The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.

From Firewall Security Technical Implementation Guide - Cisco

Part of Perimeter is not compliant with DOD Instr. 8551.1

SV-5731r1_rule The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.

Vulnerability discussion

Vulnerability assessments must be reviewed by the SA and protocols must be approved by the IA staff before entering the enclave.Access Control Lists (ACLs) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to even reach a potential target within the security domain. The list provided are highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but are stopped by an ACL will allow network administrators to broaden their protective ring and more tightly define the scope of operation.If the perimeter is in a Deny-by-Default posture and what is allowed through the filter is IAW DoD Instruction 8551.1, and if the permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to PPS being blocked would be satisfied.

Check content

Identify the device or devices that make up the perimeter defense. Review the configuration of the premise routers and firewalls and verify that the filters are IAW DoD 8551. SA will review PPS Vulnerability Assessment of every port allowed into the enclave and apply all appropriate mitigations defined in the VA report. All ports and protocols allowed into the enclave must be registered in the PPSM database. Note: It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database.

Fix text

The SA will utilize ingress and egress ACLs to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer