A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.

From Network Infrastructure Policy Security Technical Implementation Guide

Part of Deny by default policy is not implemented

Associated with: CCI-002080 CCI-002082 CCI-002398 CCI-002399

SV-12294r5_rule A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.

Vulnerability discussion

To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary.Applications, protocols, TCP/UDP ports, and endpoints (specific hosts or networks) are identified and used to develop rulesets and access control lists to restrict traffic to and from an enclave.

Check content

Determine if a deny-by-default security posture has been implemented for both inbound and outbound traffic on the perimeter router or firewall. If a deny-by-default security posture has not been implemented at the network perimeter, this is a finding.

Fix text

Implement a deny-by-default security posture on either the enclave perimeter router or firewall.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.