Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The network device must prevent discovery of specific network components or devices comprising a managed interface.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000199-NDM-000149 | SRG-NET-000199-NDM-000149 | SRG-NET-000199-NDM-000149_rule | Medium |
| Description |
|---|
| Allowing neighbor discovery messages to reach external network nodes is dangerous because it provides an attacker a method of obtaining information about the network infrastructure that can be useful to plan an attack. In addition, responding to the sending node that a packet cannot be forwarded because the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages. To mitigate the risk of reconnaissance or a denial of service attack, all external-facing interfaces must be configured to silently drop unreachable traffic, not announce network address information, and to ignore neighbor solicitation messages. |
| STIG | Date |
|---|---|
| Network Device Management Security Requirements Guide | 2013-07-30 |
Details
| Check Text ( C-SRG-NET-000199-NDM-000149_chk ) |
|---|
| Verify the network device prevents the discovery of specific network components or devices comprising a managed interface. If the network device does not prevent the discovery of specific network components or devices comprising a managed interface, this is a finding. |
| Fix Text (F-SRG-NET-000199-NDM-000149_fix) |
|---|
| Configure the network device to prevent the discovery of specific network components or devices comprising a managed interface. |