UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall must block outbound IP packets that contain illegitimate packet attributes including, at a minimum, invalid source address or packets that fail minimum length tests (TCP length, UDP length, IP data length) that have undefined protocol numbers, improper use of hop-by-hop header, or IPv6 RH0 header.


Overview

Finding ID Version Rule ID IA Controls Severity
V-79481 SRG-NET-000364-FW-000037 SV-94187r1_rule Medium
Description
If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.
STIG Date
Firewall Security Requirements Guide 2018-03-21

Details

Check Text ( C-79099r2_chk )
Review the configuration and verify the firewall blocks outbound IP packets that contain an illegitimate attributes. At a minimum, rules must exist to filter based on invalid source address or packets that fail minimum length tests (TCP length, UDP length, IP data length) that have undefined protocol numbers, improper use of hop-by-hop header, or IPv6 RH0 header.

If the firewall does not block outbound IP packets that that contain illegitimate packet attributes, this is a finding.
Fix Text (F-86255r1_fix)
Configure the firewall to block outbound IP packets that that contain illegitimate packet attributes.