The network device must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000018-NDM-000018	SRG-NET-000018-NDM-000018	SRG-NET-000018-NDM-000018_rule		Low

Description
Information flow control regulates where information is allowed to travel. Flow control mechanisms, such as the network device, use security attributes to control and restrict information flow. Security attributes (a type of metadata) are information about one or more pieces of data. This information is bound to the data and may include information about the data's purpose, creator, origin, or classification. This control applies to the flow of information within an individual network device. Internal component communication, such as between the network device, router, and IPS, is not included in this control. The network device must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components, causing corruption or other undesirable conditions. Examples of flow control restrictions include preventing installed applications or functions from accessing security configurations; or preventing unauthorized commands from executing on the network device.

Description

Information flow control regulates where information is allowed to travel. Flow control mechanisms, such as the network device, use security attributes to control and restrict information flow. Security attributes (a type of metadata) are information about one or more pieces of data. This information is bound to the data and may include information about the data's purpose, creator, origin, or classification. This control applies to the flow of information within an individual network device. Internal component communication, such as between the network device, router, and IPS, is not included in this control. The network device must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components, causing corruption or other undesirable conditions. Examples of flow control restrictions include preventing installed applications or functions from accessing security configurations; or preventing unauthorized commands from executing on the network device.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000018-NDM-000018_chk )
Verify the network device enforces approved authorizations for controlling the flow of information within the network in accordance with applicable policy. If the network device does not enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy, this is a finding.

Fix Text (F-SRG-NET-000018-NDM-000018_fix)
Configure the network device to enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.