
The firewall implementation must properly reassemble incoming fragmented packets before configured policies are applied to them or drop fragmented packets.


Overview

Finding ID: SRG-NET-000401-FW-000246
Version: SRG-NET-000401-FW-000246
Rule ID: SRG-NET-000401-FW-000246_rule
IA Controls: (none listed)
Severity: Medium
Description
Packet fragmentation is allowed by the TCP/IP specifications and is encouraged in situations where it is needed. However, packet fragmentation has been used to make some attacks harder to detect (by placing them within fragmented packets), and unusual fragmentation has also been used as a form of attack. For example, some network-based attacks have used packets that should not exist in normal communications, such as sending some fragments of a packet but not the first fragment, or sending packet fragments that overlap each other.

This latter case, known as the Overlapping Fragment Attack, attempts to “trick” the firewall by overwriting part of the TCP header information in the first fragment, which contained data that was allowed to pass through the firewall, with malicious data in subsequent fragments. A common use of this is to overwrite the destination port number so that the traffic reaches a service that would not be allowed to pass the router under normal circumstances.

The capability to properly reassemble incoming fragmented packets before configured policies are applied to them can be verified by acceptance/validation processes in DoD or other government agencies. This would be verified, in part, by validation testing. If the device cannot properly reassemble packets before configured policies are applied to them, it must be configured to drop fragmented packets.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000401-FW-000246_chk)
This requirement generally applies to the design of an information technology product. This can be verified by acceptance/validation processes in DoD or other government agencies.

If the firewall implementation can properly reassemble fragmented packets, this is not a finding. If the firewall implementation cannot properly reassemble fragmented packets, it must be configured to drop all packet fragments. If it is not, this is a finding.
Fix Text (F-SRG-NET-000401-FW-000246_fix)
Properly reassembling fragment packets is a capability that would be intrinsic to the firewall implementation as a result of its development. If it is not capable of this, configure it to drop fragmented packets.
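The following is an added worked example, not part of the SRG text and not any vendor's firewall code. It models the behaviour the Description and the Check/Fix text call for: a strict reassembler that rejects the anomalies named above (missing first fragment, overlapping fragments, gaps), a policy step that runs only on the reassembled datagram, the non-compliant per-fragment check for contrast, and the prescribed fallback of dropping every fragment when reassembly is unavailable. Everything about the model is a simplifying assumption: fragment offsets are counted in bytes rather than the 8-byte units of the real IP header, the "datagram" is a bare 20-byte TCP header, the policy is just an allow-list of destination ports, and the sample fragments are constructed here.

```python
"""Toy model of SRG-NET-000401-FW-000246: apply firewall policy only to a fully
reassembled datagram, and drop anything that cannot be reassembled cleanly.

Assumptions (not from the SRG): byte offsets instead of 8-byte units, a bare
TCP header as the datagram, and an allow-list of destination ports as policy."""

from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification field: groups the fragments of one datagram
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # IP "More Fragments" flag: True on every fragment but the last
    payload: bytes


class FragmentError(ValueError):
    """Raised for fragment sets that should never occur in normal communications."""


def reassemble(frags: Iterable[Fragment]) -> bytes:
    """Strict reassembly: any overlap, gap, or missing first/last fragment is rejected."""
    frags = list(frags)
    if not frags:
        raise FragmentError("no fragments")
    if len({f.ident for f in frags}) != 1:
        raise FragmentError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        raise FragmentError("first fragment missing")          # the 'not the first fragment' case
    expected = 0
    for f in ordered:
        if not f.payload:
            raise FragmentError("empty fragment")
        if f.offset < expected:
            raise FragmentError(f"overlap at offset {f.offset}")   # the Overlapping Fragment case
        if f.offset > expected:
            raise FragmentError(f"gap before offset {f.offset}")
        expected = f.offset + len(f.payload)
    if any(not f.more for f in ordered[:-1]):
        raise FragmentError("a non-final fragment has the MF flag cleared")
    if ordered[-1].more:
        raise FragmentError("final fragment missing")
    return b"".join(f.payload for f in ordered)


def dst_port(datagram: bytes) -> int:
    """Destination port sits at bytes 2..3 of a TCP header (big-endian)."""
    if len(datagram) < 4:
        raise FragmentError("datagram too short for a TCP header")
    return int.from_bytes(datagram[2:4], "big")


def policy_after_reassembly(frags: List[Fragment], allowed: Set[int]) -> str:
    """Compliant behaviour: reassemble first; anything anomalous is dropped."""
    try:
        datagram = reassemble(frags)
    except FragmentError:
        return "drop"
    return "pass" if dst_port(datagram) in allowed else "drop"


def policy_per_fragment(frags: List[Fragment], allowed: Set[int]) -> str:
    """Non-compliant behaviour: only the header-bearing first fragment is checked,
    every other fragment is waved through without a reassembled view."""
    for f in frags:
        if f.offset == 0 and dst_port(f.payload) not in allowed:
            return "drop"
    return "pass"


def host_reassemble_last_wins(frags: List[Fragment]) -> bytes:
    """What a permissive endpoint stack might do: later fragments overwrite earlier bytes.
    Shown only to explain why per-fragment policy is insufficient."""
    buf = bytearray(max(f.offset + len(f.payload) for f in frags))
    for f in frags:                                   # arrival order, not offset order
        buf[f.offset:f.offset + len(f.payload)] = f.payload
    return bytes(buf)


def drop_all_fragments(frags: List[Fragment]) -> str:
    """Fallback the Fix text prescribes when reassembly is not available:
    any datagram that arrives fragmented is dropped."""
    fragmented = len(frags) > 1 or any(f.more or f.offset != 0 for f in frags)
    return "drop" if fragmented else "pass"


# Constructed sample traffic (assumed policy: only web ports are allowed).
ALLOWED = {80, 443}


def tcp_header(dport: int) -> bytes:
    """Minimal 20-byte TCP header: source port 1234, given destination port, rest zeroed."""
    return (1234).to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(16)


CLEAN = [Fragment(1, 0, True, tcp_header(80)[:8]), Fragment(1, 8, False, tcp_header(80)[8:])]
# Second fragment starts at offset 2 and overwrites the destination-port bytes.
OVERLAP = [Fragment(2, 0, True, tcp_header(80)[:8]),
           Fragment(2, 2, False, (23).to_bytes(2, "big") + bytes(16))]
MISSING_FIRST = [Fragment(3, 8, False, bytes(12))]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("missing-first", MISSING_FIRST)):
        print(f"{name:14} per-fragment={policy_per_fragment(frags, ALLOWED):5} "
              f"reassembled={policy_after_reassembly(frags, ALLOWED):5} "
              f"drop-all={drop_all_fragments(frags)}")
```

Running the block shows the gap the requirement closes: the per-fragment check passes both the overlapping set and the set with no first fragment, while the endpoint's last-wins reassembly of the overlapping set yields destination port 23; the reassemble-then-filter path drops both, and the drop-all fallback drops every fragmented datagram including the clean one, which is the cost the Fix text accepts when reassembly is not available.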