.
SRG-NET-000362-FW-000233 Medium The firewall implementation must protect against or limit the effects of all types of Denial of Service (DoS) attacks directed against the device itself by employing security safeguards.
SRG-NET-000019-FW-000257 Medium The firewall implementation must block, deny, or drop inbound IP packets using an RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) at the perimeter device.
SRG-NET-000019-FW-000208 Medium The firewall implementation must maintain a current configuration that enforces dynamic information flow control based on organization-defined policies.
SRG-NET-000202-FW-000118 Medium The firewall implementation must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SRG-NET-000019-FW-000256 Medium The firewall implementation must block, deny, or drop inbound IPv4 packets using a link-local address space (169.254.0.0/16) at the perimeter device.
SRG-NET-000088-FW-000215 Medium The firewall implementation must automatically generate an alert to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.
SRG-NET-000362-FW-000230 Medium The firewall implementation must protect against TCP SYN floods.
SRG-NET-000131-FW-000074 Medium The firewall implementation must not have unnecessary services and functions enabled.
SRG-NET-000362-FW-000229 Medium The firewall implementation must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing security safeguards.
SRG-NET-000334-FW-000201 Medium The firewall implementation must write log records to centralized, redundant log servers and those records backed up to a different system or media.
SRG-NET-000273-FW-000152 Medium The firewall implementation must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SRG-NET-000088-FW-000055 Medium The firewall implementation must be configured to send an alert to designated personnel in the event of a logging failure.
SRG-NET-000103-FW-000221 Medium The firewall implementation must protect audit tools from unauthorized deletion.
SRG-NET-000193-FW-000235 Medium The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks.
SRG-NET-000098-FW-000059 Medium The firewall implementation must protect audit log information from unauthorized read access.
SRG-NET-000113-FW-000065 Medium The firewall implementation must generate a log record for any traffic to a port, protocol, or service that is denied.
SRG-NET-000015-FW-000015 Medium The firewall implementation must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SRG-NET-000333-FW-000213 Medium The firewall implementation must support centralized management and configuration of the content to be captured in log records.
SRG-NET-000101-FW-000219 Medium The firewall implementation must protect audit tools from unauthorized access.
SRG-NET-000366-FW-000240 Medium The firewall implementation must block both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.
SRG-NET-000364-FW-000237 Medium The firewall implementation must only allow incoming communications from authorized sources routed to authorized destinations.
SRG-NET-000077-FW-000050 Medium The firewall implementation must produce log records containing sufficient information to establish the source of the event.
SRG-NET-000205-FW-000121 Medium The firewall implementation must apply ingress filters entering the network to the external interface in the inbound direction.
SRG-NET-000205-FW-000122 Medium The firewall implementation must apply egress filters leaving the network to the internal interface in the inbound direction.
SRG-NET-000390-FW-000243 Medium The firewall implementation must continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.
SRG-NET-000089-FW-000056 Medium In the event of a logging failure, the firewall implementation must overwrite the oldest log records.
SRG-NET-000199-FW-000238 Medium The firewall implementation must prevent discovery of specific system components or devices composing the enclave protection devices.
SRG-NET-000273-FW-000258 Medium The firewall implementation must block all inbound traceroutes to prevent network discovery by unauthorized users.
SRG-NET-000019-FW-000018 Medium The firewall implementation must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
SRG-NET-000401-FW-000246 Medium The firewall implementation must properly reassemble incoming fragmented packets before configured policies are applied to them or drop fragmented packets.
SRG-NET-000076-FW-000049 Medium The firewall implementation must produce log records containing sufficient information to establish where the events occurred.