
The firewall implementation must protect against Inbound IP packets using RFC5735, RFC6598, and other network address space allocated by IANA but not assigned by the regional internet registries for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device.


Overview

Finding ID: SRG-NET-000019-FW-000255
Version: SRG-NET-000019-FW-000255
Rule ID: SRG-NET-000019-FW-000255_rule
IA Controls:
Severity: Medium
Description
A packet originating from outside the enclave should never have a source address in an unassigned range. These are bogus source IP addresses and are often used in attacks. This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed, or that has not been officially assigned by a regional internet registry to an ISP for use, in order to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or against the network.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000255_chk )
Review the configuration of the firewall implementation. If the router is not configured to block, deny, or drop inbound IP packets whose source addresses fall in RFC5735, RFC6598, or other network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use, this is a finding.
Fix Text (F-SRG-NET-000019-FW-000255_fix)
Configure the firewall implementation to block, deny, or drop inbound IP packets whose source addresses fall in RFC5735, RFC6598, or other network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use.
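As an added illustration (not part of the SRG), the following Python audit helper encodes the RFC 5735 and RFC 6598 blocks named in this requirement and flags inbound flow records whose source address falls inside them. The IANA-allocated but RIR-unassigned space changes over time, so it is taken as a caller-supplied list rather than hard-coded; the flow records are constructed sample data.

```python
import ipaddress

# RFC 5735 section 3 special-use IPv4 blocks (the blocks the requirement names).
RFC5735_BLOCKS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
]
# RFC 6598 shared address space (carrier-grade NAT), never a valid external source.
RFC6598_BLOCKS = ["100.64.0.0/10"]


def build_bogon_list(extra_unassigned=()):
    """Return the source prefixes that must be dropped at the perimeter.
    extra_unassigned: IANA-allocated but RIR-unassigned prefixes; these change
    over time and must come from a maintained list, so they are not embedded here."""
    nets = [ipaddress.ip_network(b) for b in RFC5735_BLOCKS + RFC6598_BLOCKS]
    nets += [ipaddress.ip_network(b) for b in extra_unassigned]
    # Most specific prefix first, so the match names the narrowest RFC block.
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def matching_bogon(src, bogons):
    """Return the bogon prefix containing src, or None if src is routable."""
    addr = ipaddress.ip_address(src)
    for net in bogons:
        if addr in net:
            return str(net)
    return None


def audit_inbound(records, bogons):
    """Return (src, prefix) for each inbound record whose source is a bogon."""
    findings = []
    for rec in records:
        hit = matching_bogon(rec["src"], bogons)
        if hit is not None:
            findings.append((rec["src"], hit))
    return findings


# Constructed sample of inbound flow records seen on the external interface.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "10.1.1.5"},  # RFC 5735 documentation range
    {"src": "100.70.3.9", "dst": "10.1.1.5"},    # RFC 6598 shared address space
    {"src": "8.8.8.8", "dst": "10.1.1.5"},       # ordinary routable source
    {"src": "172.20.0.1", "dst": "10.1.1.5"},    # RFC 1918 private, listed in RFC 5735
]

if __name__ == "__main__":
    for src, net in audit_inbound(SAMPLE_FLOWS, build_bogon_list()):
        print(f"FINDING: inbound packet from bogon source {src} ({net}) reached the perimeter")
```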