SRG-NET-000019-FW-000194 | Medium | The firewall implementation must drop all inbound IPv6 packets containing undefined header extensions/protocol values. | Undefined header extensions may cause equipment to behave erratically or even crash. Various IPv6 extension headers have been standardized since the IPv6 standard was first published, and a... |
SRG-NET-000019-FW-000195 | Medium | The firewall implementation must drop fragmented IPv6 packets when any fragment overlaps another. | Fragmented packets can be used to "fool" a firewall into allowing otherwise prohibited traffic. A firewall must be able to properly enforce its filtering policy upon fragmented packets. This... |
SRG-NET-000019-FW-000196 | Medium | The firewall implementation must drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain. | Nested fragmentation in IPv6 should be dropped by the firewall since internal nodes that process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash... |
SRG-NET-000019-FW-000197 | Medium | The firewall implementation must block IPv6 6to4 addresses at the enclave perimeter for inbound and outbound traffic. | Address spoofing is a major issue on tunnels to a 6to4 relay router. For incoming traffic, the 6to4 router is unable to match the IPv4 address of the relay router with the IPv6 address of the... |
SRG-NET-000018-FW-000249 | Medium | The firewall implementation must restrict the acceptance of any IP packets from the unspecified address (::/128). | The address 0:0:0:0:0:0:0:0, also defined ::/128, is called the unspecified address. It must never be assigned to any node. It indicates the absence of an address. The unspecified address... |
SRG-NET-000018-FW-000248 | Medium | The firewall implementation must block any packet with a source or destination of the IPv6 local host loopback address (::1/128). | The IPv6 unicast address 0:0:0:0:0:0:0:1, also defined as ::1/128, is called the loopback address. It should never be used as the source or destination IP address of an inbound or outbound... |
SRG-NET-000019-FW-000192 | Medium | The firewall implementation must drop all inbound IPv6 packets for which the layer 4 protocol and ports (undetermined transport) cannot be located. | IPv6 allows an unlimited number of extension headers to be applied to a packet. Some devices are incapable of traversing the list of extension headers, with the result being that the network... |
SRG-NET-000019-FW-000193 | Medium | The firewall implementation must drop all inbound IPv6 packets with a Type 0 Routing header. | The IPv6 Type 0 Routing Header (extension header) is functionally equivalent to the IPv4 loose source routing header option, which is typically blocked for security reasons. The Type 0 Routing... |
SRG-NET-000019-FW-000253 | Medium | The firewall implementation must block IPv6 well-known multicast addresses on the ingress and egress inbound filters, (FF00::/8). | The following well-known multicast addresses are predefined and shall never be assigned to any multicast group. Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0 ... |
SRG-NET-000019-FW-000252 | Medium | The firewall implementation must block IPv6 6bone address space on the ingress and egress filters (3FEE::/16). | The decommissioned 6bone allocation (3FFE::/16), RFC 3701 must be blocked. It is no longer a trusted source. |
SRG-NET-000019-FW-000251 | Medium | The firewall implementation must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values. | These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do... |
SRG-NET-000019-FW-000250 | Medium | The firewall implementation must drop all inbound IPv6 packets with a Type 1 or Types 3 through 255 Routing Header. | The Type 1 Routing Header is defined by an abandoned specification called "Nimrod Routing". Devices may not recognize the Type 1 Routing Header, so packets with this header must be dropped. IETF... |
SRG-NET-000019-FW-000198 | Medium | The firewall implementation must block IPv6 Site Local Unicast addresses (FEC0::/10) at the enclave perimeter by the ingress and egress filters. | The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting, as documented in section 2 of RFC3879. IPv6 Site Local... |
SRG-NET-000019-FW-000199 | Medium | The firewall implementation must block IPv6 Jumbo Payload hop-by-hop header. | The IPv6 Jumbo Payload allows IP packets to be larger than 65,535 bytes. This header should be dropped unless the system is specifically designed to use very large payloads since it can break... |
SRG-NET-000019-FW-000255 | Medium | The firewall implementation must protect against Inbound IP packets using RFC5735, RFC6598, and other network address space allocated by IANA but not assigned by the regional internet registries for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device. | A packet originating from outside the enclave should never have a source address in an unassigned range. These are bogus source IP addresses and are often used in attacks. This type of IP... |
SRG-NET-000019-FW-000254 | Medium | The firewall implementation must block IPv6 Unique Local Unicast addresses on the ingress and egress filters, (FC00::/7). Note that this consists of all addresses that begin with FC or FD. | Packets originating outside the enclave with a source or destination address of the FC00::/7 prefix are bogus and may be malicious. The IANA has assigned the FC00::/7 prefix to Unique Local... |
SRG-NET-000402-FW-000247 | Medium | The firewall implementation must reveal error messages only to the IAO, IAM, and SA. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give information about... |
