7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone

Information

When permitting traffic from an untrusted zone, such as the Internet or guest network, to a more trusted zone, such as a DMZ segment, create security policies specifying which specific applications are allowed.
Rationale:
To avoid unintentionally exposing systems and services, rules allowing traffic from untrusted zones to trusted zones should be as specific as possible. Application-based rules, as opposed to service/port rules, further tighten what traffic is allowed to pass. Similarly, traffic from trusted to untrusted networks should have a security policy set, with application-based rules. A "catch-all" rule that allows all applications will also allow malware traffic. The goal should be to understand both inbound and outbound traffic, permit what is known, and block all other traffic.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Policies > Security.
Set a Security Policy with:
Source: Zone set to OUTSIDE / Address set to any Destination / Destination: Zone set to DMZ / Address set to [DMZ IP Address] / Application set to web-browsing / Service set to application-default

Impact:
Setting application based rules on both inbound and outbound traffic ensures that the traffic on the protocol and port being specified is actually the application that you expect. For outbound traffic, the days of "we trust our users" is well past us, that statement also implies that we trust the malware on the user workstations, which is obviously not the case.
For traffic from trusted to less trusted interfaces, the applications should be characterized over time, with the end goal being that all applications in in the rules, and a final "block all" rule is in place. Not having this goal gives both attackers and malware the leeway they need to accomplish their goals.
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14, CSCv7|14

Plugin: Palo_Alto

Control ID: 9634eac0d0dbabae1e127db8ed506ccde2ca1d6b5d85bd1a1cf6ef0584bc6f21