Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24975 | WIR-WMS-GD-004 | SV-30812r2_rule | ECSC-1 | High |
Description |
---|
A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required. |
STIG | Date |
---|---|
Good Mobility Suite Server (Android OS) Security Technical Implementation Guide | 2011-12-14 |
Check Text ( C-31229r2_chk ) |
---|
The Good server host-based or appliance firewall must be configured as required. The Good server firewall is configured with the following rules: - Deny all except when explicitly authorized. - Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. - Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service. - Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: -Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). -Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list. -Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall. |
Fix Text (F-27616r2_fix) |
---|
Install the smartphone management server host-based or appliance firewall and configure as required. |