
The firewall implementation must not have unnecessary services and functions enabled.


Overview

Finding ID: SRG-NET-000131-FW-000074
Version: SRG-NET-000131-FW-000074
Rule ID: SRG-NET-000131-FW-000074_rule
IA Controls:
Severity: Medium
Description
Unnecessary services and functions increase the attack surface (sum of attack vectors) of a system. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. Firewalls and devices that implement ACLs can be capable of providing a wide variety of functions and services; not all of these capabilities are necessary. It is detrimental for network elements to provide, or enable by default, functionality exceeding requirements or mission objectives. Only those functions and services that are necessary to support operations must be enabled and those functions and services secured.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000131-FW-000074_chk )
Review the firewall configuration to determine whether services or functions that are not required for operation, or not related to firewall functionality (e.g., DNS, email client or server, FTP server, or web server), are enabled. Have the Firewall/System Administrator display the services running on the firewall. Required services should be documented with the IAO. If any undocumented/unapproved services are enabled, this is a finding.
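One way to mechanize the comparison the check text calls for, as an added example that is not part of the SRG: parse Linux `ss -ltnp`-style listener output from the firewall host and report every listening process that is not on the IAO-documented allowlist. The allowlist (APPROVED_SERVICES) and the sample `ss` output are constructed; on a vendor appliance the equivalent list comes from its own service-display command.

```python
import re

# Constructed: process names the IAO has documented as required on this firewall.
APPROVED_SERVICES = {"sshd", "rsyslogd"}

# Constructed sample in the shape of `ss -Hltnp` output (TCP listeners, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128      [::]:22         [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 25    0.0.0.0:514     0.0.0.0:* users:(("rsyslogd",pid=640,fd=5))
LISTEN 0 100 127.0.0.1:25      0.0.0.0:* users:(("master",pid=1044,fd=13))
LISTEN 0 511   0.0.0.0:80      0.0.0.0:* users:(("nginx",pid=1200,fd=6))
LISTEN 0 5     0.0.0.0:21      0.0.0.0:* users:(("vsftpd",pid=1300,fd=3))
"""

# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
_LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\S+\s+\S+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Map each listening process name to the set of local sockets it binds."""
    listeners = {}
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m or m.group("state") != "LISTEN":
            continue  # skip headers, non-listening sockets, unparsable lines
        listeners.setdefault(m.group("proc"), set()).add(m.group("local"))
    return listeners


def audit_services(ss_output, approved):
    """Return {process: sorted sockets} for every listener not on the allowlist.

    An empty result means no finding; anything else is a finding under
    SRG-NET-000131-FW-000074. Loopback-only bindings (e.g. 127.0.0.1:25)
    are still reported: the rule is about enabled services, not exposure.
    """
    listeners = parse_listeners(ss_output)
    return {proc: sorted(socks) for proc, socks in listeners.items()
            if proc not in approved}


if __name__ == "__main__":
    findings = audit_services(SAMPLE_SS_OUTPUT, APPROVED_SERVICES)
    if not findings:
        print("No undocumented listening services: not a finding")
    for proc, socks in sorted(findings.items()):
        print(f"FINDING: undocumented service {proc} listening on {', '.join(socks)}")
```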
Fix Text (F-SRG-NET-000131-FW-000074_fix)
Remove, if possible, unneeded services and functions from the firewall. Removal is preferred because a service or function that is merely disabled may later be inadvertently enabled. If removal is not possible, disable the service or function. Document all necessary services.