The firewall implementation must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000391-FW-000244	SRG-NET-000391-FW-000244	SRG-NET-000391-FW-000244_rule		Medium

Description
Failing to continuously monitor the network leaves the network vulnerable to attack. The Enclave firewall rules and Access Control Lists should be based on authorized applications being used within the Enclave; all non-required ports and services will be blocked by the most restrictive rules possible. This applies to both Wide Area Network (WAN) to Local Area Network (LAN) interfaces and the LAN to LAN interfaces between different security domains/sub-enclaves. The device must be placed at these boundaries and configured to monitor and to only allow specifically authorized traffic. All other traffic is unauthorized and unusual, and therefore prohibited. Although only authorized traffic is permitted by source and destination IP address pair and protocol/port, ACLs and simple firewalls that cannot perform deep packet inspection can be “fooled” by malicious traffic masquerading as legitimate traffic. The ports used by this traffic can be normally used by other applications; this makes identifying this traffic beyond the capabilities of a simple ACL or even stateful firewall. If authorized traffic exhibits unusual traffic volumes, it indicates possible traffic masquerading. Therefore, unusual volumes of traffic must be logged and a notification sent to authorized personnel. This can be accomplished by configuring rate limiters to generate log messages when a threshold is met or exceeded or by using capabilities that monitor and export flow information to a centralized collector or console (e.g. Netflow, j-flow, etc.).

Description

Failing to continuously monitor the network leaves the network vulnerable to attack. The Enclave firewall rules and Access Control Lists should be based on authorized applications being used within the Enclave; all non-required ports and services will be blocked by the most restrictive rules possible. This applies to both Wide Area Network (WAN) to Local Area Network (LAN) interfaces and the LAN to LAN interfaces between different security domains/sub-enclaves. The device must be placed at these boundaries and configured to monitor and to only allow specifically authorized traffic. All other traffic is unauthorized and unusual, and therefore prohibited. Although only authorized traffic is permitted by source and destination IP address pair and protocol/port, ACLs and simple firewalls that cannot perform deep packet inspection can be “fooled” by malicious traffic masquerading as legitimate traffic. The ports used by this traffic can be normally used by other applications; this makes identifying this traffic beyond the capabilities of a simple ACL or even stateful firewall. If authorized traffic exhibits unusual traffic volumes, it indicates possible traffic masquerading. Therefore, unusual volumes of traffic must be logged and a notification sent to authorized personnel. This can be accomplished by configuring rate limiters to generate log messages when a threshold is met or exceeded or by using capabilities that monitor and export flow information to a centralized collector or console (e.g. Netflow, j-flow, etc.).

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000391-FW-000244_chk )
Review the configuration of the firewall implementation. If the device is not configured to continuously monitor outbound communications traffic for unusual or unauthorized activities or conditions, this is a finding. If the device is not continuously operational or highly available (redundancy is provided), this is a finding.

Fix Text (F-SRG-NET-000391-FW-000244_fix)
Configure the firewall implementation to monitor outbound communications traffic for unusual or unauthorized activities or conditions. Implement the device as part of a highly available architecture.