The firewall must be configured to use filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.

From Firewall Security Requirements Guide

Part of SRG-NET-000202-FW-000039

Associated with: CCI-001109

SV-94121r1_rule The firewall must be configured to use filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.

Vulnerability discussion

To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary.As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA).

Check content

Determine the default security policies on the firewall for traffic from one zone to another zone (inter-zone). This should be a "Deny" policy that blocks all inter-zone traffic by default. Ensure no policy that circumvents the default "Deny" inter-zone policy is allowed. Traffic through the firewall is filtered so that only the specific traffic that is approved and registered in the PPSM CAL and VAs for the enclave. Verify rules or access control statements containing "any" for either the host, destination, protocol, or port are not used. If the firewall does not deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception), this is a finding.

Fix text

Configure the firewall with a "Deny" inter-zone policy which, by default, blocks traffic between zones and allows network communications traffic by exception (i.e., deny all, permit by exception) in accordance with PPSM CAL and VAs for the enclave. Protocols, TCP/UDP ports, and endpoints (specific hosts or networks) must be identified and used to develop rulesets to restrict traffic to and from an enclave and across protected internal boundaries. Rules or access control statements containing "any" for either the host, destination, protocol, or port are prohibited.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer