|Finding ID||Version||Rule ID||IA Controls||Severity|
|The only way to mediate the flow of traffic between the inside network, the outside connection, and the DMZ is to place the firewall into the architecture in a manner that allows the firewall the ability to screen content for all three destinations.|
|Network Infrastructure Policy Security Technical Implementation Guide||2017-12-07|
|Check Text ( C-7447r3_chk )|
| Review the network topology diagrams and visually inspect the firewall location to validate correct position on the network. |
If the firewall is not positioned between the perimeter router and the private network and between the perimeter router and the DMZ, this is a finding.
Exception: If the perimeter security for the enclave or B/C/P/S is provisioned via the JRSS, then this requirement is not applicable.
|Fix Text (F-7641r2_fix)|
|Move the firewall into the prescribed location to allow for enforcement of the Enclave Security Policy and allow for all traffic to be screened.|