Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the network device interface ACLs to verify all deny statements are logged. If deny statements are not logged, this is a finding.
Configure interface ACLs to log all deny statements.
Have the SA display the configuration settings that enable this feature. Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples: In CISCO Router(config)# crypto ipsec transform-set transform-set-name transform1 Router(cfg-crypto-tran)# mode tunnel OR in Junos edit security ipsec security-association sa-name] mode tunnel
Establish the VPN as a tunneled VPN. Terminate the tunneled VPN outside of the firewall. Ensure all host-to-host VPN are established between trusted known hosts.
Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.
Configure the network devices so it will require a password to gain administrative access to the device.
Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.
Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."
Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup). If the device is configured as a client resolver and DNS servers are not defined, this is a finding.
Configure the device to include DNS servers or disable domain lookup.
Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management network. If the device is not configured to filter SNMP from the management network only, this is a finding.
Configure the network devices to only allow SNMP access from only addresses belonging to the management network.
Review the ingress filter and verify SNMP has been restricted. SNMP operates on the TCP/UDP port 161.
The administrator will change the router configuration to block SNMP traffic at the perimeter.
Interfaces peering with commercial ISPs or other non-DoD network sources: Review ACLs configured on external interfaces of network devices connected to untrusted networks (e.g., ISP and other non-DoD networks) are blocking inbound ICMP messages. The following are exceptions are allowed inbound. Exceptions: ICMP messages Echo Reply (type 0) ICMP Destination Unreachable – fragmentation needed (type 3 - code 4) Source Quench (type 4) Parameter Problem (type 12). External Interfaces peering with NIPRNet or SIPRNet: This rule is NA. If ICMP messages are not blocked inbound on external facing interfaces to an ISP and other non-DoD network, this is a finding.
Configure ACLs on external interfaces of network devices connected to untrusted networks (e.g., ISP and other non-DoD networks) to block inbound ICMP messages. Exceptions to this rule are listed below. Exceptions: ICMP messages Echo Reply (type 0) ICMP Destination Unreachable – fragmentation needed (type 3 - code 4) Source Quench (type 4) Parameter Problem (type 12)
Review ACLs configured on network devices connected to untrusted networks (e.g., ISP and other non-DoD networks) are blocking outbound ICMP messages. The following are exceptions are allowed outbound. Exceptions: ICMP messages Packet-too-Big (type 3, code 4) Source Quench (type 4) Echo Request (type 8) If ICMP messages are not blocked outbound, this is a finding.
Configure ACLs on network devices to block outbound ICMP messages. Exceptions to this rule are listed below. Exceptions: ICMP messages Packet-too-Big (type 3, code 4) Source Quench (type 4) Echo Request (type 8)
Review the device configuration to determine if ACLs block ICMP Type 11 - Time exceeded outbound to untrusted networks (e.g., ISP and other non-DoD networks). If ICMP Type 11 - Time Exceeded is not blocked outbound on the network device, this is a finding.
Configure an ACL on the network device to block ICMP Type 11 - Time Exceeded outbound to untrusted networks (e.g., ISP and other non-DoD networks).
Review the device configuration to determine if authentication is configured for all IGP peers. If authentication is not configured for all IGP peers, this is a finding.
Configure authentication for all IGP peers.
Review the router configuration and compare it against the network documentation (topology diagrams and peering agreements). Verify that each BGP peering session is configured with the correct IP address and remote Autonomous System Number (ASN). If any BGP peering session is not configured with the correct IP address and remote ASN, this is a finding.
Configure each BGP peering session to the specific IP address of the peer router and remote ASN assigned to the organization controlling that peer.
Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.
Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.
Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.
Configure individual user accounts for each authorized person then remove any group accounts.
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.
Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.
Review the network devices configuration to determine if passwords are viewable. If passwords are viewable in plaintext, this is a finding.
Configure the network devices to ensure passwords are not viewable when displaying configuration information.
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
Review the running and boot configurations to determine if they are synchronized. IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. The "show startup-config" command will show the NVRAM startup configuration. Compare the two configurations to ensure they are synchronized. JUNOS Procedure: This will never be a finding. The active configuration is stored on flash as juniper.conf. A candidate configuration allows configuration changes while in configuration mode without initiating operational changes. The router implements the candidate configuration when it is committed; thereby, making it the new active configuration--at which time it will be stored on flash as juniper.conf and the old juniper.conf will become juniper.conf.1. If running configuration and boot configurations are not the same, this is a finding.
