
The firewall implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.


Overview

Finding ID: SRG-NET-000132-FW-000075
Version: SRG-NET-000132-FW-000075
Rule ID: SRG-NET-000132-FW-000075_rule
IA Controls:
Severity: Medium
Description
The DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols, or services have known exploits or security weaknesses. These ports, protocols, and services must be prohibited or restricted by the firewall implementation (enclave firewall and ACL in the perimeter router) in accordance with DoD policy. Ingress and egress Access Control Lists restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.

All ports and protocols allowed into the enclave must be registered in the PPSM database. It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database. Vulnerability assessments must be reviewed and protocols must be approved by the IA staff before entering the enclave. System Administrators will review the PPS Vulnerability Assessment of every port allowed into the enclave and apply all appropriate mitigations defined in the Vulnerability Assessment report.

If the perimeter is in a Deny-by-Default posture, what is allowed through the perimeter defenses is in accordance with DoD Instruction 8551.1, and each permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to PPS being blocked are satisfied.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000132-FW-000075_chk)
Review the Interface Design Document or Software Design Document for any custom or modified software to identify what protocols, services, and ports it uses. For commonly available commercial or open-source software used within the enclave, review the vendor or project documentation. Interviewing the responsible System Administrator, Software Engineer, or Principal Engineer is recommended. If any applications, ports, protocols, or services used by the enclave are not registered in the DoD Ports and Protocols Database in accordance with DoDI 8551.1, this is a finding.

Review the configuration of the enclave routers and firewalls and verify that the rule sets/ACLs are in accordance with DoD 8551.1. If the perimeter is in a Deny-by-Default posture and what is allowed through the perimeter defenses is in accordance with DoD Instruction 8551.1, and if each permit rule is explicitly defined with explicit ports and protocols allowed, this is not a finding.
Fix Text (F-SRG-NET-000132-FW-000075_fix)
Ensure all IP Ports, Protocols, and Services (PPSs) used by the enclave are registered in the DoD Ports and Protocols Database in accordance with DoDI 8550.1. Configure perimeter defenses (enclave firewall and perimeter router) and ingress and egress rule sets/ACLs to restrict traffic in accordance with the guidelines contained in DoD Instruction 8551.1 for all services and protocols required for operational commitments.
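The check and fix text above reduce to three testable conditions on a perimeter rule set: it ends in an explicit deny-all (Deny-by-Default), every permit names an explicit protocol and port rather than "any", and every permitted protocol/port pair is registered. The following Python script is an added illustration of auditing a rule set against those conditions; it is not part of the STIG and not a DoD or PPSM tool. The rule representation, the REGISTERED_PPS set (a constructed stand-in for the PPSM database), and the two sample rule sets are all assumptions made for the example.

```python
"""Audit a perimeter rule set for the Deny-by-Default / explicit-permit posture
described in SRG-NET-000132-FW-000075 (constructed example, not an official tool)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One ordered rule in an ingress/egress rule set (simplified, vendor-neutral)."""
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp", "udp", "icmp", or "any"
    dst_port: Optional[int]     # None means "any port" (or not applicable, e.g. icmp)
    comment: str = ""


# Constructed stand-in for the set of registered (protocol, port) pairs.
# In practice this comes from the PPSM database / CAL, not from a literal in code.
REGISTERED_PPS: Set[Tuple[str, Optional[int]]] = {
    ("tcp", 443),   # HTTPS
    ("tcp", 22),    # SSH
    ("udp", 53),    # DNS
}


def is_explicit_deny_all(rule: Rule) -> bool:
    """True for a rule that denies every protocol and port (the Deny-by-Default catch-all)."""
    return rule.action == "deny" and rule.protocol == "any" and rule.dst_port is None


def audit_ruleset(rules: List[Rule],
                  registered: Set[Tuple[str, Optional[int]]] = REGISTERED_PPS) -> List[str]:
    """Return a list of findings; an empty list means the rule set passes the check."""
    findings: List[str] = []

    # Condition 1: Deny-by-Default posture, i.e. the last rule is an explicit deny-all.
    if not rules or not is_explicit_deny_all(rules[-1]):
        findings.append("rule set does not end with an explicit deny-all (not Deny-by-Default)")

    for index, rule in enumerate(rules, start=1):
        if rule.action != "permit":
            continue
        # Condition 2: each permit names an explicit protocol and (for tcp/udp) an explicit port.
        if rule.protocol == "any":
            findings.append(f"rule {index}: permit without an explicit protocol")
            continue
        if rule.protocol in ("tcp", "udp") and rule.dst_port is None:
            findings.append(f"rule {index}: permit {rule.protocol} without an explicit port")
            continue
        # Condition 3: the permitted protocol/port pair is registered.
        if (rule.protocol, rule.dst_port) not in registered:
            findings.append(f"rule {index}: permit {rule.protocol}/{rule.dst_port} "
                            "is not registered in the PPS database")
    return findings


# Constructed sample rule sets: a weak one and its corrected counterpart.
WEAK_RULES: List[Rule] = [
    Rule("permit", "any", None, "allow everything from partner range"),
    Rule("permit", "tcp", 443, "web front end"),
    Rule("permit", "tcp", None, "management hosts, all tcp"),
    Rule("permit", "tcp", 23, "legacy telnet"),
    # no trailing deny-all: anything not matched above falls through to the platform default
]

CORRECTED_RULES: List[Rule] = [
    Rule("permit", "tcp", 443, "web front end"),
    Rule("permit", "udp", 53, "resolver"),
    Rule("deny", "any", None, "explicit deny-all"),
]


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        result = audit_ruleset(ruleset)
        print(f"{name}: {'PASS' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

The weak rule set produces four findings (missing deny-all, a protocol-less permit, a port-less TCP permit, and an unregistered TCP/23 permit); the corrected set produces none. Running it against real exports requires a parser for the platform's ACL syntax in front of `audit_ruleset`, and the registered set must be sourced from the PPSM data rather than hard-coded.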