UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).


Overview

Finding ID Version Rule ID IA Controls Severity
V-206694 SRG-NET-000202-FW-000039 SV-206694r604133_rule High
Description
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA).
STIG Date
Firewall Security Requirements Guide 2022-09-12

Details

Check Text ( C-6951r297861_chk )
Determine the default security policies on the firewall for traffic from one zone to another zone (inter-zone).

The default policy must be a "Deny" policy that blocks all inter-zone traffic by default. Ensure no policy that circumvents the default "Deny" inter-zone policy is allowed. Traffic through the firewall is filtered so that only the specific traffic that is approved and registered in the PPSM CAL and VAs for the enclave. Verify rules or access control statements containing "any" for either the host, destination, protocol, or port are not used.

If the firewall does not deny all network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception), this is a finding.
Fix Text (F-6951r297862_fix)
Configure the firewall with a "Deny" inter-zone policy which, by default, blocks traffic between zones and allows network communications traffic by exception (i.e., deny all, permit by exception) in accordance with PPSM CAL and VAs for the enclave.