The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

From IBM DataPower ALG Security Technical Implementation Guide

Associated with: CCI-002403

SV-79769r1_rule The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Vulnerability discussion

Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters), ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate.

Check content

Type “Access Control List” in nav search. Verify that Access Control Lists are used for all services. If Access Control lists are not used, this is a finding.

Fix text

Type “Access Control List” in nav search. Create ACL with desired address ranges and gates. Apply this ACL to all Front Side Handlers or Firewalls.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.