The Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers, of the communications traffic.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-251009	SRG-NET-000018-ALG-000017	MOIS-AL-000020	SV-251009r1028172_rule	2024-09-25	3

Description
Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Sentry enforces approved authorizations by employing security policy and/or rules configured in MobileIron UEM that restrict information system services capability based on header or protocol information.

Description

Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Sentry enforces approved authorizations by employing security policy and/or rules configured in MobileIron UEM that restrict information system services capability based on header or protocol information.

ℹ️ Check
Verify the Sentry and MobileIron UEM is configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. MobileIron UEM applies Configurations to devices/users based on manual or dynamic labels. Verify that Configurations that leverage Sentry such as Email, VPN, Docs@Work, or any backend service which leverage Sentry as a gateway are applied to the appropriate user groups via the configurable labels. If not, this is a finding. 1. Log in to the Core Admin Portal. 2. Go to Policies and Configurations >> Configurations. 3. Verify the Sentry related Configurations are applied to the devices accessing systems behind the Sentry. If Configurations are misassigned to the wrong label/user groups, this is a finding.

ℹ️ Check

Verify the Sentry and MobileIron UEM is configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. MobileIron UEM applies Configurations to devices/users based on manual or dynamic labels. Verify that Configurations that leverage Sentry such as Email, VPN, Docs@Work, or any backend service which leverage Sentry as a gateway are applied to the appropriate user groups via the configurable labels. If not, this is a finding. 1. Log in to the Core Admin Portal. 2. Go to Policies and Configurations >> Configurations. 3. Verify the Sentry related Configurations are applied to the devices accessing systems behind the Sentry. If Configurations are misassigned to the wrong label/user groups, this is a finding.

✔️ Fix
Configure the Sentry to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic via MI Core labels. 1. Log in to the Core Admin Portal. 2. Go to Policies and Configurations >> Configurations. 3. For Active Sync email use cases with Sentry, apply the Exchange or mail app configurations using the Sentry to devices via a label. 4. For App Tunnel use cases, apply app configurations using the Sentry to device via a label.

✔️ Fix

Configure the Sentry to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic via MI Core labels. 1. Log in to the Core Admin Portal. 2. Go to Policies and Configurations >> Configurations. 3. For Active Sync email use cases with Sentry, apply the Exchange or mail app configurations using the Sentry to devices via a label. 4. For App Tunnel use cases, apply app configurations using the Sentry to device via a label.