Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14691 | NET0926 | SV-15389r4_rule | ECSC-1 | High |
Description |
---|
This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed or has not been officially assigned to an ISP for use by the RIR to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or to the network. |
STIG | Date |
---|---|
Perimeter L3 Switch Security Technical Implementation Guide | 2018-11-27 |
Check Text ( C-12856r8_chk ) |
---|
External Interfaces peering with NIPRNet or SIPRNet: Review the inbound ACLs on external facing interfaces of perimeter devices attached to the NIPR or SIPR to validate access control lists are configured to block, deny, or drop inbound IP addresses using RFC5735 and RFC6598. Examples of address space specified in RFC5735 and RFC6598: 0.0.0.0 255.0.0.0 100.64.0.0 255.192.0.0 192.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0 198.18.0.0 255.254.0.0 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0 224.0.0.0 240.0.0.0 240.0.0.0 240.0.0.0 External Interfaces peering with commercial ISPs or other non-DoD network sources: Review the inbound ACLs on external facing interfaces of perimeter devices to validate access control lists are configured to block, deny, or drop inbound IP addresses specified in both RFC5735 and RFC6598. Along with network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a full bogon list that includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user can be obtained at the link below, as it is updated regularly. If RFC5735 and RFC 6598 address space isn't blocked on the external interface, this is a finding. |
Fix Text (F-14156r5_fix) |
---|
Configure inbound ACLs on external facing interfaces of perimeter devices peering with NIPRNet or SIPRNet to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. Configure inbound ACLs on external facing interfaces of perimeter devices peering with commercial ISPs or other non-DoD networks to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. Along with network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a fullbogon list that includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user can be obtained at the link below, as it is updated regularly. http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt |