
Tunnel entry point and the tunnel exit point must contain filters for expected tunnel protocol traffic with source and destination addresses and deny the remaining traffic by default.


Overview

Finding ID: V-18635
Version: NET-TUNL-004
Rule ID: SV-20200r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
Tunnel endpoints that do not have the same controls as the network perimeter requirements become an unprotected entry point into the enclave.
STIG: Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Date: 2016-07-07

Details

Check Text (C-22330r1_chk)
These filtering actions enforce proper tunnel endpoint addresses at the border of the tunnel entry and exit points. Filtering is necessary because implementations may not enforce tunnel addresses in all cases. Filtering is also necessary because GRE tunneling implementations are not required by standards to check or enforce tunnel endpoint addresses.


Endpoint Verification at the Exit network (I) - Allow inbound IPv4 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel.

Endpoint Verification at the Exit network (II) - Allow inbound IPv4 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel.

Endpoint Verification at the Exit network (III) - Allow inbound IPv6 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel.

Endpoint Verification at the Exit network (IV) - Allow inbound IPv6 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel.

Endpoint Verification at the Exit network (V) - Allow inbound IPv4 and IPv6 packets with a protocol value of 0x2F (47) that have both source and destination addresses of a deliberately configured GRE tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured GRE tunnel.

Network configuration - Report bad inbound tunnel packets as a Security Event. Inbound packets that fail the filtering of the actions at the exit point should trigger a security alert since the entry point network filtering should catch all legitimate mistakes. These occurrences are likely the result of network attacks.



These filtering actions enforce proper tunnel endpoint addresses at the border of the entry point network. By filtering the addresses of tunneled data for validity, the entry point network can detect configuration errors and users conducting unauthorized tunneling operations.

Endpoint Verification at the Entry network, (I) Allow outbound IPv4 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel.

Endpoint Verification at the Entry network, (II) Allow outbound IPv4 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel.

Endpoint Verification at the Entry network, (III) Allow outbound IPv6 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel.

Endpoint Verification at the Entry network, (IV) Allow outbound IPv6 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel.

Endpoint Verification at the Entry network, (V) Allow outbound IPv4 and IPv6 packets with a protocol value of 0x2F (47) that have both source and destination addresses of a deliberately configured GRE tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured GRE tunnel.


Network configuration - Report bad outbound tunnel packets as Network Management errors.
Outbound packets that fail the filtering of actions at the entry point should trigger a network management error since these are likely configuration or routing errors. This may also detect unauthorized tunneling by users.


Review the tunnel end-points and verify a filter is present.

The filter for the tunnel entry-point must be defined to permit expected traffic that enters the tunnel. All other traffic must be denied. This filter must contain a permit statement that explicitly permits the tunnel type (protocol) and the source and destination address.

The filter for the tunnel exit-point must be defined to permit the expected traffic that exits the tunnel. All other traffic must be denied. This filter must contain a permit statement that explicitly permits the tunnel type (protocol) and the source and destination address.
Fix Text (F-19262r1_fix)
Explicitly permit trusted network traffic and establish a deny by default policy at the tunnel entry and exit points.
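The following Cisco IOS configuration is an added example of the entry-point and exit-point filters the check text and fix text describe; it is not part of the STIG and not configuration from any real device. The endpoint addresses (192.0.2.1, 198.51.100.1, 2001:db8:a::1, 2001:db8:b::1), the interface name GigabitEthernet0/1, and the ACL names are constructed for illustration. Each access list permits only the deliberately configured tunnel protocols (IP protocol 4, 41 and 47) between the exact outer-header source and destination pair, then denies and logs everything else, which is the deny-by-default policy the fix text calls for. Inbound (exit network) and outbound (entry network) filters are kept as separate lists so that their log entries, which carry the ACL name, can be classified differently: the inbound list as a security event, the outbound list as a network management error, as the check text distinguishes.

```cisco
! Assumed topology (constructed for this example, not from the STIG):
!   Local tunnel endpoint (this switch):  192.0.2.1    / 2001:db8:a::1
!   Remote tunnel endpoint (far side):    198.51.100.1 / 2001:db8:b::1
!   Tunnel-facing outside interface:      GigabitEthernet0/1
!
! ---- Exit network: inbound filter on the outside interface ----
! Permit only the configured tunnels, and only when BOTH outer-header
! addresses match. Anything else is dropped and logged; the check text
! treats inbound failures as a security event.
ip access-list extended TUNNEL-EXIT-IN
 remark (I)  IPv4-in-IPv4, IP protocol 4
 permit ipinip host 198.51.100.1 host 192.0.2.1
 remark (II) IPv6-in-IPv4, IP protocol 41
 permit 41 host 198.51.100.1 host 192.0.2.1
 remark (V)  GRE, IP protocol 47
 permit gre host 198.51.100.1 host 192.0.2.1
 remark deny by default; log-input also records the ingress interface
 deny ip any any log-input
!
ipv6 access-list TUNNEL6-EXIT-IN
 remark (III) IPv4-in-IPv6, next header 4
 permit 4 host 2001:db8:b::1 host 2001:db8:a::1
 remark (IV)  IPv6-in-IPv6, next header 41
 permit 41 host 2001:db8:b::1 host 2001:db8:a::1
 remark (V)   GRE over IPv6, next header 47
 permit 47 host 2001:db8:b::1 host 2001:db8:a::1
 deny ipv6 any any log
!
! ---- Entry network: outbound filter on the outside interface ----
! Same endpoint pairs with source and destination swapped. Failures
! here are reported as network management errors (likely misconfiguration).
ip access-list extended TUNNEL-ENTRY-OUT
 permit ipinip host 192.0.2.1 host 198.51.100.1
 permit 41 host 192.0.2.1 host 198.51.100.1
 permit gre host 192.0.2.1 host 198.51.100.1
 deny ip any any log
!
ipv6 access-list TUNNEL6-ENTRY-OUT
 permit 4 host 2001:db8:a::1 host 2001:db8:b::1
 permit 41 host 2001:db8:a::1 host 2001:db8:b::1
 permit 47 host 2001:db8:a::1 host 2001:db8:b::1
 deny ipv6 any any log
!
! Apply the filters in both directions on the tunnel-facing interface.
interface GigabitEthernet0/1
 ip access-group TUNNEL-EXIT-IN in
 ip access-group TUNNEL-ENTRY-OUT out
 ipv6 traffic-filter TUNNEL6-EXIT-IN in
 ipv6 traffic-filter TUNNEL6-ENTRY-OUT out
```

When reviewing a device against this check, `show ip access-lists TUNNEL-EXIT-IN`, `show ipv6 access-list`, and `show running-config interface GigabitEthernet0/1` confirm that the permit entries name the tunnel protocol with a specific host source and host destination, that a logged deny closes each list, and that the lists are actually bound to the interface. If the outside interface also carries non-tunnel traffic, these tunnel entries belong in that interface's existing access list ahead of its final deny; the condition to verify is then that no broader permit for protocols 4, 41 or 47 exists anywhere in the list. Forwarding the resulting `%SEC-6-IPACCESSLOGNP` syslog messages to the SIEM lets the inbound and outbound ACL names be mapped to the two alert categories the check text specifies.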