Add procedures to the standard operating procedure to keep the running configuration synchronized with the startup configuration.
Review all router configurations to ensure LLDPs are not included in the global configuration or LLDPs are not included for each active external interface. On Cisco routers ensure "no cdp run" is included in the global configuration or "no cdp enable" is included for each active external interface. If LLDPs are configured globally or on any external facing interfaces, this is a finding.
Configure the device so Link Layer Discovery Protocols are not included in the global configuration or Link Layer Discovery Protocols are not included for each active external interface.
Review the device configuration to determine if Finger has been implemented. If the Finger service is enabled, this is a finding.
Configure the device to disable the Finger service.
Review the configuration to determine if source routing is disabled. If IP source routing is enabled, this is a finding.
Configure the router to disable IP source routing.
Review the device configuration to determine if controls have been defined to ensure the router does not send ICMP unreachables, redirects, and mask replies out to any external interfaces. If ICMP unreachables notifications, mask replies, and redirects are enabled on external interfaces, this is a finding.
Disable ICMP unreachable notifications, mask replies, and redirects on all external interfaces.
Review the device configuration to determine that HTTP is not enabled for administrative access. The HTTPS server may be enabled for administrative access. If the device allows the use of HTTP for administrative access, this is a finding.
Configure the device to disable using HTTP (port 80) for administrative access.
Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.
Remove any vendor default passwords from the network devices configuration.
Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.
Update operating system to a supported version that addresses all related IAVMs.
Review the device configuration and validate uRPF or an egress ACL has been configured on all internal interfaces.
Configure the network device from accepting any outbound IP packet that contains an illegitimate address in the source address field by enabling uRPF Strict mode or via egress ACL.
Review the device configuration to determine if TCP Intercept has been configured to mitigate TCP SYN Flood attacks. If TCP Intercept has not been implemented, this is a finding. CAVEAT: If the site has implemented SYN flood protection for the network using the perimeter firewall or IPS (or an IDS if it is configured to dynamically configure upstream router to block the attack), there is not an additional requirement to implement it on the router.
Configure the device to use TCP Intercept to protect against TCP SYN attacks from outside the network.
Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.
Configure authentication for all management connections.
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.
If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).
Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.
Configure unique SNMP community strings replacing the default community strings.
Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the local account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.
Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.
Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.
Configure the timeout for idle console connection to 10 minutes or less.
Base Procedure: The administrator will bind the ingress ACL filtering packets entering the network to the external interface in an inbound direction. Note: All filters must be applied to the appropriate interfaces on an inbound direction. Ingress filtering is applied to all traffic entering the enclave. The ingress filter would be bound to all external interfaces.
Bind the ingress ACL to the external interface (inbound) and the egress ACL to the internal interface (inbound).
Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding.
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
Review the network topology diagram, and review VPN concentrators. Verify that L2TP is not permitted into the enclave's private network. L2TP uses TCP and UDP ports 1701. See the PPS Vulnerability Assessment for additional protocol guidance and reference the Backbone Transport STIG for exceptions. If L2TP is not filtered outbound, this is a finding.
Terminate L2TP tunnels at the enclave perimeter, either in the DMZ or a service network for filtering and content inspection before passing traffic to the enclave's private network.
Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.
Configure authentication for console access on the network device.
Review the network device configuration to ensure all messages up to and including severity level 6 (informational) are logged and sent to a syslog server. Severity Level Message Type 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warning 5 Notifications 6 Informational 7 Debugging If logging does not capture of up severity level 6, this is a finding.
Configure the network device to log all messages except debugging and send all log data to a syslog server.
Review the running config of the router that connects to an AG and verify that each permit statement of the ingress ACL is configured to only permit packets with destination addresses of the site’s NIPRNet address space or that belonging to the address block assigned by the AG network service provider. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP).
Insure the ingress ACL for any interface connected to an AAG is configured to only permit packets with a destination address belonging to the sites address block.
Review the configuration of the router connecting to the AG and verify that there are no BGP neighbors whose remote AS belongs to the AG service provider. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP).
The only method to be used to reach the AG will be through a static route.
