The firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

From Firewall Security Requirements Guide Requirements

Associated with: CCI-001109

SRG-NET-000202-FW-000039_rule The firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Vulnerability discussion

A deny-all, permit-by-exception network communications traffic policy ensures that only those connections that are essential and approved are allowed.As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a policy filter is installed to explicitly allow it. The allow policy filters must comply with the site's security policy.

Check content

Determine the default security policies on the firewall for traffic from one zone to another zone (inter-zone). This should be a Deny policy that blocks all inter-zone traffic by default. Ensure no policy that circumvents the default Deny inter-zone policy is allowed. Traffic through the device is permitted by policies developed to allow only the specific traffic that the system or enclave requires. If the firewall does not deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception), this is a finding.

Fix text

Configure the firewall with a Deny inter-zone policy which, by default, blocks traffic between zones and allows network communications traffic by exception (i.e., deny all, permit by exception).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.