Title

Symantec ProxySG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (Cat II impact)

Discussion

A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed. As a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. This requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic for which the ALG is acting as an intermediary or proxy must be denied by default.

Check Content

Verify that the ProxySG is configured to deny all traffic by default. 1. Log on to the Web Management Console. 2. Browse to Configuration >> Policy >> Policy Options. 3. Verify that the "Default Proxy Policy" setting is set to "Deny". If Symantec ProxySG does not deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception), this is a finding.

Fix Text

Configure the ProxySG to deny all traffic by default. 1. Log on to the Web Management Console. 2. Browse to Configuration >> Policy >> Policy Options. 3. Set the "Default Proxy Policy" to "Deny" and click "Apply".

Additional Identifiers

Rule ID: SV-104281r1_rule

Vulnerability ID: V-94327

Group Title: SRG-NET-000202-ALG-000124

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.