
The firewall implementation must prevent discovery of specific system components or devices comprising a managed interface.


Overview

Finding ID: SRG-NET-000199-FW-000123
Version: SRG-NET-000199-FW-000123
Rule ID: SRG-NET-000199-FW-000123_rule
IA Controls: (none listed)
Severity: Medium
Description
Allowing neighbor discovery messages to reach external network nodes is dangerous because it gives an attacker a way to obtain information about the network infrastructure that can be useful in planning an attack. In addition, telling the sending node that a packet cannot be forwarded because the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages. To mitigate the risk of reconnaissance or a DoS attack, all external-facing interfaces must be configured to silently drop unreachable traffic, to not announce network address information, and to ignore neighbor solicitation messages. The firewall is installed in stealth mode with one interface installed on the management network. This interface is used for communications with the firewall and other network elements.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-000199-FW-000123_chk )
Inspect the ACLs or policy filters installed on the firewall to block or ignore activity that would result in discovery of network devices by an unauthorized attacker by performing the following actions.
Verify ACLs or policy filters exist that monitor for and drop unreachable traffic.
Verify firewalls do not announce network address information.
Verify firewalls ignore neighbor solicitation messages.

If the firewall is not configured to prevent discovery of network devices and components, this is a finding.
Fix Text (F-SRG-NET-000199-FW-000123_fix)
Implement firewall ACLs or policy filters that monitor for and drop unreachable traffic and ignore neighbor solicitation messages. Configure ACLs or policy filters so network address information is not announced.
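As an added example that is not part of the SRG, the following script renders the fix text and the check text above for a Linux firewall using nftables: one function prints a ruleset that silently drops by default, ignores neighbor and router solicitations on the external interface and announces no advertisements, redirects or unreachables out of it; a second prints the complementing kernel settings; a third audits a ruleset for the three properties the check text asks for. Interface names (eth0, mgmt0) and management ports are assumptions, and the audit is pattern matching rather than a full nft parser.

```shell
#!/bin/sh
# Added example, not text from the SRG: a Linux/nftables rendering of the fix text
# with one "stealth" external interface and one management interface (names are
# placeholders). Upstream devices need static neighbor/ARP entries for the firewall,
# since it will no longer answer solicitations on the external side.
# Print a ruleset for external interface $1 and management interface $2.
stealth_ruleset() {
  ext="$1"; mgmt="$2"
  cat <<EOF
table inet stealth {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    # ignore neighbor/router solicitations, advertisements and redirects
    iifname "$ext" icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
    # management traffic is accepted only from the management network
    iifname "$mgmt" tcp dport { 22, 443 } ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
    # announce nothing out the external side: no advertisements, redirects or unreachables
    oifname "$ext" icmpv6 type { nd-router-advert, nd-neighbor-advert, nd-redirect, destination-unreachable } drop
    oifname "$ext" icmp type { destination-unreachable, redirect } drop
  }
}
EOF
}
# Kernel settings that complement the ruleset on external interface $1.
stealth_sysctls() {
  cat <<EOF
net.ipv6.conf.$1.accept_ra = 0
net.ipv6.conf.$1.accept_redirects = 0
net.ipv4.conf.$1.send_redirects = 0
net.ipv4.conf.$1.arp_ignore = 8
EOF
}
# Audit for the check text: read a ruleset on stdin and return 0 only if it drops by
# default, ignores neighbor solicitation, drops advertisements and answers nothing back.
audit_ruleset() {
  rs="$(cat)"
  printf '%s\n' "$rs" | grep -q 'hook input.*policy drop' || return 1
  printf '%s\n' "$rs" | grep -q 'nd-neighbor-solicit.*drop' || return 1
  printf '%s\n' "$rs" | grep -q 'nd-router-advert.*drop' || return 1
  ! printf '%s\n' "$rs" | grep -qw reject
}
```

To deploy as root, validate with `stealth_ruleset eth0 mgmt0 | nft -c -f -`, load with `nft -f -` instead of `-c -f -`, and write `stealth_sysctls eth0` to a file under /etc/sysctl.d/ followed by `sysctl --system`.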