Rule ID
SV-237052r831327_rule
Version
V2R2
CCIs
CCI-002403
Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters), ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate. The URI White List defines acceptable destination URIs allowed for incoming requests. The White List Check compares the URI of an incoming request against the rules contained in the URI White List policy file. Connection requests are accepted only if the URI matches a rule in the URI White List. Note: A URI Black List can also be configured, which takes priority over a URI White List. However, since deny-all, permit by exception is a fundamental principle, a URI White List is necessary.
If the device is not used to load balance web servers, this is not applicable. Review the device configuration. The following command displays WAF templates: show slb template waf If the configured WAF template does not have the "uri-wlistcheck" option configured, this is a finding.
If the device is used to load balance web servers, configure the URI White List. The following commands configure the ADC to compare incoming traffic against the URI White List: slb template waf [template-name] uri-wlistcheck [file-name]