Check: NET0369
Network Infrastructure Policy STIG:
NET0369
(in versions v10 r6 through v9 r2)
Title
A deny-by-default security posture must be implemented for traffic entering and leaving the enclave. (Cat I impact)
Discussion
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. Applications, protocols, TCP/UDP ports, and endpoints (specific hosts or networks) are identified and used to develop rulesets and access control lists to restrict traffic to and from an enclave.
Check Content
Determine if a deny-by-default security posture has been implemented for both inbound and outbound traffic on the perimeter router or firewall. If a deny-by-default security posture has not been implemented at the network perimeter, this is a finding.
Fix Text
Implement a deny-by-default security posture on either the enclave perimeter router or firewall.
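As an added example (not part of the STIG text), a small Python audit that reads an iptables-save dump and reports whether each built-in filter chain denies traffic that no explicit permit matched, which is the condition the Check Content asks the assessor to determine; the rule text and addresses below are constructed.

```python
"""Audit an iptables-save dump for a deny-by-default posture (NET0369).
Constructed example, not taken from any real device. A chain counts as
deny-by-default if its policy is DROP, or if its final rule is an
unconditional DROP/REJECT that catches whatever the permits above missed.
"""
import re

# Constructed: explicit permits only, everything else denied (compliant)
COMPLIANT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.0.2.0/24 --dport 443 -j ACCEPT
-A OUTPUT -p udp -d 198.51.100.53 --dport 53 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""

# Constructed: same ruleset without the OUTPUT catch-all, so unmatched
# outbound traffic falls through to the ACCEPT policy (a finding)
NONCOMPLIANT = COMPLIANT.replace("-A OUTPUT -j DROP\n", "")

CHAINS = ("INPUT", "FORWARD", "OUTPUT")
POLICY_RE = re.compile(r"^:(\w+) (ACCEPT|DROP|REJECT)")
CATCHALL_RE = re.compile(r"^-A (\w+) -j (DROP|REJECT)\b")  # no match criteria

def chain_defaults(dump: str) -> dict:
    """Map each built-in filter chain to 'deny' or 'allow' for unmatched traffic."""
    policy, last_rule, in_filter = {}, {}, False
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT":
            continue
        elif m := POLICY_RE.match(line):    # chain policy line
            policy[m.group(1)] = m.group(2)
        elif line.startswith("-A "):        # rule; only the last per chain matters
            chain = line.split()[1]
            m = CATCHALL_RE.match(line)
            last_rule[chain] = m.group(2) if m else None
    deny = ("DROP", "REJECT")
    return {c: "deny" if policy.get(c) in deny or last_rule.get(c) in deny
            else "allow" for c in CHAINS}

def is_deny_by_default(dump: str) -> bool:
    """True only when INPUT, FORWARD and OUTPUT all deny unmatched traffic."""
    return all(v == "deny" for v in chain_defaults(dump).values())
```

Run it against `iptables-save` output from the perimeter host; any chain reported as "allow" is the finding described in the Check Content.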
Additional Identifiers
Rule ID: SV-251368r853653_rule
Vulnerability ID: V-251368
Group Title: NET0369
Expert Comments
CCIs
Number | Definition
---|---
CCI-002080 | The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
CCI-002082 | The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
CCI-002130 | The information system automatically audits account enabling actions.
CCI-002132 | The information system notifies organization-defined personnel or roles for account enabling actions.
CCI-002398 | The information system detects outgoing communications traffic posing a threat to external information systems.
CCI-002399 | The information system denies outgoing communications traffic posing a threat to external information systems.
CCI-002428 | The organization defines the requirements for cryptographic key generation to be employed within the information system.
CCI-002429 | The organization defines the requirements for cryptographic key distribution to be employed within the information system.