Rule ID
SV-279180r1170629_rule
Version
V1R1
Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy types must be limited to related functions. At a minimum, the web and email gateway represent different security domains/trust levels. Organizations should also consider separation of gateways that service the DMZ and the trusted network. Satisfies: SRG-NET-000131-ALG-000086, SRG-NET-000384-ALG-000136
1. In the Edge SWG Web UI, navigate to Configuration. 2. Go to "Services and Proxy Services". Under "Proxy Services", if there are more than HTTP, HTTPS, CAC-Mc-Notify, and any other required reverse proxy (e.g. HTTP/2 reverse proxy like H2-Console), this is a finding.
1. In the Edge SWG Web UI, navigate to Configuration. 2. Go to "Services and Proxy Services". 3. Under "Proxy Services", remove all services like FTP, etc., other than HTTP, HTTPS, CAC-Mc-Notify, and any other required reverse proxy (e.g., HTTP/2 reverse proxy like H2-Console). 4. Only authorized proxy service must be configured for Intercept, and any service not in use must be removed, not just set to Bypass.