Review the configuration of the router connecting to the AG and verify that there are no routes being redistributed into the enclave from the AG. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP).
Use distribute lists prefix lists to insure AG routes are not redistributed into the NIPRNet BGP or sites IGP (OSPF, EIGRP, RIP, etc).
Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.
Configure an ACL or filter to restrict management access to the device from only the management network.
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.
Configure the network devices so it will require a secure shell timeout of 60 seconds or less.
Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.
Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.
Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.
Identify the device or devices that make up the perimeter defense. Review the configuration of the premise routers and firewalls and verify that the filters are IAW DoD 8551. SA will review PPS Vulnerability Assessment of every port allowed into the enclave and apply all appropriate mitigations defined in the VA report. All ports and protocols allowed into the enclave must be registered in the PPSM database. Note: It is the responsibility of the enclave owner to have the applications the enclave uses registered in the PPSM database.
The SA will utilize ingress and egress ACLs to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1 for all services and protocols required for operational commitments.
Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
The enclave perimeter requirement for filtering, to include JTF-GNO PPS filtering rules, and monitoring traffic will be enforced for any traffic from the AG. All traffic leaving the enclave, regardless of the destination--AG or NIPRNet addresses, will be filtered by the premise router's egress filter to verify that the source IP address belongs to the enclave. Note: An Approved Gateway (AG) is any external connection from a DoD NIPRNet enclave to an Internet Service Provider, or network owned by a contractor, or non-DoD federal agency that has been approved by either the DoD CIO or the DoD Component CIO. This AG requirement does not apply to commercial cloud connections when the Cloud Service Provider (CSP) network is connected via the NIPRNet Boundary Cloud Access Point (BCAP).
Ensure the perimeter is protected from this path. A deny by default policy is enforced at this connection and the site is in compliance with all PPS 13 and 14 boundaries.
Inspect the device configuration to validate IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (i.e. NIPRNet, SIPRNet, etc.), backdoor link, or an alternate gateway (AG). If router advertisements are not suppressed on external facing IPv6 interfaces, this is a finding.
Configure the network device to enable route advertisement suppression on all external facing have IPv6 enabled on the interface.
Review the device configuration to determine if each eBGP peer is authenticated with a unique password. If a unique password is not configured for each eBGP peer, this is a finding.
Configure unique password for each eBGP neighbor.
Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.
Configure the device so rotating keys expire at 180 days or less.
Review the device configuration to determine if the device has been setup to be an FTP server. If the device has been configured to be an FTP server, this is a finding.
Disable FTP server services on the device.
Review the device configuration and verify there are no BSDr commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) enabled. If BSDr commands are enabled, this is a finding.
Configure the device to disable BSDr command services.
Review the active configuration to determine if controls have been defined to ensure router has ICMPv6 unreachables or redirects disabled any external interfaces.
The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces.
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Downgrade: If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III. If the network element is not configured to authenticate received NTP messages using a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.
Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.
Review the device configuration and determine if authentication services are using the loopback or OOB management interface as the source address. If the loopback or OOB management interface isn't being used as the source address for authentications services, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating authentication services traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating syslog traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for syslog traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating syslog traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating NTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for NTP traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating NTP traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating SNMP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for SNMP traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating SNMP traffic.
Review the configuration and verify the loopback interface address is used as the source address when originating NetFlow traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for IP Flow/NetFlow traffic, this is a finding.
Configure the device to use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.
Review the device configuration to verify the loopback interface address is used as the source address when originating TFTP or FTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for TFTP or FTP traffic, this is a finding.
Configure the network device to use a loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
Review the configuration and verify iBGP peering uses the devices loopback interface address as the source address. If the loopback interface isn't being used as the source address for iBGP peering, this is a finding.
Configure the network device's loopback address as the source address for iBGP peering.
Review the firewall filter or have the SA provide the router filter mitigating the vulnerability. IOS Procedure: Verify that an ACL for IPv6 has been defined to deny packets with unknown or invalid payload, and log all violations. The ACL should be defined on the ingress and egress filters and should look as shown in the following example: ipv6 access-list inbound-to-enclave remark prohibit unknown protocols deny ipv6 any any undetermined-trans log …
Ensure the undetermined transport command is implemented.
