The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
An XCCDF Rule
Description
<VulnDiscussion>A firewall that relies on a deny all, permit by exception strategy requires all traffic to have explicit permission before traversing an interface on the host. The firewall must incorporate stateful packet filtering and logging. Nonlocal maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending nonlocal maintenance and diagnostic communications through encrypted channels enforced via firewall configurations. Satisfies: SRG-OS-000074, SRG-OS-000096, SRG-OS-000112, SRG-OS-000113, SRG-OS-000125, SRG-OS-000250, SRG-OS-000393</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-216387r986391_rule
- Severity
- Medium
- Updated
Remediation - Manual Procedure
The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, configure and enable the IP Filters policy.
# pfedit /etc/ipf/ipf.conf.