Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-24975 | WIR-WMS-GD-004 | SV-30812r2_rule | ECSC-1 | High |
Description |
---|
A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement. |
STIG | Date |
---|---|
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG) | 2013-05-08 |
Check Text ( C-31229r7_chk ) |
---|
The host server host-based or appliance firewall must be configured as required. The server firewall is configured with the following rules: -Deny all except when explicitly authorized. -Internal traffic from the server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. -Internet traffic from the server is limited to only specified services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the mobile management server and/or service. -Firewall settings listed in the STIG Technology Overview or the vendor's installation manual will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: -Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). -Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the server connects to should be included on this list. - Mark as a finding if the IP addresses configured on the server host-based firewall are not on the list of trusted networks. |
Fix Text (F-27616r2_fix) |
---|
Install the management server host-based or appliance firewall and configure as required. |