The firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services on the network segment in accordance with the guidelines contained in DoD Instruction 8551.1.

From Firewall Security Requirements Guide Requirements

Part of SRG-NET-000132-FW-000026

Associated with: CCI-000382

SRG-NET-000132-FW-000026_rule The firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services on the network segment in accordance with the guidelines contained in DoD Instruction 8551.1.

Vulnerability discussion

Some ports, protocols, or services have well-known exploits or security weaknesses that can be leveraged in an attack against the enclave and put it at immediate risk. These ports, protocols, and services must be prohibited or restricted in the packet/stateful firewall configuration in accordance with DoD policy. Policy filters restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports, protocols, and functions.

Check content

Verify the firewall is configured to disable or restrict the use of functions, ports, protocols, and/or services on the network segment that are not allowed by DoD Instruction 8551.1. Verify all applications used in the enclave are registered in the Ports, Protocols, and Services Management (PPSM) database. Review the vulnerability assessment for each port allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report for that port. If functions, ports, protocols, and services identified on the PPSM are not disabled, this is a finding.

Fix text

SCAs must review the vulnerability assessment for each port allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report. Register only ports, protocols, and functions allowed into the enclave in the PPSM database. The enclave owner must register the applications used in the PPSM database. Consult the packet/stateful firewall knowledge base and configuration guides to determine the commands for disabling each port, protocol, service, or function that is not in compliance.
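One way to automate the check above is to reconcile the firewall's permit rules against the PPSM register. The following is an added example, not part of the SRG or any vendor's tooling; it assumes a simplified iptables-save style rule format and uses a constructed PPSM register and constructed sample rules.

```python
"""Audit packet-filter permit rules against a PPSM-style register of approved
(protocol, port) pairs. Added example; the register and rules are constructed."""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    chain: str
    proto: str
    dport: int
    target: str


# Constructed PPSM register for the enclave: services approved for ingress.
PPSM_REGISTER = {("tcp", 443), ("tcp", 22), ("udp", 53), ("tcp", 8443)}

# Constructed sample of INPUT rules in iptables-save style (not a real export).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
"""

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -p (?P<proto>tcp|udp) .*?--dport (?P<dport>\d+) -j (?P<target>\S+)$"
)


def parse_rules(text):
    """Parse the simplified rule lines; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["chain"], m["proto"], int(m["dport"]), m["target"]))
    return rules


def find_unregistered_permits(rules, register):
    """ACCEPT rules whose (proto, port) is absent from the PPSM register: each is a finding."""
    return [r for r in rules if r.target == "ACCEPT" and (r.proto, r.dport) not in register]


def find_unused_registrations(rules, register):
    """Registered services with no permit rule: not a finding, but worth reconciling."""
    permitted = {(r.proto, r.dport) for r in rules if r.target == "ACCEPT"}
    return sorted(register - permitted)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for r in find_unregistered_permits(parsed, PPSM_REGISTER):
        print(f"FINDING: {r.chain} permits {r.proto}/{r.dport}, not registered in PPSM")
```

Rules with a DROP target are not findings because the service is already restricted; only permits outside the register are reported.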