SRG-NET-000335-FW-000216 | Medium | The firewall implementation must provide an immediate real time alert to the System Administrator and Information Assurance Officer, at a minimum, of all audit failure events requiring real time alerts. | If the firewall implementation becomes unable to write events to either local storage or to a centralized server, this is a logging failure. Configuring the network device or log server to... |
SRG-NET-000100-FW-000061 | Medium | The firewall implementation must protect audit logs from unauthorized deletion. | Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly... |
SRG-NET-000192-FW-000234 | Medium | The firewall implementation must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding. | A compromised host in an enclave can be used by a malicious actor as a platform to launch cyber attacks on third parties. This is a common practice in “botnets”, which are a collection of... |
SRG-NET-000019-FW-000191 | Medium | The firewall implementation must suppress router advertisements on all external-facing IPv6-enabled interfaces. | IPv6 Neighbor Discovery relies, in part, on Router Advertisement, which can be abused by an attacker to cause either a Denial of Service or to redirect traffic to a rogue IPv6 router. To mitigate... |
SRG-NET-000512-FW-000222 | Medium | The firewall implementation must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including NSA configuration guides, Communications Tasking Orders (CTOs), and Directive-Type Memorandums (DTMs). | If the firewall or device implementing an ACL/rule set does not follow established security guidance, it is likely that it is not adequately secured, which increases the risk. Configuring the... |
SRG-NET-000391-FW-000244 | Medium | The firewall implementation must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions. | Failing to continuously monitor the network leaves the network vulnerable to attack. The Enclave firewall rules and Access Control Lists should be based on authorized applications being used... |
SRG-NET-000132-FW-000075 | Medium | The firewall implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | The DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. These... |
SRG-NET-000131-FW-000224 | Medium | The firewall implementation's auxiliary port (if present) must be disabled unless it is connected to a secured modem providing encryption and authentication. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network.... |
SRG-NET-000018-FW-000017 | Medium | The firewall implementation must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | If the firewall implementation is not configured to control the flow of information within the network based on organization-defined information flow control policies, malicious or otherwise... |
SRG-NET-000131-FW-000223 | Medium | The firewall implementation must not enable the service or feature that automatically contacts the vendor. | "Call home" services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. However, using this... |
SRG-NET-000018-FW-000168 | Medium | The firewall implementation must implement NAT to ensure endpoint internal IPv4 addresses are not visible to external untrusted networks. | An attacker can learn more about a site’s private network once it has discovered the real IP addresses of the hosts within. Network Address Translation (NAT) works well with the implementation of... |
SRG-NET-000078-FW-000051 | Medium | The firewall implementation must log records for any match of a firewall rule (traffic either allowed or denied). | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
SRG-NET-000018-FW-000205 | Medium | The firewall implementation must block any packet with a source or destination of the IPv4 local host loopback address (127.0.0.0/8). | The IPv4 loopback address should never be used as the source or destination IP address of an inbound or outbound transmission. Packets with a source IP or destination address of the 127.0.0.0/8... |
SRG-NET-000018-FW-000207 | Medium | The firewall implementation must protect server VLAN(s) by controlling the flow of information originating from one server farm segment destined for another server farm segment. | The intent of this requirement is to protect servers on a VLAN from a server that has been compromised by an intruder. If the server farm segments are not protected, a compromised server can be... |
SRG-NET-000018-FW-000206 | Medium | The firewall implementation must protect server VLAN(s) using a deny-by-default security posture. | Without proper access control of traffic entering or leaving the server VLAN, potential threats, such as a denial of service, data corruption, or theft could occur, resulting in the inability to... |
SRG-NET-000335-FW-000217 | Medium | The firewall implementation must make alarm messages identifying a security violation accessible to authorized personnel. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
SRG-NET-000075-FW-000048 | Medium | The firewall implementation must produce log records containing sufficient information to establish when (date and time) the events occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
SRG-NET-000102-FW-000220 | Medium | The firewall implementation must protect audit tools from unauthorized modification. | If an audit tool is compromised, the validity of any audits that are performed using that tool may also be compromised and may be invalid. Basing decisions or attributions on an invalid audit may... |
