
The firewall implementation must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Overview

Finding ID: SRG-NET-000202-FW-000118
Version: SRG-NET-000202-FW-000118
Rule ID: SRG-NET-000202-FW-000118_rule
IA Controls: (not listed)
Severity: Medium
Description
Failing to identify and prohibit unauthorized traffic leaves the enclave vulnerable to attack. The initial defense for the internal network is for protection measures to block any traffic at the perimeter that is attempting to make a connection (or otherwise establish a traffic flow) to a host in the internal network. However, threats can also be introduced into the enclave through non-network means, such as compromised computer media, and compromised hosts then attempt to use the internal network to attack both other internal hosts and external networks. Therefore, all expected traffic must be identified by application, endpoints, protocol, and port, and rulesets/ACLs must be configured to allow only that authorized traffic. This requirement applies to network traffic originating either from inside or outside the enclave. The firewall or other device implementing an Access Control List must only allow through traffic that is explicitly permitted. Only those connections (or traffic flows) which are essential and approved must be allowed. All other inbound and outbound traffic must be denied by default.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000202-FW-000118_chk)
Review the configuration of the firewall implementation and verify that it is explicitly configured to allow essential and approved traffic flows and all other traffic is denied by default. A statement at the end of the rule set or ACL that denies all traffic from all sources to all destinations (such as “deny ip any any log”) must be present. If it is not configured in a deny-by-default posture for all inbound and outbound traffic, this is a finding.
Fix Text (F-SRG-NET-000202-FW-000118_fix)
Configure the inbound and outbound firewall interfaces to deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
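A small checker for the Check Text and Fix Text above, written here as an added example and not part of the SRG: it parses a constructed Cisco-style extended ACL, verifies that the final rule is an explicit deny-all, and also flags permit-all rules and rules shadowed by an earlier deny-all (which the check does not require but a reviewer would want). The ACL syntax, sample addresses, and function names are assumptions.

```python
"""Verify that a firewall ACL is deny-by-default (ends in an explicit deny-all)."""
import re

# Constructed sample rule sets in an assumed Cisco-style extended ACL syntax.
COMPLIANT_ACL = """
permit tcp host 10.1.1.5 host 192.0.2.10 eq 443
permit udp 10.1.0.0 0.0.255.255 host 192.0.2.53 eq 53
deny ip any any log
"""

NONCOMPLIANT_ACL = """
permit tcp host 10.1.1.5 host 192.0.2.10 eq 443
permit ip any any
"""

# action, protocol, the source/destination/port match text, optional trailing "log"
RULE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.+?)(\s+log)?$")


def parse_rules(acl_text):
    """Turn ACL text into a list of rule dicts, skipping blanks and comments."""
    rules = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("!", "#")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        action, proto, rest, log = m.groups()
        rules.append({"action": action, "proto": proto, "match": rest.split(), "log": bool(log)})
    return rules


def is_any_any(rule):
    """True for a rule that matches every flow: protocol ip, source any, destination any."""
    return rule["proto"] == "ip" and rule["match"] == ["any", "any"]


def check_deny_by_default(acl_text):
    """Return a list of finding strings; an empty list means deny-by-default holds."""
    rules = parse_rules(acl_text)
    if not rules:
        return ["empty ruleset: no explicit deny-all present"]
    findings = []
    last = rules[-1]
    if not (last["action"] == "deny" and is_any_any(last)):
        findings.append("ruleset does not end with 'deny ip any any'")
    for i, r in enumerate(rules, start=1):
        if r["action"] == "permit" and is_any_any(r):
            findings.append(f"rule {i} permits all traffic ('permit ip any any')")
        elif r["action"] == "deny" and is_any_any(r) and i < len(rules):
            findings.append(f"rule {i} is a deny-all; {len(rules) - i} later rule(s) are unreachable")
    return findings
```

The "log" keyword on the final deny is recorded but not treated as a finding, since the Check Text gives it only as an example of an acceptable statement.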