The firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services on the network segment in accordance as defined in the Ports, Protocols, and Services Management (PPSM) CAL and vulnerability assessments.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-79417	SRG-NET-000132-FW-000026	SV-94123r1_rule		Medium

Description
Some ports, protocols, or services have well-known exploits or security weaknesses that can be leveraged in an attack against the enclave and put it at immediate risk. These ports, protocols, and services must be prohibited or restricted in the packet or stateful filtering firewall configuration in accordance with DoD policy. Policy filters restrict traffic destined to the enclave perimeter as defined in the PPSM CAL and vulnerability assessments.

Description

Some ports, protocols, or services have well-known exploits or security weaknesses that can be leveraged in an attack against the enclave and put it at immediate risk. These ports, protocols, and services must be prohibited or restricted in the packet or stateful filtering firewall configuration in accordance with DoD policy. Policy filters restrict traffic destined to the enclave perimeter as defined in the PPSM CAL and vulnerability assessments.

STIG	Date
Firewall Security Requirements Guide	2018-03-21

Details

Check Text ( C-79031r1_chk )
Verify the firewall is configured to disable or restrict the use of functions, ports, protocols, and/or services on the network segment that are not allowed by the PPSM CAL and vulnerability assessments. Verify all applications used in the enclave are registered in the PPSM database. Review the vulnerability assessment for each port, protocol, and service allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report for that port, protocol, and service. Compare enabled functions, ports, and services with the PPSM requirements. If prohibited functions, ports, protocols, and services are enabled, this is a finding.

Check Text ( C-79031r1_chk )

Verify the firewall is configured to disable or restrict the use of functions, ports, protocols, and/or services on the network segment that are not allowed by the PPSM CAL and vulnerability assessments.

Verify all applications used in the enclave are registered in the PPSM database.

Review the vulnerability assessment for each port, protocol, and service allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report for that port, protocol, and service.

Compare enabled functions, ports, and services with the PPSM requirements.

If prohibited functions, ports, protocols, and services are enabled, this is a finding.

Fix Text (F-86189r1_fix)
SCAs must review the vulnerability assessment for each port, protocol, and service allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report. Register only ports, protocols, and functions allowed into the enclave in the PPSM database. The enclave owner must register the applications used in the PPSM database. Consult the packet/stateful firewall knowledge base and configuration guides to determine the commands for disabling each port, protocol, service, or function that is not in compliance.

Fix Text (F-86189r1_fix)

SCAs must review the vulnerability assessment for each port, protocol, and service allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report. Register only ports, protocols, and functions allowed into the enclave in the PPSM database. The enclave owner must register the applications used in the PPSM database.

Consult the packet/stateful firewall knowledge base and configuration guides to determine the commands for disabling each port, protocol, service, or function that is not in compliance.