| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000199-FW-000238 | SRG-NET-000199-FW-000238 | SRG-NET-000199-FW-000238_rule | | Medium |
| Description |
|---|
| If the devices protecting the enclave can be discovered, they can be probed and attacked. These devices must be protected from discovery and reconnaissance by hostile actors or malware, since information gained from successful reconnaissance can be used to develop attacks against the system. The boundary protection devices, along with the other components of the network, are assigned IP addresses on the management network, which is a separate subnet. Safeguards must be implemented to contain the boundaries between management and production traffic. The subnet(s) assigned to these devices must be segregated from other IP address subnets, and traffic to and from the management network must be restricted. This prevents these devices from being discovered and attacked. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2014-07-07 |
| Check Text (C-SRG-NET-000199-FW-000238_chk) |
|---|
| Review the network diagrams, system documentation, and the configuration of the firewall implementation; verify that the IP addresses assigned to the boundary protection devices (managed interface) are segregated and filtered. The rule set or ACL must prevent discovery of the boundary protection devices (managed interface). If the IP addresses assigned to the boundary protection devices (managed interface) are not segregated and filtered, or it is possible for someone not on the management network to discover the boundary protection devices, this is a finding. |
| Fix Text (F-SRG-NET-000199-FW-000238_fix) |
|---|
| Configure the firewall implementation so that it prevents discovery of the boundary protection devices. |
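The check and fix above come down to one question: does any source outside the management subnet have a permitted path to a boundary device's managed interface? The following is an added example (not part of the SRG or any vendor's tooling) that evaluates a simplified first-match ACL, with constructed addressing, against that question, comparing a weak any-to-any rule set with a hardened one that isolates the management subnet.

```python
"""Audit a first-match ACL for exposure of the managed interface.
Added example; addresses and rule format are constructed assumptions."""
import ipaddress

# Constructed sample addressing (assumptions, not from the SRG text).
MGMT_SUBNET = ipaddress.ip_network("10.99.0.0/24")    # management network
FIREWALL_MGMT_IF = "10.99.0.1"                        # firewall managed interface
PROD_SUBNET = ipaddress.ip_network("10.20.0.0/16")    # production/user subnet

# Rules are (action, source_net, dest_net); first match wins, implicit deny at the end.
WEAK_RULES = [
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),  # any-to-any: managed interface reachable from anywhere
]
HARDENED_RULES = [
    ("permit", str(MGMT_SUBNET), str(MGMT_SUBNET)),  # admins on the mgmt net may reach devices
    ("deny",   "0.0.0.0/0",      str(MGMT_SUBNET)),  # everyone else is dropped (no discovery)
    ("permit", str(PROD_SUBNET), "0.0.0.0/0"),       # production traffic still flows outbound
]

# Constructed test flows: an admin host, a production host and an external host,
# each aimed at the firewall's managed interface.
TEST_FLOWS = [
    ("10.99.0.50", FIREWALL_MGMT_IF),
    ("10.20.5.7", FIREWALL_MGMT_IF),
    ("203.0.113.9", FIREWALL_MGMT_IF),
]


def evaluate(rules, src, dst):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src_ip in ipaddress.ip_network(s_net) and dst_ip in ipaddress.ip_network(d_net):
            return action
    return "deny"


def check_rules(rules, flows=TEST_FLOWS):
    """Mirror the STIG check: a finding if any non-management source is permitted
    to reach the managed interface."""
    exposed = [src for src, dst in flows
               if ipaddress.ip_address(src) not in MGMT_SUBNET
               and evaluate(rules, src, dst) == "permit"]
    return {"finding": bool(exposed), "exposed_from": exposed}


if __name__ == "__main__":
    print("weak rule set:    ", check_rules(WEAK_RULES))
    print("hardened rule set:", check_rules(HARDENED_RULES))
```

Real rule sets also need the reverse direction (management network to production) restricted and the ordering checked, since a broad permit placed above the deny would silently reopen the path.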