STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Network Infrastructure Policy Security Technical Implementation Guide

V-251368

CAT I (High)

A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.

Rule ID

SV-251368r853653_rule

STIG

Network Infrastructure Policy Security Technical Implementation Guide

Version

V10R7

CCIs

CCI-002080, CCI-002082, CCI-002398, CCI-002399

Discussion

To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. Applications, protocols, TCP/UDP ports, and endpoints (specific hosts or networks) are identified and used to develop rulesets and access control lists to restrict traffic to and from an enclave.

Check Content

Determine if a deny-by-default security posture has been implemented for both inbound and outbound traffic on the perimeter router or firewall.

If a deny-by-default security posture has not been implemented at the network perimeter, this is a finding.

Fix Text

Implement a deny-by-default security posture on either the enclave perimeter router or firewall.