The router must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000201-RTR-000087	SRG-NET-000201-RTR-000087	SRG-NET-000201-RTR-000087_rule		Medium

Description
The enclave's internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of the enclave. The initial defense for the internal network is to block at the perimeter any traffic attempting to make a connection to a host residing on the internal network.

STIG	Date
Router Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000201-RTR-000087_chk )
Inspect the policy filters installed on the router. Verify policy filters exist to monitor for invalid access into the organization's internal networks. Verify an enforcement action is taken to deny all access for direct connection to the internal network from outside the enclave. If a rule preventing direct access to the internal network from a source external to the DoD enclave does not exist, this is a finding.

Check Text ( C-SRG-NET-000201-RTR-000087_chk )

Inspect the policy filters installed on the router.
Verify policy filters exist to monitor for invalid access into the organization's internal networks.
Verify an enforcement action is taken to deny all access for direct connection to the internal network from outside the enclave.

If a rule preventing direct access to the internal network from a source external to the DoD enclave does not exist, this is a finding.

Fix Text (F-SRG-NET-000201-RTR-000087_fix)
Implement policy filters for monitoring and enforcing a denial-by-default posture for traffic from outside the enclave with destination addresses directly to the internal network.