The firewall implementation must reveal error messages only to the IAO, IAM, and SA.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000402-FW-000247	SRG-NET-000402-FW-000247	SRG-NET-000402-FW-000247_rule		Medium

Description
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give information about configuration and/or architecture of the network. Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some also provide information that an attacker can use in reconnaissance of a network. ICMP control messages must be filtered at external enclave boundaries and at connections to untrusted networks. Log messages and SNMP traps must only be directed to authorized end-points (such as the log server and SNMP management console respectively) and be restricted to the Network Management subnet/VLAN.

Description

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give information about configuration and/or architecture of the network. Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some also provide information that an attacker can use in reconnaissance of a network. ICMP control messages must be filtered at external enclave boundaries and at connections to untrusted networks. Log messages and SNMP traps must only be directed to authorized end-points (such as the log server and SNMP management console respectively) and be restricted to the Network Management subnet/VLAN.

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000402-FW-000247_chk )
Review the configuration of the firewall implementation; verify that ICMP control messages are filtered at external enclave boundaries and at connections to untrusted networks. If they are not, this is a finding. Review the network diagrams and the configuration of the firewall implementation; verify that there is a separate subnet and VLAN for Network Management, the log servers and SNMP management console are on this subnet/VLAN, and that the device is configured to send messages only to those destinations. If these actions have not been taken, this is a finding.

Check Text ( C-SRG-NET-000402-FW-000247_chk )

Review the configuration of the firewall implementation; verify that ICMP control messages are filtered at external enclave boundaries and at connections to untrusted networks. If they are not, this is a finding.

Review the network diagrams and the configuration of the firewall implementation; verify that there is a separate subnet and VLAN for Network Management, the log servers and SNMP management console are on this subnet/VLAN, and that the device is configured to send messages only to those destinations. If these actions have not been taken, this is a finding.

Fix Text (F-SRG-NET-000402-FW-000247_fix)
Filter ICMP control messages at external enclave boundaries and at connections to untrusted networks. Implement a separate network/VLAN for Network Management, deploy the log servers and SNMP management console on the Management Network, and configure the firewall implementation to send messages only to those destinations.