
The firewall implementation must only allow incoming communications from authorized sources routed to authorized destinations.


Overview

Finding ID: SRG-NET-000364-FW-000237
Version: SRG-NET-000364-FW-000237
Rule ID: SRG-NET-000364-FW-000237_rule
IA Controls: (none listed)
Severity: Medium
Description
Unauthorized traffic is untrusted traffic and may be malicious. Traffic originating from unauthorized sources may be hostile and pose a threat to an enclave or to other connected networks. Traffic originating from authorized sources but connecting to unauthorized destinations may be the result of compromised external hosts. Additionally, unrestricted traffic may transit a network, consuming bandwidth and other resources. Therefore, all expected traffic must be identified by application, endpoints, protocol, and port, and then vetted. Only those connections (or traffic flows) which are essential and approved must be allowed. The firewall or other device implementing an Access Control List must only allow traffic from authorized sources to authorized destinations. Sources and destinations should be identified as specifically as possible. All other inbound and outbound traffic must be denied by default.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000364-FW-000237_chk)
Review the configuration of the firewall implementation and the system documentation and verify that only traffic from authorized sources to authorized destinations is allowed. If any source and destination combination is allowed that is not specifically authorized, this is a finding.
Fix Text (F-SRG-NET-000364-FW-000237_fix)
Configure the firewall implementation to only allow traffic from authorized sources to authorized destinations.
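As an added illustration of the check above (not part of the SRG itself), the following Python script audits a firewall's allow rules against the authorized flows recorded in the system documentation. Both rule lists are constructed samples with documentation-range addresses; the rule format, the `Rule` class and the flow matching are assumptions for the example, not any vendor's configuration syntax.

```python
"""Audit firewall allow rules against documented authorized flows."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port or "any"


# Constructed sample: flows approved in the system documentation.
AUTHORIZED = [
    Rule("allow", "203.0.113.0/24", "192.0.2.10/32", "tcp", "443"),
    Rule("allow", "198.51.100.5/32", "192.0.2.20/32", "tcp", "22"),
]

# Constructed sample: what the firewall actually has configured.
CONFIGURED = [
    Rule("allow", "203.0.113.0/24", "192.0.2.10/32", "tcp", "443"),
    Rule("allow", "0.0.0.0/0", "192.0.2.20/32", "tcp", "22"),      # source too broad
    Rule("allow", "198.51.100.5/32", "192.0.2.0/24", "tcp", "22"),  # destination too broad
    Rule("deny", "any", "any", "any", "any"),                       # default deny
]


def _net(spec):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def covered_by(rule, auth):
    """True if an allow rule is no broader than one authorized flow."""
    return (rule.action == "allow" and auth.action == "allow"
            and _net(rule.src).subnet_of(_net(auth.src))
            and _net(rule.dst).subnet_of(_net(auth.dst))
            and auth.proto in ("any", rule.proto)
            and auth.port in ("any", rule.port))


def find_findings(configured, authorized):
    """Report allow rules not justified by the authorized list and a
    missing terminal deny-all; an empty list means no finding."""
    findings = []
    for r in configured:
        if r.action == "allow" and not any(covered_by(r, a) for a in authorized):
            findings.append(f"unauthorized allow: {r.src} -> {r.dst} {r.proto}/{r.port}")
    last = configured[-1] if configured else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("no default deny at end of rule set")
    return findings


if __name__ == "__main__":
    for finding in find_findings(CONFIGURED, AUTHORIZED):
        print("FINDING:", finding)
```

A rule that is narrower than its authorized flow passes; one whose source or destination is wider than any authorized flow is reported, as is a rule set that does not end in an explicit deny-all.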