
The firewall implementation must drop IPv6 packets for which the layer 4 protocol and ports cannot be detected.


Overview

Finding ID: V-37362
Version: SRG-NET-999999-FW-000192
Rule ID: SV-49123r1_rule
IA Controls: (not listed)
Severity: Low
Description
As a minimum, a firewall must be able to drop any packet for which it cannot identify the layer 4 protocol and ports (if applicable). This is usually a default firewall feature, but it is a particular concern for IPv6 because IPv6 allows an unlimited number of extension headers to be applied to a packet. A firewall may be unable to locate the layer 4 protocol and port values if walking too many extension headers exhausts its resources. The security policy would be subverted if such packets were allowed to pass through the firewall. If the firewall cannot parse extension headers at all, it must drop every packet that carries an extension header. This measure disables a large amount of IPv6 functionality and should only be used if the primary guidance cannot be implemented.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45609r1_chk)
Verify the firewall implementation is configured to drop all inbound IPv6 packets for which the layer 4 protocol and ports (if applicable) are undetectable.

If the firewall implementation does not drop packets for which the layer 4 protocol and ports are undetectable, this is a finding.
Fix Text (F-42287r1_fix)
Configure the firewall implementation to drop IPv6 packets for which the layer 4 protocol and ports are undetectable.
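The behaviour the Description and Fix Text require, as an added illustration that is not part of the STIG or any vendor's firewall code: a classifier walks the IPv6 extension-header chain under a bounded budget and returns a drop verdict whenever the layer 4 protocol (and ports, where applicable) cannot be located. The budget value, the helper names and the sample packets are assumptions constructed for this example.

```python
import struct

IPV6_HDR_LEN = 40
# Extension headers that share the generic "next header, length in 8-octet units" layout (RFC 8200).
CHAINED_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, TCP, UDP, ICMPV6 = 44, 6, 17, 58
MAX_EXT_HEADERS = 3  # assumed resource budget; a real firewall would make this configurable


def classify_ipv6(pkt: bytes, max_ext: int = MAX_EXT_HEADERS):
    """Walk the extension-header chain. Returns ("pass", proto, sport, dport) when the
    layer 4 protocol (and ports, if applicable) was located, otherwise ("drop", reason)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return ("drop", "not a complete IPv6 header")
    nh, off, seen = pkt[6], IPV6_HDR_LEN, 0
    while nh in CHAINED_EXT or nh == FRAGMENT:
        seen += 1
        if seen > max_ext:  # the case the STIG describes: the chain exhausts the budget
            return ("drop", "extension header budget exhausted")
        if off + 8 > len(pkt):  # every chained header is at least 8 octets
            return ("drop", "truncated extension header")
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:  # a non-initial fragment carries no layer 4 header
                return ("drop", "non-initial fragment, layer 4 header absent")
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
            if off + hdr_len > len(pkt):
                return ("drop", "truncated extension header")
        nh, off = pkt[off], off + hdr_len
    if nh in (TCP, UDP):
        if off + 4 > len(pkt):
            return ("drop", "layer 4 ports undetectable")
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return ("pass", nh, sport, dport)
    if nh == ICMPV6:  # layer 4 identified; ports are not applicable
        return ("pass", nh, None, None)
    return ("drop", f"unrecognised next header {nh}")


# Constructed sample packets (not captured traffic): unspecified addresses, hop limit 64.
def build_ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       b"\0" * 16, b"\0" * 16) + payload


def hop_by_hop(next_header: int) -> bytes:
    # Minimal 8-octet Hop-by-Hop header: hdr ext len 0, filled with one PadN option.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


TCP_SEGMENT = struct.pack("!HH", 40000, 443) + b"\0" * 16  # ports 40000 -> 443, rest zeroed
```

Calling `classify_ipv6(build_ipv6(0, hop_by_hop(0) * 3 + hop_by_hop(TCP) + TCP_SEGMENT))` shows the drop verdict for a chain longer than the budget, while the same packet with `max_ext=5` is classified as TCP 40000 to 443.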