
The firewall implementation must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.


Overview

Finding ID: SRG-NET-000019-FW-000018
Version: SRG-NET-000019-FW-000018
Rule ID: SRG-NET-000019-FW-000018_rule
IA Controls: (none listed)
Severity: Medium
Description
Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. Therefore, controlling the flow of network traffic between networks of different security domains employing differing security postures is necessary. An enclave is a computing environment under the control of a single authority with personnel and physical security measures. The Enclave firewall rules should be based on applications being used within the internal Enclave; all non-required ports and services will be blocked by the most restrictive rules possible, and what is allowed through the firewall will be configured IAW DoD Instruction 8551.1. Perimeter filtering rules can be applied to any internal firewall device or router and should be implemented to the fullest extent possible. This is necessary in order to minimize internal threats and protect the enclave. The enclave perimeter requirement for filtering will include USCYBERCOM and Ports, Protocols, and Services (PPS) Vulnerability Assessment (VA) filtering guidelines.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000018_chk )
Verify access to information and system resources is restricted based on a properly configured Access Control List or rule set.

If the firewall implementation is not configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies, this is a finding.
Fix Text (F-SRG-NET-000019-FW-000018_fix)
Configure the firewall implementation to enforce logical access to information and system resources in accordance with the access control policies.
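The check and fix above amount to one review: the rule set must end in an explicit deny-all, must not carry a catch-all permit, and must only open the ports and protocols the organization's PPS policy approves. The following is an added worked example, not part of the STIG record, that audits a small constructed rule set for exactly those conditions. The Rule format, the approved-service table and the sample rules are assumptions made for this illustration; a real review would feed it the exported rules of the firewall in scope.

```python
"""Added example (not part of the STIG record): audit a firewall rule set
for an explicit final deny, catch-all permits, and non-approved services.
The rule representation, approved-service table and sample rules below are
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    """One rule in first-match order; 'any' is a wildcard for any field."""
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # port number as a string, or "any"


DENY_ALL = Rule("deny", "any", "any", "any", "any")


def audit_ruleset(rules: List[Rule], approved: Dict[str, Set[str]]) -> List[str]:
    """Return a list of findings; an empty list means the rule set passes.

    approved maps a protocol ("tcp"/"udp") to the port numbers the
    organization's information flow control (PPS) policy allows here.
    """
    findings: List[str] = []

    # Least privilege requires that anything not explicitly allowed is denied.
    if not rules or rules[-1] != DENY_ALL:
        findings.append("rule set does not end with an explicit deny-all rule")

    for i, r in enumerate(rules):
        # Rules placed after a deny-all can never match and hide intent.
        if i > 0 and rules[i - 1] == DENY_ALL:
            findings.append(f"rule {i}: unreachable, placed after a deny-all rule")
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append(f"rule {i}: permits any source to any destination on any port")
            continue
        if r.proto == "any" or r.port == "any":
            findings.append(f"rule {i}: opens all ports/protocols to {r.dst}; restrict to approved services")
            continue
        if r.port not in approved.get(r.proto, set()):
            findings.append(f"rule {i}: {r.proto}/{r.port} is not an approved service")
    return findings


# Constructed approved-service table (assumption, not from the STIG).
APPROVED = {"tcp": {"22", "443"}, "udp": {"53"}}

# Constructed rule set as a reviewer might find it: a catch-all permit,
# a non-approved service, and no closing deny-all.
WEAK_RULES = [
    Rule("allow", "any", "10.0.0.0/24", "tcp", "443"),
    Rule("allow", "any", "any", "any", "any"),          # catch-all permit
    Rule("allow", "any", "10.0.0.5/32", "tcp", "23"),   # telnet, not approved
]

# The same intent expressed as the fix text requires: only approved
# services, scoped sources, and an explicit deny-all at the end.
HARDENED_RULES = [
    Rule("allow", "any", "10.0.0.0/24", "tcp", "443"),
    Rule("allow", "10.0.1.0/24", "10.0.0.5/32", "tcp", "22"),
    Rule("allow", "10.0.0.0/24", "any", "udp", "53"),
    DENY_ALL,
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_ruleset(rules, APPROVED)
        print(f"{name}: {'PASS' if not result else 'FINDING'}")
        for line in result:
            print("  -", line)
```

Run against the constructed rule sets, the weak set produces three findings (no closing deny-all, the catch-all permit, and telnet as a non-approved service) and the hardened set produces none, which is the outcome the check text expects before the requirement can be marked not a finding.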