STIGQter: STIG Summary: Firewall Security Requirements Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

DISA Rule

SV-206694r604133_rule

Vulnerability Number

V-206694

Group Title

SRG-NET-000202

Rule Version

SRG-NET-000202-FW-000039

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the firewall with a "Deny" inter-zone policy which, by default, blocks traffic between zones and allows network communications traffic by exception (i.e., deny all, permit by exception) in accordance with PPSM CAL and VAs for the enclave.

Check Contents

Determine the default security policies on the firewall for traffic from one zone to another zone (inter-zone).

The default policy must be a "Deny" policy that blocks all inter-zone traffic. Ensure no rule circumvents the default "Deny" inter-zone policy. Traffic through the firewall must be filtered so that only the specific traffic that is approved and registered in the PPSM CAL and VAs for the enclave is permitted. Verify that no rule or access control statement uses "any" for the source, destination, protocol, or port.

If the firewall does not deny all network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception), this is a finding.
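The check above is mechanical enough to script. The following Python audit is an added example, not part of the SRG or of STIGQter: it parses a constructed, vendor-neutral rule listing (the "default-policy" / "rule ... from ZONE to ZONE ..." syntax, the zone names, the addresses and the PPSM CAL-style approved-service set are all assumptions made for illustration, not any product's configuration language), then applies each sentence of the check text: the default inter-zone action must be deny, no rule may use "any" for source, destination, protocol or port, a blanket permit that circumvents the default deny is called out, and every permit must map to a registered (protocol, port) pair.

```python
"""Added example: audit an inter-zone firewall policy for "deny all, permit by
exception".  The rule syntax is a constructed, vendor-neutral format used only
for illustration (not a real product's configuration language):

    default-policy <permit|deny>
    rule <name> from <zone> to <zone> <permit|deny> <proto> <src> <dst> <port>

"any" is the wildcard the SRG check text tells the reviewer to look for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # address, CIDR or "any"
    dst: str      # address, CIDR or "any"
    port: str     # port, range or "any"


def parse_policy(text):
    """Return (default_action, [Rule, ...]); raise ValueError on bad input."""
    default, rules = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        if tok[0] == "default-policy" and len(tok) == 2:
            default = tok[1].lower()
        elif (tok[0] == "rule" and len(tok) == 11
              and tok[2] == "from" and tok[4] == "to"):
            rules.append(Rule(tok[1], tok[3], tok[5], tok[6].lower(),
                              tok[7].lower(), tok[8].lower(), tok[9].lower(),
                              tok[10].lower()))
        else:
            raise ValueError(f"unparseable policy line: {raw!r}")
    if default is None:
        raise ValueError("policy has no default-policy statement")
    return default, rules


def audit(default, rules, approved):
    """Apply the SRG check text; return a list of findings (empty list = pass)."""
    findings = []
    if default != "deny":
        findings.append(f'default inter-zone policy is "{default}", must be "deny"')
    for r in rules:
        # Fields where the rule uses the "any" wildcard the check forbids.
        wild = [f for f in ("src", "dst", "proto", "port") if getattr(r, f) == "any"]
        if wild:
            findings.append(f'{r.name}: "any" used for {", ".join(wild)}')
        # A permit with every field wildcarded reopens the zone pair entirely.
        if r.action == "permit" and len(wild) == 4:
            findings.append(f'{r.name}: blanket permit {r.from_zone}->{r.to_zone} '
                            'circumvents the default deny')
        # Every exception must trace to a registered PPSM CAL entry.
        if r.action == "permit" and (r.proto, r.port) not in approved:
            findings.append(f'{r.name}: {r.proto}/{r.port} not registered '
                            'in the PPSM CAL')
    return findings


def audit_text(text, approved):
    """Parse and audit a policy listing in one call."""
    return audit(*parse_policy(text), approved)


# Constructed stand-in for the enclave's PPSM CAL registrations: (proto, port).
APPROVED_SERVICES = {("tcp", "443"), ("tcp", "22"), ("udp", "53")}

# Constructed policy that fails the check in several ways.
NONCOMPLIANT_POLICY = """
default-policy permit                                              # must be deny
rule web-in  from outside to dmz     permit tcp any          203.0.113.10   443
rule dns-out from inside  to outside permit udp 10.0.0.0/8   198.51.100.53  53
rule mgmt    from mgmt    to inside  permit any any          any            any
rule ssh-adm from mgmt    to dmz     permit tcp 10.9.0.5     203.0.113.10   22
rule ftp-leg from inside  to dmz     permit tcp 10.0.1.0/24  203.0.113.20   21
"""

# Constructed policy written the way the Fix Recommendation asks for.
COMPLIANT_POLICY = """
default-policy deny
rule web-in  from outside to dmz     permit tcp 198.51.100.0/24 203.0.113.10  443
rule dns-out from inside  to outside permit udp 10.0.0.0/8      198.51.100.53 53
rule ssh-adm from mgmt    to dmz     permit tcp 10.9.0.5        203.0.113.10  22
"""

if __name__ == "__main__":
    for label, policy in (("noncompliant", NONCOMPLIANT_POLICY),
                          ("compliant", COMPLIANT_POLICY)):
        findings = audit_text(policy, APPROVED_SERVICES)
        print(f"{label}: {'FINDING' if findings else 'pass'}")
        for f in findings:
            print("  -", f)
```

The script applies the check text literally, so a rule like web-in (source "any" from the untrusted zone toward one published service on one registered port) is reported rather than waved through; that is the kind of rule the reviewer has to trace to its PPSM CAL and VA entries for the enclave, not a reason to loosen the check. Only the default action and the exception rules are examined; it does not model implicit intra-zone permits, which the SRG's "inter-zone" wording does not cover.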

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2912

Comments