The smartphone management server host-based or appliance firewall must be installed and configured as required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24975	WIR-WMS-GD-004	SV-30812r2_rule	ECSC-1	High

Description
A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.

STIG	Date
Good Mobility Suite Server (Android OS) Security Technical Implementation Guide	2011-12-14

Details

Check Text ( C-31229r2_chk )
The Good server host-based or appliance firewall must be configured as required. The Good server firewall is configured with the following rules: - Deny all except when explicitly authorized. - Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. - Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service. - Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets. Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: -Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall). -Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list. -Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.

Check Text ( C-31229r2_chk )

The Good server host-based or appliance firewall must be configured as required.

The Good server firewall is configured with the following rules:

- Deny all except when explicitly authorized.

- Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.

- Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service.

- Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.

Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet.

Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.

Check Procedures:
-Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall).

-Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list.

-Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.

Fix Text (F-27616r2_fix)
Install the smartphone management server host-based or appliance firewall and configure as required.