Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-228875 | PANW-AG-000127 | SV-228875r557387_rule | Medium |
Description |
---|
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give configuration details about the network element. The traceroute utility will display routes and trip times on an IP network. An attacker can use traceroute responses to create a map of the subnets and hosts behind the boundary. The traditional traceroute relies on TTL - time exceeded responses from network elements along the path and an ICMP port-unreachable message from the target host. In some Operating Systems such as UNIX, trace route will use UDP port 33400 and increment ports on each response. Since blocking these UDP ports alone will not block trace route capabilities along with blocking potentially legitimate traffic on a network, it's unnecessary to block them explicitly. Because traceroutes typically rely on ICMP Type 11 - Time exceeded message, the time exceeded message will be the target for implicitly or explicitly blocking outbound from the trusted network. |
STIG | Date |
---|---|
Palo Alto Networks ALG Security Technical Implementation Guide | 2021-07-02 |
Check Text ( C-31110r513920_chk ) |
---|
Ask the Administrator which Security Policy blocks traceroutes and ICMP probes. Go to Policies >> Security View the identified Security Policy. If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding. If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not any, this is a finding. Note: The exact number and name of zones is specific to the network. If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding. If the "Actions" field does not show "Deny" as the resulting action, this is a finding. |
Fix Text (F-31087r513921_fix) |
---|
Although the default inter-zone Security Policy will deny this traffic, a specific Security Policy should be used. To configure the security policy: Go to Policies >> Security Select "Add". In the "Security Policy Rule" window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, complete the "Source Zone" and "Source Address" fields. For the "Source Zone" field, select "external". For the "Source Address" field, select "any". In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields. For the "Destination Zone" field, select the internal and DMZ zones. Note: The exact number and name of zones are specific to the network. For the "Destination Address" field, select "any". In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute". In the "Actions tab", select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears. |