
The firewall implementation must implement NAT to ensure endpoint internal IPv4 addresses are not visible to external untrusted networks.


Overview

Finding ID: SRG-NET-000018-FW-000168
Version: SRG-NET-000018-FW-000168
Rule ID: SRG-NET-000018-FW-000168_rule
IA Controls: (none listed)
Severity: Medium
Description
An attacker who discovers the real IP addresses of the hosts inside a site's private network can learn a great deal more about that network. Network Address Translation (NAT) pairs naturally with the RFC 1918 private addressing scheme and has the privacy benefit of hiding the real internal addresses behind the translating device's external address. NAT limits the direct connectivity possible between internal hosts and the outside and makes it harder for an outside attacker to map the enclave's internal network. This requirement does not apply to SIPRNet or to enclaves that are part of or connect to SIPRNet.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000018-FW-000168_chk )
For NIPRNet and enclaves that are part of/connect to NIPRNet, review the firewall or premise router configuration to determine if Network Address Translation (NAT) has been implemented. If NAT is not configured, this is a finding.
Fix Text (F-SRG-NET-000018-FW-000168_fix)
Implement Network Address Translation (NAT) on the firewall or premise router for NIPRNet Enclaves. Configure NAT in accordance with vendor documentation/guidance; IP addresses assigned to the internal hosts in the enclave must not be directly accessible from external interfaces.
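The SRG leaves the concrete configuration to vendor guidance, so the following is an added example, not part of the SRG and not DISA-provided code. It assumes a Linux firewall using iptables, with eth0 as the external (NIPRNet-facing) interface, eth1 as the internal interface, and 10.0.0.0/8 as the enclave's RFC 1918 range; all of those names and addresses are illustrative assumptions. It embeds two constructed iptables-save dumps, one compliant and one non-compliant, and implements the check text as a script: nat_check looks for a source-NAT rule (MASQUERADE or SNAT) in the nat table's POSTROUTING chain for the external interface, and exposure_check looks for FORWARD rules that accept unsolicited inbound traffic from the external interface, which is the "not directly accessible" half of the fix text that NAT alone does not enforce.

```shell
#!/bin/sh
# Added example for SRG-NET-000018-FW-000168: audit an iptables-save dump for
# source NAT on the external interface and for FORWARD rules that would expose
# internal hosts. Interface names and address ranges below are assumptions.

# Constructed compliant ruleset: RFC 1918 hosts are masqueraded behind eth0 and
# only reply traffic is forwarded back in from eth0.
COMPLIANT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed non-compliant ruleset: no nat table at all, and an unconditional
# inbound FORWARD rule that lets external hosts reach internal addresses.
NONCOMPLIANT_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# nat_check DUMP EXT_IF
# Returns 0 when the nat table's POSTROUTING chain has a MASQUERADE or SNAT
# rule whose output interface is EXT_IF, 1 otherwise (a finding).
nat_check() {
  dump=$1; ext_if=$2
  if printf '%s\n' "$dump" | awk -v ifc="$ext_if" '
      /^\*/ { table = substr($0, 2) }            # track the current table
      table == "nat" && $1 == "-A" && $2 == "POSTROUTING" \
        && $0 ~ ("-o " ifc " ") && $0 ~ /-j (MASQUERADE|SNAT)/ { found = 1 }
      END { if (found) exit 0; exit 1 }'; then
    echo "nat_check: source NAT present on $ext_if: not a finding"
    return 0
  fi
  echo "nat_check: no source NAT on $ext_if: FINDING"
  return 1
}

# exposure_check DUMP EXT_IF
# Returns 0 when no FORWARD rule accepts traffic entering on EXT_IF without a
# connection-state match, 1 otherwise (internal hosts directly reachable).
exposure_check() {
  dump=$1; ext_if=$2
  if printf '%s\n' "$dump" | awk -v ifc="$ext_if" '
      /^\*/ { table = substr($0, 2) }
      table == "filter" && $1 == "-A" && $2 == "FORWARD" \
        && $0 ~ ("-i " ifc " ") && $0 !~ /--ctstate/ && $0 ~ /-j ACCEPT/ { bad = 1 }
      END { if (bad) exit 1; exit 0 }'; then
    echo "exposure_check: no unsolicited inbound forwarding from $ext_if"
    return 0
  fi
  echo "exposure_check: unconditional inbound FORWARD accept from $ext_if: FINDING"
  return 1
}

# Demonstration against the two constructed dumps. On a live firewall replace
# the variable with: iptables-save (run as root).
echo "== compliant ruleset =="
nat_check "$COMPLIANT_DUMP" eth0 || :
exposure_check "$COMPLIANT_DUMP" eth0 || :
echo "== non-compliant ruleset =="
nat_check "$NONCOMPLIANT_DUMP" eth0 || :
exposure_check "$NONCOMPLIANT_DUMP" eth0 || :
```

Both checks are deliberately coarse: exposure_check only treats the absence of a --ctstate match as suspicious, so a rule that explicitly accepts NEW connections from the external interface would still need a manual look, and neither check inspects DNAT/port-forward rules in PREROUTING, which also need to be justified during the review.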