The Routing Header is identified by a Next Header value of 43 (0x2B). To drop all types including type 2 Mobile IPv6 (MIPv6) a filter can be defined to drop the Routing Header 43 (0x2B). If MIPv6 is required a permit will be required for Routing Header 43 (0x2B) Type 2, and then drop the remaining Routing Headers 43 (0x2B). Verify that a filter for IPv6 traffic has been defined to deny packets that include a Routing Header of Type 0, Type 1, and Type 3-255 by all external router interfaces. The ACL should be defined on the ingress filters of the firewall or perimeter router. If a filter to deny packets with Routing Header of Type 0, Type 1, and Type 3-255 is not in place on the external router interfaces, this is a finding. IOS example filtering Type 0 only: ipv6 access-list inbound-to-enclave remark prohibit IPv6 routing header type0 deny ipv6 any any routing-type 0 log … IOS example filtering packets with a Next-Header Routing: ipv6 access-list inbound-to-enclave remark prohibit IPv6 routing header type0 deny ipv6 any any routing … JUNOS example filtering packets with a Next-Header Routing: firewall { family inet6 { filter inbound-to-enclave { term routing-header { from { next-header routing; } then { reject; }
IPv6 traffic with a Routing Header Type 0, 1, 3-255 must be dropped by all external router interfaces.
Review the configuration and ensure only approved ICMP types and codes are permitted into the enclave. Use source and destination filtering where appropriate. Apply the ICMP fragment filter to prevent DOS.
The network element must be configured to include controls to block inbound exploitable ICMP traffic message types.
Review the configuration and ensure only approved ICMP types are permitted to exit the enclave. Use source and destination filtering where appropriate. For the purpose of troubleshooting WAN link connectivity, inbound ICMP echo requests destined to the premise router’s external IP address and outbound echo replies originated by the premise router are permitted if the following conditions are met: 1. Inbound ICMP echo requests are restricted to packets sourced from a specific IP address and destined to the premise router’s external interface address. This filtering must be done via input ACL assigned to the premise router’s external interface. 2. Inbound ICMP echo requests must be rate limited via input service policy assigned to the premise router’s external interface or the control plane (see NET0966). Note: Outbound traffic generated by the router can only be filtered by using an outbound service policy on the control plane for IOS routers or outbound firewall on the routing engine for JUNOS routers. However, the router will only generate ICMP echo replies for ICMP echo requests that it is allowed to receive; hence, there is no need to filter these.
The network element must be configured to include controls to block outbound ICMP traffic message types.
Review the router configuration and verify that all internal interfaces have been configured with an ACL or filter on an inbound direction.
Bind the ingress ACL to the external interface (inbound) and the egress ACL to the internal interface (inbound).
Review the perimeter device configuration to ensure access control lists are configured to block, deny, or drop inbound IP addresses using the local host IP address space of 127.0.0.0/8. Depending on the security posture of the access control list, this requirement may be met explicitly or inexplicitly.
Configure the perimeter device to ensure access control lists are configured to block, deny, or drop inbound IP addresses using the local host IP address space of 127.0.0.0/8. Depending on the security posture of the access control list, this requirement may be met explicitly or inexplicitly.
Review the perimeter device configuration to ensure access control lists are configured to block, deny, or drop inbound IP addresses using the link-local IP address space of 169.254.0.0/16. Depending on the security posture of the access control list, this requirement may be met explicitly or inexplicitly.
Configure the perimeter device to ensure access control lists are configured to block, deny, or drop inbound IP addresses using the local host IP address space of 169.254.0.0/16. Depending on the security posture of the access control list, this requirement may be met explicitly or inexplicitly.
External Interfaces peering with NIPRNet or SIPRNet: Review the inbound ACLs on external facing interfaces of perimeter devices attached to the NIPR or SIPR to validate access control lists are configured to block, deny, or drop inbound IP addresses using RFC5735 and RFC6598. Examples of address space specified in RFC5735 and RFC6598: 0.0.0.0 255.0.0.0 100.64.0.0 255.192.0.0 192.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0 198.18.0.0 255.254.0.0 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0 224.0.0.0 240.0.0.0 240.0.0.0 240.0.0.0 External Interfaces peering with commercial ISPs or other non-DoD network sources: Review the inbound ACLs on external facing interfaces of perimeter devices to validate access control lists are configured to block, deny, or drop inbound IP addresses specified in both RFC5735 and RFC6598. Along with network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a full bogon list that includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user can be obtained at the link below, as it is updated regularly. If RFC5735 and RFC 6598 address space isn't blocked on the external interface, this is a finding.
