Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14632 | NET0167 | SV-15257r2_rule | Medium |
Description |
---|
The enclave perimeter requirement for filtering, to include JTF-GNO PPS filtering rules, and monitoring traffic will be enforced for any traffic from the AG. All traffic entering the enclave from the AG must enter through the firewall and be monitored by internal IDS. All traffic leaving the enclave, regardless of the destination--AG or NIPRNet addresses, will be filtered by the premise router's egress filter to verify that the source IP address belongs to the enclave. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Cisco | 2017-12-07 |
Check Text ( C-12648r2_chk ) |
---|
The enclave perimeter requirement for filtering, to include JTF-GNO PPS filtering rules, and monitoring traffic will be enforced for any traffic from the AG. All traffic leaving the enclave, regardless of the destination--AG or NIPRNet addresses, will be filtered by the premise router's egress filter to verify that the source IP address belongs to the enclave. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP). |
Fix Text (F-14094r1_fix) |
---|
Ensure the perimeter is protected from this path. A deny by default policy is enforced at this connection and the site is in compliance with all PPS 13 and 14 boundaries. |