UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must protect against Inbound IP packets using RFC5735, RFC6598, and other network address space allocated by IANA but not assigned by the regional internet registries for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000019-FW-000255 SRG-NET-000019-FW-000255 SRG-NET-000019-FW-000255_rule Medium
Description
A packet originating from outside the enclave should never have a source address in an unassigned range. These are bogus source IP addresses and are often used in attacks. This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed or has not been officially assigned to an ISP for use by the regional internet registries to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use information to perform destructive acts on or to the network.
STIG Date
Firewall Security Requirements Guide 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000255_chk )
Review the configuration of the firewall implementation. If the router is not configured to block, deny, or drop inbound IP addresses using the RFC5735, RFC6598, and network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use, this is a finding.
Fix Text (F-SRG-NET-000019-FW-000255_fix)
Configure the firewall implementation to block, deny, or drop inbound IP addresses using the RFC5735, RFC6598, and network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer IP address space.