Configure inbound ACLs on external facing interfaces of perimeter devices peering with NIPRNet or SIPRNet to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. Configure inbound ACLs on external facing interfaces of perimeter devices peering with commercial ISPs or other non-DoD networks to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. Along with network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a fullbogon list that includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user can be obtained at the link below, as it is updated regularly. http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
Review the perimeter device configuration to ensure access control lists are configured to block, deny, or drop inbound IP addresses using the RFC1918 IP address space of 10.0.0.0/8, 172.16.0.0 /12, and 192.168.0 /16. Depending on the security posture of the access control list, this requirement may be met explicitly or inexplicitly.
Configure the perimeter device to ensure access control lists are configured to block, deny, or drop inbound IP addresses using the RFC1918 IP address space of 10.0.0.0/8, 172.16.0.0 /12, and 192.168.0 /16. Depending on the security posture of the access control list, this requirement may be met explicitly or inexplicitly.
Review the device configuration to ensure FEC0::/10 IP addresses are not defined. If FEC0::/10 IP addresses are defined, this is a finding.
Configure the device using authorized IP addresses.
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or implicitly. If ingress and egress ACLs for IPv6 have not been defined to deny Site Local Unicast Addresses and log all violations, this is a finding.
The administrator will configure the router ACLs to restrict IP addresses that contain any Site Local Unicast addresses.
Review the device configuration to ensure filters are in place to restrict inbound IP addresses explicitly, or inexplicitly. Verify that an ingress ACL for IPv6 has been defined to deny IPv6 Loopback, and log all violations. If the appropriate filters are not configured and applied, this is a finding.
Configure and apply the filters to restrict IP addresses that contain any loopback addresses.
Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or implicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the Unspecified Address and log all violations. If the appropriate filters are not configured and applied, this is a finding.
The administrator will configure the router ACLs to restrict IP addresses that contain any Unspecified Address.
Review the perimeter router configuration to ensure filters are in place to restrict the IP addresses. Verify that ingress and egress ACLs for IPv6 have been defined to deny the multicast source addresses and log all violations.
Configure the perimeter router access control lists to deny any IPv6 multicast address used as a source address.
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or inexplicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the embedded IPv4-compatible IPv6 addresses and log all violations.
The administrator will configure the router ACLs to restrict IP addresses that contain any embedded IPv4-compatible IPv6 addresses.
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or inexplicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the embedded IPv4-mapped IPv6 addresses and log all violations.
The administrator will configure the router ACLs to restrict IP addresses that contain any embedded IPv4-mapped IPv6 addresses.
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or inexplicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the Unique Local Unicast addresses and log all violations.
The administrator will configure the router ACLs to restrict IP addresses that contain any Unique Local Unicast addresses.
Unicast Strict mode: Review the router configuration to ensure uRPF has been configured on all internal interfaces.
The network element must be configured to ensure that an ACL is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.
Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.
Configure the network device to use SSH version 2.
Verify ISATAP tunnels are terminated on the infrastructure routers or L3 switches within the enclave.
Terminate ISATAP tunnels at the infrastructure router to prohibit tunneled traffic from exiting the enclave perimeter prior to inspection by the IDS, IPS, or firewall.
Base Procedure: Specifying the IPv4 address of the 6to4 relay on the 6to4 router can mitigate these vulnerabilities.
Define a filter that allows 6to4 tunneling from trusted 6to4 relays.
Inspect the network device configuration to validate Teredo packets, UDP port 3544 is blocked both inbound to the enclave and outbound from the enclave. This requirement must be administered on either the perimeter router or firewall. If Teredo is not blocked one of these devices, this is a finding.
Configure either the perimeter router or firewall to block UDP port 3544 traffic inbound and outbound.
Base Procedure:Review network diagram in the STIG and ensure the architecture is designed correctly. The interface adjacent to the IPv4 LAN interface must not deploy IPv6 over IPv4. The techniques include using manually configured tunnels, generic routing encapsulation (GRE) tunnels, semiautomatic tunnel mechanisms such as tunnel broker services, and fully automatic tunnel mechanisms such as 6to4 for the WAN and intra-site automatic tunnel addressing protocol (ISATAP).