SRG-NET-000511-FW-000214 | Medium | The firewall implementation must write log records to centralized, redundant log servers in real time and those records backed up weekly. | Information stored in one location is vulnerable to accidental or intentional deletion or alteration. Sending log records to a log server is a form of “off-loading” and is a common practice since... |
SRG-NET-000074-FW-000047 | Medium | The firewall implementation must produce audit log records that contain sufficient information to establish what type of event occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
SRG-NET-000365-FW-000239 | Medium | The firewall implementation must fail securely in the event of an operational failure. | If the firewall implementation fails in an unsecure manner (open), unauthorized traffic originating externally to the enclave may enter, or the device may permit unauthorized information release. ... |
SRG-NET-000099-FW-000060 | Medium | The firewall implementation must protect audit log information from unauthorized modification. | Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly... |
SRG-NET-000362-FW-000231 | Medium | The firewall implementation must drop half-open TCP connections through filtering thresholds or timeout periods. | Denial of Service is a condition when a resource is not available for legitimate users. A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by... |
SRG-NET-000362-FW-000232 | Medium | The firewall implementation must protect against "Ping of Death" (oversized ICMP echo request) attacks. | Denial of Service is a condition when a resource is not available for legitimate users. The "Ping of Death" is a malformed (oversized) ICMP echo request. An oversized ICMP echo request packet... |
SRG-NET-000362-FW-000233 | Medium | The firewall implementation must protect against or limit the effects of all types of Denial of Service (DoS) attacks directed against the device itself by employing security safeguards. | Denial of Service is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded... |
SRG-NET-000019-FW-000257 | Medium | The firewall implementation must block, deny, or drop inbound IP packets using an RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) at the perimeter device. | This type of IP address spoofing occurs when someone outside the network uses an RFC1918 address to gain access to systems or devices on the internal network. If the intruder is successful, they... |
SRG-NET-000019-FW-000208 | Medium | The firewall implementation must maintain a current configuration that enforces dynamic information flow control based on organization-defined policies. | If configuration changes are not being saved, the firewall implementation will revert to a possibly unsecure configuration when it reboots; therefore, it is imperative that the most recent... |
SRG-NET-000202-FW-000118 | Medium | The firewall implementation must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Failing to identify and prohibit unauthorized traffic leaves the enclave vulnerable to attack. The initial defense for the internal network is for protection measures to block any traffic at the... |
SRG-NET-000019-FW-000256 | Medium | The firewall implementation must block, deny, or drop inbound IPv4 packets using a link-local address space (169.254.0.0/16) at the perimeter device. | This type of IPv4 address spoofing occurs when someone outside the network uses a link-local address to gain access to systems or devices on the internal network. If the intruder is successful,... |
SRG-NET-000088-FW-000215 | Medium | The firewall implementation must automatically generate an alert to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity. | Configuring the network device or log server to provide alerts to the administrator in the event of modification or audit log capacity being exceeded ensures administrative staff is aware of... |
SRG-NET-000362-FW-000230 | Medium | The firewall implementation must protect against TCP SYN floods. | Denial of Service is a condition when a resource is not available for legitimate users. A SYN-flood attack is a denial-of-service attack where the attacker sends a huge amount of... |
SRG-NET-000131-FW-000074 | Medium | The firewall implementation must not have unnecessary services and functions enabled. | Unnecessary services and functions increase the attack surface (sum of attack vectors) of a system. These unnecessary capabilities or services are often overlooked and therefore may remain... |
SRG-NET-000362-FW-000229 | Medium | The firewall implementation must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing security safeguards. | Denial of Service is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded... |
SRG-NET-000334-FW-000201 | Medium | The firewall implementation must write log records to centralized, redundant log servers and those records backed up to a different system or media. | Information stored in one location is vulnerable to accidental or intentional deletion or alteration. Sending log records to a log server is a form of “off-loading” and is a common practice since... |
SRG-NET-000273-FW-000152 | Medium | The firewall implementation must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some... |
