The firewall must block outbound IP packets that contain illegitimate packet attributes including, at a minimum, invalid source address or packets that fail minimum length tests (TCP length, UDP length, IP data length) that have undefined protocol numbers, improper use of hop-by-hop header, or IPv6 RH0 header.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-79481 | SRG-NET-000364-FW-000037 | SV-94187r1_rule | Medium |
| Description |
|---|
| If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2018-03-21 |
Details
| Check Text ( C-79099r2_chk ) |
|---|
| Review the configuration and verify the firewall blocks outbound IP packets that contain an illegitimate attributes. At a minimum, rules must exist to filter based on invalid source address or packets that fail minimum length tests (TCP length, UDP length, IP data length) that have undefined protocol numbers, improper use of hop-by-hop header, or IPv6 RH0 header. If the firewall does not block outbound IP packets that that contain illegitimate packet attributes, this is a finding. |
| Fix Text (F-86255r1_fix) |
|---|
| Configure the firewall to block outbound IP packets that that contain illegitimate packet attributes. |