UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000390-FW-000243 SRG-NET-000390-FW-000243 SRG-NET-000390-FW-000243_rule Medium
Description
Failing to continuously monitor the network leaves the network vulnerable to attack. The Enclave firewall rules and Access Control Lists should be based on authorized applications being used within the Enclave; all non-required ports and services will be blocked by the most restrictive rules possible. This applies to both Wide Area Network (WAN) to Local Area Network (LAN) interfaces and the LAN to LAN interfaces between different security domains/sub-enclaves. The device must be placed at these boundaries and configured to monitor and to only allow specifically authorized traffic. All other traffic is unauthorized and unusual and therefore prohibited. Although only authorized traffic is permitted by source and destination IP address pair and protocol/port, ACLs and simple firewalls that cannot perform deep packet inspection can be “fooled” by malicious traffic masquerading as legitimate traffic. The ports used by this traffic can be normally used by other applications; this makes identifying this traffic beyond the capabilities of a simple ACL or even stateful firewall. If authorized traffic exhibits unusual traffic volumes, it indicates possible traffic masquerading. Therefore, unusual volumes of traffic must be logged and a notification sent to authorized personnel. This can be accomplished by configuring rate limiters to generate log messages when a threshold is met or exceeded or by using capabilities that monitor and export flow information to a centralized collector or console (e.g. Netflow, j-flow, etc.).
STIG Date
Firewall Security Requirements Guide 2014-07-07

Details

Check Text ( C-SRG-NET-000390-FW-000243_chk )
Review the configuration of the firewall implementation. If the device is not configured to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions, this is a finding. If the device is not continuously operational or highly available (redundancy is provided), this is a finding.
Fix Text (F-SRG-NET-000390-FW-000243_fix)
Configure the firewall implementation to monitor inbound communications traffic for unusual or unauthorized activities or conditions. Implement the device as part of a highly available architecture.