Check: SRG-NET-000029-ALG-000079
Application Layer Gateway (ALG) Security Requirements Guide (SRG):
SRG-NET-000029-ALG-000079
(in version v1 r2)
Title
The ALG that is part of a CDS must enforce dynamic traffic flow control based on organization-defined policies. (Cat II impact)
Discussion
Information flow policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Organization-defined policies for CDS systems depend on the environment, data, and security boundaries. Organizations implementing CDS must follow the DoD-required process of testing, baselining, and risk assessment to ensure the rigor and accuracy necessary to rely upon a CDS for cross domain security. Enforcement occurs in boundary protection devices that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). This requirement is primarily used by organizations with cross domain solution needs. These solutions require advanced filtering techniques and flow enforcement mechanisms, such as high-assurance guards. Dynamic traffic flow control mechanisms are generally not available in commercial off-the-shelf information technology products.
Check Content
If the ALG is not part of a CDS, this is not applicable. Verify that changes made to the policy filters (e.g., rule sets or content filters) take effect immediately. The changed filter must be applied to active sessions as well as to new sessions, without requiring a restart of the ALG or recompilation of the policy. If the ALG does not enforce dynamic traffic flow control based on organization-defined policies, this is a finding.
Fix Text
If the ALG is part of a CDS, configure the ALG to enforce dynamic flow control based on organization-defined policies.
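As an added illustration of what this check actually tests (not part of the SRG text and not any vendor's implementation), the following constructed Python model contrasts two gateway designs: one that computes a verdict when a session opens and reuses it, and one that re-evaluates every message against the policy currently in force. The audit function reproduces the Check Content procedure: open a session, tighten the filter while the session is active, then send through both the existing session and a new one. Rule fields, domain names ("low", "high") and the keyword "PROJECT-X" are hypothetical.

```python
"""Constructed model of the SRG-NET-000029-ALG-000079 check: a policy
change must reach active sessions as well as new ones, with no restart."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Rule:
    # Hypothetical rule shape: matching domains, an optional content-filter
    # keyword that forces a deny, and the action when no keyword matches.
    src: str
    dst: str
    blocked_keyword: Optional[str] = None
    action: str = "allow"


class Policy:
    """Ordered rule set: first matching (src, dst) wins, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def replace(self, rules: List[Rule]) -> None:
        # Operator pushes a new rule set; nothing is restarted or recompiled.
        self.rules = list(rules)

    def decide(self, src: str, dst: str, content: str) -> str:
        for r in self.rules:
            if r.src == src and r.dst == dst:
                if r.blocked_keyword and r.blocked_keyword in content:
                    return "deny"
                return r.action
        return "deny"


class CachedVerdictGateway:
    """Weak design: the verdict is fixed when the session opens and reused
    for every later message, so policy changes never reach active sessions
    and content filters are never consulted at all."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: Dict[str, Tuple[str, str, str]] = {}

    def open_session(self, sid: str, src: str, dst: str) -> None:
        self.sessions[sid] = (src, dst, self.policy.decide(src, dst, ""))

    def send(self, sid: str, content: str) -> str:
        return self.sessions[sid][2]


class DynamicGateway:
    """Compliant design: every message is re-evaluated against the policy
    in force at that moment, so rule-set and content-filter changes apply
    immediately to active and new sessions alike."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: Dict[str, Tuple[str, str]] = {}

    def open_session(self, sid: str, src: str, dst: str) -> None:
        self.sessions[sid] = (src, dst)

    def send(self, sid: str, content: str) -> str:
        src, dst = self.sessions[sid]
        return self.policy.decide(src, dst, content)


def audit_dynamic_flow_control(make_gateway: Callable[[Policy], object]) -> dict:
    """Run the Check Content procedure against a gateway implementation.
    Returns the observed verdicts and a 'finding' flag (True = fails)."""
    policy = Policy([Rule("low", "high", action="allow")])
    gw = make_gateway(policy)
    gw.open_session("s1", "low", "high")
    before = gw.send("s1", "routine status report")
    # Tighten the content filter while s1 is still active (constructed
    # keyword); the ALG is not restarted and the policy is not recompiled.
    policy.replace([Rule("low", "high", blocked_keyword="PROJECT-X")])
    active = gw.send("s1", "status of PROJECT-X")
    gw.open_session("s2", "low", "high")
    new = gw.send("s2", "status of PROJECT-X")
    clean = gw.send("s1", "routine status report")
    return {
        "before_change": before,
        "active_session": active,
        "new_session": new,
        "active_session_clean": clean,
        "finding": not (active == "deny" and new == "deny"),
    }


if __name__ == "__main__":
    for impl in (CachedVerdictGateway, DynamicGateway):
        print(impl.__name__, audit_dynamic_flow_control(impl))
```

The cached design is a finding: the active session keeps its stale "allow" and the new session is also allowed because the verdict was computed without the message content. The dynamic design denies both messages carrying the blocked keyword while still passing the clean message on the same active session, which is the behaviour the Check Content asks the reviewer to confirm on the real device.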
Additional Identifiers
Rule ID: SV-68733r1_rule
Vulnerability ID: V-54487
Group Title: SRG-NET-000029-ALG-000079
CCIs
Number | Definition
---|---
CCI-000027 | The information system enforces dynamic information flow control based on organization-defined policies.
CCI-000366 | The organization implements the security configuration settings.