The firewall must be configured with Access Control Lists (ACLs) that employ packet header and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies.

From Firewall Security Requirements Guide Requirements

Part of SRG-NET-000019-FW-000003

Associated with: CCI-001414

SRG-NET-000019-FW-000003_rule The firewall must be configured with Access Control Lists (ACLs) that employ packet header and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies.

Vulnerability discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.The firewall that filters traffic outbound to interconnected networks with different security policies must be configured with ACLs that permit, restrict, or block traffic based on organization-defined traffic authorizations. Filtering must include packet header and packet attribute information, such as IP addresses and port numbers.Configure filters to perform certain actions when packets match specified attributes, including the following actions:- Apply a policy- Accept, reject, or discard the packets- Classify the packets based on their source address- Evaluate the next term in the filter- Increment a packet counter- Set the packets’ loss priority- Specify an IPsec SA- Specify the forwarding path- Write an alert or message to the system log

Check content

Verify the firewall is configured to use filters to restrict or block information system services based on best practices, known threats, and guidance in the Ports, Protocols, Services Management (PPSM) database regarding restrictions for boundary crossing for ports, protocols, and services. If the firewall cannot be configured with ACLs that employ packet header and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, this is a finding.

Fix text

Configure filters in the firewall to examine characteristics of incoming and outgoing packets, including but not limited to the following: - Bit fields in the packet header, including IP fragmentation flags, IP options, and TCP flags - IP version 4 (IPv4) numeric range, including destination port, DiffServ code point (DSCP) value, fragment offset, Internet Control Message Protocol (ICMP) code, ICMP packet type, interface group, IP precedence, packet length, protocol, and TCP and UDP source and destination port - IP version 6 (IPv6) numeric range, including CoS priority, destination address, destination port, ICMP code, ICMP packet type, interface group, IP address, next header, packet length, source address, source port, and TCP and UDP source and destination port - Source and destination address and prefix list

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer