| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-37365 | SRG-NET-999999-FW-000195 | SV-49126r1_rule | | Medium |
| Description |
|---|
| Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, including protocol/port values, cannot be determined. A firewall must be able to properly enforce its filtering policy on fragmented packets. This requires that the firewall be able to find the complete set of header data, including extension headers and the upper-layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks. Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper-layer protocol/port information outward (toward packet boundaries), making it much harder to protect. How a firewall achieves these requirements is not important as long as both aspects are met. The wording "drop at least one fragment" is a statement of the bare minimum action needed to secure a packet, and is chosen to allow firewall vendors flexibility in achieving it. |
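As an added illustration that is not part of the STIG text, the following Python checker shows the stateless half of this requirement: it walks the extension-header chain of an IPv6 packet or first fragment and reports whether the upper-layer protocol and (for TCP/UDP) ports are wholly present, returning "drop" when an extension header has pushed them past the fragment boundary. The header constants are the IANA-assigned Next Header values and the three packets are constructed samples; reassembly and overlap detection, which need per-flow state, are deliberately out of scope.

```python
import struct

# IANA Next Header values (well known; not taken from the STIG text)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
MIN_TRANSPORT_LEN = {TCP: 20, UDP: 8, ICMPV6: 4}  # full L4 header we insist on seeing


def inspect_ipv6(packet: bytes):
    """Walk the extension-header chain of an IPv6 packet (or first fragment) and
    report whether protocol and, for TCP/UDP, ports can be determined from it."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop", "not a well-formed IPv6 packet"
    nh, off, fragmented = packet[6], 40, False
    while nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT):
        if off + 8 > len(packet):  # the chain itself runs past the bytes we hold
            return "drop", "extension header chain truncated"
        if nh == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:  # offset != 0
                return "defer", "non-first fragment: match against reassembly state"
            fragmented, nh, off = True, packet[off], off + 8
        else:  # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nh, off = packet[off], off + (packet[off + 1] + 1) * 8
    need = MIN_TRANSPORT_LEN.get(nh)
    if need is None:
        return "drop", f"upper-layer protocol {nh} not recognised"
    if off + need > len(packet):
        return "drop", f"protocol {nh} header not wholly inside first fragment"
    if nh in (TCP, UDP):
        sport, dport = struct.unpack_from("!HH", packet, off)
        return "filterable", f"proto={nh} sport={sport} dport={dport} frag={fragmented}"
    return "filterable", f"proto={nh} frag={fragmented}"


def _ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample: 40-byte IPv6 header, ::1 -> ::1, hop limit 64."""
    loopback = b"\x00" * 15 + b"\x01"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       loopback, loopback) + payload


TCP_SYN = struct.pack("!HHIIBBHHH", 443, 51000, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
# First fragment carrying the whole TCP header: filter can see proto and ports.
OK_FIRST = _ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1, 0xABCD) + TCP_SYN)
# First fragment whose Destination Options header pushes TCP out of the fragment.
PUSHED_OUT = _ipv6(FRAGMENT, struct.pack("!BBHI", DEST_OPTS, 0, 1, 0xABCD)
                   + bytes([TCP, 0, 1, 4, 0, 0, 0, 0]))
# Non-first fragment (offset 1): carries no upper-layer header by design.
LATER = _ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, (1 << 3) | 1, 0xABCD) + b"\0" * 16)

if __name__ == "__main__":
    for name, pkt in [("OK_FIRST", OK_FIRST), ("PUSHED_OUT", PUSHED_OUT), ("LATER", LATER)]:
        print(name, *inspect_ipv6(pkt))
```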
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2013-04-24 |
| Check Text (C-45612r1_chk) |
|---|
| Verify the firewall implementation is configured to drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, including protocol/port values, cannot be determined. If the firewall implementation does not drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering cannot be determined. |
| Fix Text (F-42290r1_fix) |
|---|
| Configure the firewall implementation to drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering cannot be determined. |