SRG-NET-000088-FW-000055 | Medium | The firewall implementation must be configured to send an alert to designated personnel in the event of a logging failure. | If the firewall becomes unable to write events to either local storage or to a centralized server, this is a logging failure. Configuring the network device or log server to provide alerts to the... |
SRG-NET-000103-FW-000221 | Medium | The firewall implementation must protect audit tools from unauthorized deletion. | If an audit tool is deleted, performing audits will take additional time and may lead to less thorough and/or less accurate results. This may adversely impact the ability of responsible personnel... |
SRG-NET-000193-FW-000235 | Medium | The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks. | Denial of Service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as Volumetric Attacks and have the objective of overloading a... |
SRG-NET-000098-FW-000059 | Medium | The firewall implementation must protect audit log information from unauthorized read access. | Associating event types with detected events in the logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly... |
SRG-NET-000113-FW-000065 | Medium | The firewall implementation must generate a log record for any traffic to a port, protocol, or service that is denied. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
SRG-NET-000015-FW-000015 | Medium | The firewall implementation must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | If the firewall implementation is not configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies,... |
SRG-NET-000333-FW-000213 | Medium | The firewall implementation must support centralized management and configuration of the content to be captured in log records. | Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
SRG-NET-000101-FW-000219 | Medium | The firewall implementation must protect audit tools from unauthorized access. | If an audit tool is compromised, the validity of any audits that are performed using that tool may also be compromised and may be invalid. Basing decisions or attributions on an invalid audit may... |
SRG-NET-000366-FW-000240 | Medium | The firewall implementation must block both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers. | Various communication services such as public VoIP and Instant Messaging services route messages over their own networks and are stored on their own servers; therefore, that traffic can be... |
SRG-NET-000364-FW-000237 | Medium | The firewall implementation must only allow incoming communications from authorized sources routed to authorized destinations. | Unauthorized traffic is untrusted traffic and may be malicious. Traffic originating from unauthorized sources may be hostile and pose a threat to an enclave or to other connected networks. ... |
SRG-NET-000077-FW-000050 | Medium | The firewall implementation must produce log records containing sufficient information to establish the source of the event. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |
SRG-NET-000205-FW-000121 | Medium | The firewall implementation must apply ingress filters entering the network to the external interface in the inbound direction. | Filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of filters... |
SRG-NET-000205-FW-000122 | Medium | The firewall implementation must apply egress filters leaving the network to the internal interface in the inbound direction. | Filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of filters... |
SRG-NET-000390-FW-000243 | Medium | The firewall implementation must continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions. | Failing to continuously monitor the network leaves the network vulnerable to attack. The Enclave firewall rules and Access Control Lists should be based on authorized applications being used... |
SRG-NET-000089-FW-000056 | Medium | In the event of a logging failure, the firewall implementation must overwrite the oldest log records. | It is critical that if the firewall implementation is at risk of failing to process logs, it takes action to mitigate the failure. Responses to a logging failure depend upon the nature of the... |
SRG-NET-000199-FW-000238 | Medium | The firewall implementation must prevent discovery of specific system components or devices composing the enclave protection devices. | If the devices protecting the enclave can be discovered, they can be probed and attacked. These devices must be protected from discovery and reconnaissance by hostile actors or malware since... |
SRG-NET-000273-FW-000258 | Medium | The firewall implementation must block all inbound traceroutes to prevent network discovery by unauthorized users. | The traceroute tool will display routes and trip times on an IP network. An attacker can use traceroute responses to create a map of the subnets and hosts behind the perimeter. The traditional... |
SRG-NET-000019-FW-000018 | Medium | The firewall implementation must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain... |
SRG-NET-000401-FW-000246 | Medium | The firewall implementation must properly reassemble incoming fragmented packets before configured policies are applied to them or drop fragmented packets. | Packet fragmentation is allowed by the TCP/IP specifications and is encouraged in situations where it is needed. However, packet fragmentation has been used to make some attacks harder to detect... |
SRG-NET-000076-FW-000049 | Medium | The firewall implementation must produce log records containing sufficient information to establish where the events occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in order to compile an accurate risk assessment.... |