
All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.


Overview

Finding ID: SRG-NET-000030-NDM-NA
Version: SRG-NET-000030-NDM-NA
Rule ID: SRG-NET-000030-NDM-NA_rule
IA Controls: (none listed)
Severity: Medium
Description
Allowing traffic to bypass the security checkpoints puts the network infrastructure and critical data at risk. However, attempting to decrypt traffic that is legitimately encrypted can violate privacy laws and the confidentiality of the information. There can be cases where encrypted information legitimately traverses either the perimeter or other network devices; however, this traffic must be inspected by an approved content inspection application, either before encryption or at an authorized application proxy. The network device cannot determine whether content filtering has been performed on encrypted data. It is not the function of the network device to encrypt or decrypt traffic. If a VPN gateway is installed on the network device, that functionality must be inspected for compliance with VPN guidance. This requirement is applicable to specific devices and does not involve the management of a network device.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000030-NDM-NA_chk)
This requirement is NA for network device management.
Fix Text (F-SRG-NET-000030-NDM-NA_fix)
This requirement is NA for network device management.