Application Layer Gateway Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The ALG that is part of a CDS, when transferring information between different security domains, must implement organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.

    Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures incl...
    Rule Medium Severity
  • SRG-NET-000284

    Group
  • SRG-NET-000285

    Group
  • SRG-NET-000288

    Group
  • The ALG providing content filtering must block or restrict detected prohibited mobile code.

    Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution ...
    Rule Medium Severity
  • SRG-NET-000289

    Group
  • SRG-NET-000313

    Group
  • SRG-NET-000314

    Group
  • The ALG providing intermediary services for remote access communications traffic must provide the capability to immediately disconnect or disable remote access to the information system.

    Without the ability to immediately disconnect or disable remote access, an attack or other compromise in progress could not be immediately stopped. Remote access functionality must have the ca...
    Rule Medium Severity
  • SRG-NET-000318

    Group
  • To protect against data mining, the ALG providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unaut...
    Rule Medium Severity
  • SRG-NET-000318

    Group
  • To protect against data mining, the ALG providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unaut...
    Rule Medium Severity
  • SRG-NET-000318

    Group
  • SRG-NET-000319

    Group
  • SRG-NET-000319

    Group
  • To protect against data mining, the ALG providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in...
    Rule Medium Severity
  • SRG-NET-000319

    Group
  • To protect against data mining, the ALG providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational applications may result...
    Rule Medium Severity
  • SRG-NET-000323

    Group
  • SRG-NET-000324

    Group
  • The ALG that is part of a CDS, when transferring information between different security domains, must use organization-defined data type identifiers to validate data essential for information flow decisions.

    Information flow decisions based on invalid data may allow unintended and unauthorized data flows, and therefore risk the confidentiality of information. They may also result in the unauthorized re...
    Rule Medium Severity
  • SRG-NET-000325

    Group
  • The ALG that is part of a CDS must uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer.

    Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems allows the forensic re...
    Rule Medium Severity
  • SRG-NET-000326

    Group
  • The ALG that is part of a CDS must uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer.

    Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems allows the forensic re...
    Rule Medium Severity
  • SRG-NET-000328

    Group
  • The ALG that is part of a CDS, when transferring information between different security domains, must apply the same security policy filtering to metadata as it applies to data payloads.

    Subjecting metadata to the same filtering and inspection policies as payload data helps to mitigate the risk of data compromise through covert channels. This security measure also helps prevent the...
    Rule Medium Severity
  • SRG-NET-000329

    Group
  • The ALG that is part of a CDS must enforce the use of human reviews for organization-defined information flows under organization-defined conditions.

    Without network element enforcement of human reviews, security policy filters may have false positives and false negatives in marginal situations, which may result in loss of confidentiality or ava...
    Rule Medium Severity
  • SRG-NET-000331

    Group
  • SRG-NET-000334

    Group
  • SRG-NET-000335

    Group
  • SRG-NET-000337

    Group
  • SRG-NET-000339

    Group
  • The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

    For remote access to nonprivileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication i...
    Rule Medium Severity
  • SRG-NET-000340

    Group
  • SRG-NET-000344

    Group
  • The ALG must prohibit the use of cached authenticators after an organization-defined time period.

    If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs which may cache user authenticators...
    Rule Medium Severity
  • SRG-NET-000345

    Group
  • The ALG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

    Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). The intent of this requirement...
    Rule Medium Severity
  • SRG-NET-000349

    Group
  • The ALG providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.

    Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles addr...
    Rule Medium Severity
  • SRG-NET-000355

    Group
  • The ALG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.

    Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity assert...
    Rule Medium Severity
  • SRG-NET-000362

    Group
  • The ALG providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.

    If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key bo...
    Rule Medium Severity
  • SRG-NET-000362

    Group
  • The ALG must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.

    If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy, which reduces the susc...
    Rule Medium Severity
  • SRG-NET-000362

    Group