Check: ENS-FW-000007
Trellix ENS 10.x STIG:
ENS-FW-000007
(in versions v2 r6 through v2 r5)
Title
(CUI) The McAfee ENS Firewall (FW) Connection Aware Group (CAG) rule group must be configured to prevent cross-domain traffic. (Cat II impact)
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. A host-based firewall adds another layer of protection to prevent unauthorized traffic from reaching or leaving the system. To be effective, it must be enabled and properly configured. Operation across different classification levels or across mixed DoD and non-DoD networks could cause cross-contamination of data, loss of data, data leakage, or unauthorized access. Configuring a CAG/LAG firewall rule will prevent cross-domain traffic.
Check Content
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable.

Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Verify a Connection Aware Group/Location Aware Group has been created with rules added to prevent cross-domain traffic.

If an allow all rule is configured in the Firewall Rules, this is a finding.

If a Connection Aware Group/Location Aware Group has not been created with rules added to prevent cross-domain traffic, this is a finding.
Fix Text
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Configure a Connection Aware Group/Location Aware Group with rules added to prevent cross-domain traffic. Click "Save".
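The Check Content and Fix Text above describe a manual review in the ePO console. As an added example (not part of the STIG and not Trellix/McAfee code), the script below applies the same two finding conditions to a Firewall Rules policy: it flags any "allow all" rule and flags the absence of a Connection/Location Aware Group that has rules. The dictionary layout is an assumed, simplified export shape (groups containing rules); real ePO policy exports differ, so the loader must be adapted before use.

```python
# Added example, not from the STIG or from Trellix/McAfee. The dict layout is an
# ASSUMED simplified policy shape (groups -> rules); real ePO exports differ.
from typing import Any

ANY = "any"

def is_allow_all(rule: dict[str, Any]) -> bool:
    """True for an 'allow all' rule: allow action, either direction, any
    protocol, and no remote-network restriction."""
    return (
        rule.get("action", "").lower() == "allow"
        and rule.get("direction", ANY).lower() in (ANY, "either")
        and rule.get("protocol", ANY).lower() == ANY
        and rule.get("remote_networks", [ANY]) in ([], [ANY])
    )

def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Return the list of ENS-FW-000007 findings; an empty list is Not a Finding."""
    findings: list[str] = []
    groups = policy.get("groups", [])
    # Finding 1: no Connection/Location Aware Group carrying rules.
    cag = [g for g in groups if g.get("connection_aware") and g.get("rules")]
    if not cag:
        findings.append("no Connection/Location Aware Group with rules defined")
    # Finding 2: an allow-all rule anywhere in the policy.
    for g in groups:
        for r in g.get("rules", []):
            if is_allow_all(r):
                findings.append(f"allow-all rule '{r['name']}' in group '{g['name']}'")
    return findings

# Constructed sample policies; the network range is a placeholder, not a site value.
COMPLIANT_POLICY = {"groups": [{
    "name": "CAG-NIPR", "connection_aware": True, "rules": [
        {"name": "Allow NIPR", "action": "allow", "direction": "either",
         "protocol": "any", "remote_networks": ["10.0.0.0/8"]},
        {"name": "Block other", "action": "block", "direction": "either",
         "protocol": "any", "remote_networks": ["any"]}]}]}
NONCOMPLIANT_POLICY = {"groups": [{
    "name": "Default", "connection_aware": False, "rules": [
        {"name": "Allow All", "action": "allow", "direction": "either",
         "protocol": "any", "remote_networks": ["any"]}]}]}

if __name__ == "__main__":
    for label, pol in (("compliant", COMPLIANT_POLICY), ("noncompliant", NONCOMPLIANT_POLICY)):
        print(label, audit_policy(pol) or "Not a Finding")
```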
Additional Identifiers
Rule ID: SV-230201r803966_rule
Vulnerability ID: V-230201
Group Title: SRG-APP-000332
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002190 | Use organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions. |
Controls
Number | Title |
---|---|
AC-4(1) | Object Security Attributes |