
The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.


Overview

Finding ID: V-48191
Version: SOL-11.1-050470
Rule ID: SV-61063r1_rule
IA Controls:
Severity: Medium
Description
Manipulation of IP addresses can allow untrusted systems to appear as trusted hosts, bypassing firewalls and other security mechanisms and resulting in system penetration.
STIG: Solaris 11 SPARC Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text (C-50623r2_chk)
This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine if network link protection capabilities are enabled on each network interface.

# dladm show-linkprop -p protection
LINK     PROPERTY    PERM VALUE        DEFAULT     POSSIBLE
net0     protection  rw   mac-nospoof, --          mac-nospoof,
                          restricted,              restricted,
                          ip-nospoof,              ip-nospoof,
                          dhcp-nospoof             dhcp-nospoof

If mac-nospoof, restricted, ip-nospoof, and dhcp-nospoof do not all appear in the "VALUE" column for each interface, this is a finding.
Fix Text (F-51799r1_fix)
This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

The Network Link Security profile is required.

Determine which network interfaces are available and what protection modes are enabled.

Enable link protection on each configured network interface.

# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]
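The following script is an added example and is not part of the STIG text. It automates the check above (all four protection modes must be present in the VALUE column of every interface) and emits the fix command for each interface that fails. It runs offline on constructed sample output; the assumption is that `dladm show-linkprop -c -p protection -o link,value` prints one `link:value1,value2,...` line per interface, which is what a Solaris 11 global zone would pipe into `check_protection`. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for SOL-11.1-050470: evaluate dladm link-protection values and
# report findings. Not from the STIG itself.
# ASSUMPTION: `dladm show-linkprop -c -p protection -o link,value` prints
# lines of the form "link:mode1,mode2,..." (parseable output, one per link).

# The four modes the rule requires in the VALUE column.
REQUIRED="mac-nospoof restricted ip-nospoof dhcp-nospoof"

# Constructed sample output (not captured from a real system):
#   net0 is compliant, net1 lacks ip-nospoof and dhcp-nospoof,
#   net2 has protection unset (dladm prints "--" for an empty value).
SAMPLE='net0:mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
net1:mac-nospoof,restricted
net2:--'

# missing_modes VALUE -> prints the required modes absent from the comma list VALUE
missing_modes() {
    _value=",$1,"
    _missing=""
    for _mode in $REQUIRED; do
        case "$_value" in
            *",$_mode,"*) ;;                      # mode present
            *) _missing="$_missing $_mode" ;;    # mode absent
        esac
    done
    echo "${_missing# }"
}

# fix_command LINK -> the STIG fix command for that interface (printed, not run)
fix_command() {
    echo "pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof $1"
}

# check_protection reads "link:value" lines on stdin and prints one line per
# link: "LINK ok" or "LINK FINDING missing: <modes>" followed by the fix
# command. Returns 1 if any interface is a finding, 0 otherwise.
check_protection() {
    _rc=0
    while IFS=: read -r _link _value; do
        [ -n "$_link" ] || continue
        _m=$(missing_modes "$_value")
        if [ -z "$_m" ]; then
            echo "$_link ok"
        else
            echo "$_link FINDING missing: $_m"
            echo "  fix: $(fix_command "$_link")"
            _rc=1
        fi
    done
    return $_rc
}

# run_sample evaluates the constructed sample; on Solaris replace the printf with
#   dladm show-linkprop -c -p protection -o link,value | check_protection
run_sample() {
    printf '%s\n' "$SAMPLE" | check_protection
}

run_sample || :   # report on the sample; exit status masked so the script ends cleanly
```

Because `check_protection` only reads stdin, the same function works unchanged on the live command output in the global zone; the fix command is printed rather than executed so the report can be reviewed before any link property is changed.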