STIGQter: STIG Summary: Firewall Security Requirements Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The firewall must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies (including perimeter firewalls and server VLANs).

DISA Rule

SV-206674r604133_rule

Vulnerability Number

V-206674

Group Title

SRG-NET-000019

Rule Version

SRG-NET-000019-FW-000003

Severity

CAT I

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure filters in the firewall to examine characteristics of incoming and outgoing packets, including but not limited to the following:

- Bit fields in the packet header, including IP fragmentation flags, IP options, and TCP flags

- IP version 4 (IPv4) numeric range, including destination port, DiffServ code point (DSCP) value, fragment offset, Internet Control Message Protocol (ICMP) code, ICMP packet type, interface group, IP precedence, packet length, protocol, and TCP and UDP source and destination port

- IP version 6 (IPv6) numeric range, including class of service (CoS) priority, destination address, destination port, ICMP code, ICMP packet type, interface group, IP address, next header, packet length, source address, source port, and TCP and UDP source and destination port

- Source and destination address and prefix list

Check Contents

Verify the firewall is configured to use filters to restrict or block information system services based on best practices, known threats, and guidance in the Ports, Protocols, Services Management (PPSM) database regarding restrictions for boundary crossing for ports, protocols, and services.

If the firewall cannot be configured with filters that employ packet header and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, this is a finding.

Vulnerability Number

V-206674

Documentable

False

Rule Version

SRG-NET-000019-FW-000003

Severity Override Guidance

Verify the firewall is configured to use filters to restrict or block information system services based on best practices, known threats, and guidance in the Ports, Protocols, Services Management (PPSM) database regarding restrictions for boundary crossing for ports, protocols, and services.

If the firewall cannot be configured with filters that employ packet header and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, this is a finding.

Check Content Reference

M

Target Key

2912

Comments