
The firewall implementation must block both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.


Overview

Finding ID: SRG-NET-000366-FW-000240
Version: SRG-NET-000366-FW-000240
Rule ID: SRG-NET-000366-FW-000240_rule
IA Controls:
Severity: Medium
Description
Various communication services such as public VoIP and Instant Messaging services route messages over their own networks and store them on their own servers; therefore, that traffic can be accessed at any time by the provider and potentially intercepted. These applications may also contain vulnerabilities and can be used as an attack vector against DoD Information Systems. Communication clients independently configured by end users and external service providers include, for example, instant messaging clients. They can be configured by third parties or users without the authorization, or even the knowledge, of security personnel.

Public hosting places the data on servers and networks that are beyond the control of the DoD. This design provides a much broader base of users; however, the data is more vulnerable to attacks. Public hosting architectures must not be deployed within the DoD.

Some of these applications use the Peer-to-Peer (P2P) model. There are two types of P2P networks, pure and hybrid. Pure P2P networks operate with peers acting as equals and merge the roles of client and server. Pure P2P has no central server managing the network, while hybrid P2P has a central server that keeps information on peers and responds to requests for that information. Peers are responsible for hosting available resources, for letting the central server know what resources they want to share, and for making their shareable resources available to peers that request them. Examples of these applications are P2PChat and Bit Torrent Chat. Pure and hybrid P2P instant messaging architectures are prohibited, since they bypass the security policies within the enclave.

This does not apply to authorized communication clients that are configured by organizations to perform authorized functions. Those applications must be authorized, secured in accordance with all applicable security guidance, and their ports, protocols, and endpoints identified.
The firewall or other device implementing an Access Control List must deny both inbound and outbound communications traffic of unauthorized communications clients.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000366-FW-000240_chk)
Review the system documentation and the configuration of the firewall implementation; if either inbound or outbound traffic is allowed for any unauthorized communication clients that are independently configured by end users and external service providers, this is a finding.
Fix Text (F-SRG-NET-000366-FW-000240_fix)
Configure the firewall implementation to block both inbound and outbound communications traffic between unauthorized communication clients that are independently configured by end users and external service providers.
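As an added example, not part of the STIG or of the viewer page: a small Python model of a first-match firewall ACL in which the check text becomes a function that reports a finding whenever an unauthorized client's traffic is allowed in either direction (by explicit rule or by the default policy), and the fix text becomes the explicit deny rules for both directions. The client names, ports and rules are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    action: str     # "allow" or "deny"

# Constructed inventory of unauthorized communication clients and the service
# endpoints they use; names and ports are placeholders, not any real product's.
UNAUTHORIZED_CLIENTS = {
    "unauthorized-im-client": (("tcp", 40001),),
    "unauthorized-p2p-chat": (("udp", 40002), ("tcp", 40003)),
}

def first_match(rules, direction, proto, port, default):
    """First-match ACL evaluation; the default policy applies if no rule matches."""
    for r in rules:
        if (r.direction, r.proto, r.port) == (direction, proto, port):
            return r.action
    return default

def check_stig(rules, clients, default="deny"):
    """The check text as code: one finding for every unauthorized client whose
    traffic is allowed in EITHER direction, by explicit rule or by default policy."""
    findings = []
    for name, endpoints in clients.items():
        for proto, port in endpoints:
            for direction in ("inbound", "outbound"):
                if first_match(rules, direction, proto, port, default) == "allow":
                    findings.append(f"{name}: {direction} {proto}/{port} allowed")
    return findings

def fix_rules(clients):
    """The fix text as code: explicit deny in both directions for each client.
    Under first-match these must be placed ahead of any broader allow rules."""
    return [Rule(d, proto, port, "deny") for endpoints in clients.values()
            for proto, port in endpoints for d in ("inbound", "outbound")]

# Constructed ruleset: an end user opened outbound traffic for two clients.
NONCOMPLIANT_RULES = [
    Rule("inbound", "tcp", 40001, "deny"),
    Rule("outbound", "tcp", 40001, "allow"),
    Rule("outbound", "udp", 40002, "allow"),
]

if __name__ == "__main__":
    print(check_stig(NONCOMPLIANT_RULES, UNAUTHORIZED_CLIENTS, default="allow"))
    print(check_stig(fix_rules(UNAUTHORIZED_CLIENTS) + NONCOMPLIANT_RULES, UNAUTHORIZED_CLIENTS))
```

Because the evaluation is first-match, appending the deny rules after an existing allow leaves the allow in effect; the fixed ruleset places them first.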