
The network device must prevent discovery of specific network components or devices comprising a managed interface.


Overview

Finding ID: SRG-NET-000199-NDM-000149
Version: SRG-NET-000199-NDM-000149
Rule ID: SRG-NET-000199-NDM-000149_rule
IA Controls: (none listed)
Severity: Medium
Description
Allowing neighbor discovery messages to reach external network nodes is dangerous because it gives an attacker a way to obtain information about the network infrastructure that can be used to plan an attack. In addition, telling the sending node that a packet cannot be forwarded because the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, its processor could be overloaded by having to generate a high volume of unreachable messages. To mitigate the risk of reconnaissance or a denial of service attack, all external-facing interfaces must be configured to silently drop unreachable traffic, to not announce network address information, and to ignore neighbor solicitation messages.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000199-NDM-000149_chk)
Verify the network device prevents the discovery of specific network components or devices comprising a managed interface. If the network device does not prevent the discovery of specific network components or devices comprising a managed interface, this is a finding.
Fix Text (F-SRG-NET-000199-NDM-000149_fix)
Configure the network device to prevent the discovery of specific network components or devices comprising a managed interface.
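The description and the check text above are vendor-neutral, so the following is an added example, not part of the SRG: a small compliance script that scans a Cisco IOS-style running configuration, picks out the external-facing interfaces, and reports which of the hardening lines implied by the description (silent drop of unreachables, no device announcements, no proxy ARP, no router advertisements) are missing. The sample configuration is constructed. The assumptions are mine: that interfaces are IOS-style stanzas, that an external-facing interface is marked with the word EXTERNAL in its description, and that the listed commands are the ones the operator's platform-specific STIG requires; the commands are real IOS syntax, but the authoritative set comes from the vendor guide, not from this script.

```python
"""Added example (not from the STIG page): scan an IOS-style configuration
for external-facing interfaces and report missing discovery-suppression lines.

Assumptions (the SRG itself is vendor-neutral):
  * Interfaces appear as "interface X" stanzas with indented body lines.
  * An external-facing interface has the word EXTERNAL in its description.
  * REQUIRED_LINES is an assumed hardening set; take the real set from the
    platform-specific STIG.
"""
import re

# Per-interface lines that silently drop unreachables, stop announcing the
# device, and stop it answering on behalf of others on an external interface.
REQUIRED_LINES = (
    "no ip unreachables",       # do not generate ICMP destination unreachable
    "no ipv6 unreachables",     # same for ICMPv6
    "no ip proxy-arp",          # do not answer ARP on behalf of other hosts
    "no cdp enable",            # do not announce this device via CDP
    "no lldp transmit",         # do not announce this device via LLDP
    "ipv6 nd ra suppress all",  # do not send IPv6 router advertisements
)

# Constructed sample: Gi0/0 is partially hardened, Gi0/1 is fully hardened,
# Gi0/2 is internal and therefore out of scope for this check.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
interface GigabitEthernet0/0
 description EXTERNAL uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 no ip unreachables
 no cdp enable
!
interface GigabitEthernet0/1
 description EXTERNAL DMZ
 ip address 198.51.100.1 255.255.255.0
 no ip unreachables
 no ipv6 unreachables
 no ip proxy-arp
 no cdp enable
 no lldp transmit
 ipv6 nd ra suppress all
!
interface GigabitEthernet0/2
 description internal management
 ip address 10.0.0.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped body lines]} from an IOS-style config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def is_external(lines):
    """True if the interface description carries the whole word EXTERNAL."""
    return any(
        l.startswith("description ") and re.search(r"\bEXTERNAL\b", l, re.I)
        for l in lines
    )


def check_external_interfaces(config):
    """Return {interface: [missing required lines]} for external interfaces.

    An empty list means the interface carries every required line; a
    non-empty list is a finding against this rule.
    """
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not is_external(lines):
            continue
        present = set(lines)
        findings[name] = [req for req in REQUIRED_LINES if req not in present]
    return findings


if __name__ == "__main__":
    for iface, missing in check_external_interfaces(SAMPLE_CONFIG).items():
        status = "OK" if not missing else "FINDING, missing: " + ", ".join(missing)
        print(f"{iface}: {status}")
```

Run against a real `show running-config` capture by replacing SAMPLE_CONFIG with the file contents; any external interface that reports missing lines maps directly to the "this is a finding" clause of the check text, and the missing lines are the fix.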