If NAT/PT is required the tunnel needs to be removed.
Review network diagram in the STIG and ensure the architecture is designed correctly. The interface facing the IPv4 LAN network must not receive IPv6 traffic. This can be accomplished by not having IPv6 on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at this interface. If interfaces supporting IPv4 in NAT-PT receive IPv6 traffic, this is a finding.
This can be accomplished by not having IPv6 enabled on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at the interface.
Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.
Configure the device to use two separate authentication servers.
Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.
Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.
Review the device configuration to determine if IPSec tunnels used in transiting management traffic are filtered to only accept authorized traffic based on source and destination IP addresses of the management network. If filters are not restricting only authorized management traffic into the IPSec tunnel, this is a finding.
Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.
Verify the configuration at the remote VPN end-point is a mirror configuration as that reviewed for the local end-point.
Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network.
Ensure that multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that the all interfaces are configured for the appropriate IGP instance.
Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa. As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well. If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration examples, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone.
Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.
Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.
Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.
Examine the egress filter on the OOBM interface of the gateway router to verify that only traffic sourced from the management address space is allowed to transit the OOBM backbone. In the example configurations below, the 10.1.1.0/24 is the management network address space at the enclave or managed network and 10.2.2.0/24 is the management network address space at the NOC.
Configure the OOBM gateway router interface ACLs to ensure traffic from the managed network does not leak into the management network.
Examine the ingress filter on the OOBM interface of the gateway router to verify that traffic is only destined to the local management address space. If the device is not configured from prohibiting management traffic off the managed network, this is a finding.
Configure access control lists or filters to block any traffic from the management network destined for the managed network's production address spaces.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.
Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.
Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. If the management interface is not configured to be passive for IGP instances, this is a finding.
Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
Review router configuration to verify that any traffic destined to the management network is blocked.
Configure the gateway router of the managed network with an ACL or filter on the egress interface to block all outbound management traffic.
Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface.
If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.
For both the NOC and the managed network, the IPSec tunnel end points may be configured on the premise or gateway router, a VPN gateway firewall or VPN concentrator. Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation.
Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.
Review the configuration of the MLS or router to determine if the management traffic is classified and marked to a favorable PHB at the distribution layer. According to the DISN approved QoS classifications, control plane and management plane traffic should use DSCP 48 (Network-Control PHB). In the example configurations below, an infrastructure router within the managed network’s distribution layer will classify and mark at ingress all traffic destined to management network with DSCP 48.
When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network. Verify that a service policy is bound to all core or internal router interfaces. The service policy should be configured to place management traffic in the appropriate forwarding class. The classes must be configured to receive the required service.
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic.
Review the firewall protecting the server farm to validate an ACL with a deny-by-default security posture has been implemented that secures the servers located on the VLAN. If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, then review the ACL configured for the VLAN on the L3 switch.
Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.
Review the device configuration to ensure filters are in place to restrict the IP addresses explicitly or implicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny 6-to-4 tunnel addresses and log all violations. source type: 2002::/16 If filters are not in place to deny 6-to-4 tunnel addresses, this is a finding.
Configure the device using filters to restrict IP addresses that contain any 6-to-4 addresses.
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or inexplicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the 6bone address space and log all violations.
The administrator will configure the router ACLs to restrict IP addresses that contain any 6bone addresses.
Review the network device configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723 If the appropriate filters are not configured and applied, this is a finding.
Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723
These filtering actions enforce proper tunnel endpoint addresses at the border of the tunnel entry and exit points. Filtering is necessary because implementations may not enforce tunnel addresses in all cases. Filtering is also necessary because GRE tunneling implementations are not required by standards to check or enforce tunnel endpoint addresses. Endpoint Verification at the Exit point (I) - Allow inbound IPv4 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. Endpoint Verification at the Exit network (II) - Allow inbound IPv4 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. Endpoint Verification at the Exit network (III) - Allow inbound IPv6 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. Endpoint Verification at the Exit network (IV) - Allow inbound IPv6 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. Endpoint Verification at the Exit network (v) - Allow inbound IPv4 and IPv6 packets with a protocol value of 0x2F (47) that have both source and destination addresses of a deliberately configured GRE tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured GRE tunnel. Network configuration - Report bad inbound tunnel packets as a Security Event. Inbound packets that fail the filtering of the actions at the exit point should trigger a security alert since the entry point network filtering should catch all legitimate mistakes. These occurrences are likely the result of network attacks. These filtering actions enforce proper tunnel endpoint addresses at the border of the entry point network. By filtering the tunneled data for validity, the entry point network can detect configuration errors and users conducting unauthorized tunneling operations. By filtering the addresses of tunneled data for validity, the entry point network can detect configuration errors and unauthorized tunneling operations by bad users. Endpoint Verification at the Entry network, (I) Allow outbound IPv4 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. Endpoint Verification at the Entry network, (II) Allow outbound IPv4 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. Endpoint Verification at the Entry network, (III) Allow outbound IPv6 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. Endpoint Verification at the Entry network, (IV) Description: Allow outbound IPv6 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. Endpoint Verification at the Entry network, (v) Allow outbound IPv4 and IPv6 packets with a protocol value of 0x2F (47) that have both source and destination addresses of a deliberately configured GRE tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured GRE tunnel. Network configuration - Report bad outbound tunnel packets as Network Management errors. Outbound packets that fail the filtering of actions at the entry point should trigger a network management error since these are likely configuration or routing errors. This may also detect unauthorized tunneling by users. Review the tunnel end-points and verify a filter is present. The filter for the tunnel entry-point must be defined to permit expected traffic that enters the tunnel. All other traffic must be denied. This filter must contain a permit statement that explicitly permits the tunnel type (protocol) and the source and destination address. The filter for the tunnel exit-point must be defined to permit the expect traffic that exits the tunnel. All other traffic must be denied. This filter must contain a permit statement that explicitly permits the tunnel type (protocol) and the source and destination address.
Explicitly permit trusted network traffic and establish a deny by default policy at the tunnel entry and exit points.
This vulnerability description and required safeguard is not applicable to MPLS auto tunnels used in traffic engineering. The following three tunnel types (4-in-4, 4-in-6, and 6-in-6) do not have requirements built into the standards. Tunnel exit points must be filtered to ensure these protocols have a valid destination address. If a destination address is not defined for these protocols, than drop the packets via the deny-by-default tunnel policy. 4-in-4 - protocol number: 0x04 (4) 4-in-6 - protocol number: 0x04 (4) 6-in-6 - protocol number: 0x29 (41) GRE - protocol number: 0x2F (47) ESP - protocol (50) AH - protocol (51) The language in the actions above such as “Drop any ... packet” should be modified as appropriate to account for the packets of any legitimate and deliberately chosen mechanisms. However these deliberate tunnels that do not comply with this policy need to be documented in the SSAA detailing purpose and verification data.
Review identified protocols allowed to enter the enclave. If the tunnels do not have explicit IP addresses than drop the tunnel by the deny-by-default tunnel policy, else document the auto configured tunnel in the SSAA describing the activity and perform periodic reviews for the tunnel need.
NOTE: This requirement applies to any tunnel that is not an IPSec tunnel between two sites, part of the same enclave, and is under control of the same DAA. This guidance describes three ways in which the inner IP layer filtering task may be accomplished, depending on the advances in firewall technology. Refer to NSA firewall design considerations for IPv6 section 5.2 for a description of desired firewall filtering capabilities for tunneled traffic. This reference document defines primary filtering as a firewall that can filter the inner source and destination IP addresses of a tunneled packet in a manner similar to filtering source and destination ports of a TCP or UDP packet. Secondary filtering capability is defined to be the ability to fully filter the entire inner IP layer to the same degree an untunneled packet is filtered. The Primary guidance below assumes an advanced firewall with the capability to perform both the primary and secondary filtering functions as explained above. Alternative 1 below assumes that the firewall can perform only the primary filtering function. Alternative 2 assumes the firewall cannot do either primary or secondary filtering as may be the case with some existing firewall products. For Alternatives 1 and 2, the decapsulation point may be an interior router with the filtering of the inner IP layer performed by a secondary firewall. Additional actions are provided to protect the decapsulating node itself from being attacked, since this node is in front of the protective filtering. Primary (FW can do both primary and secondary filtering) ACTION #1 Enforce Proper Tunnel Access (per IP address): At the tunnel exit point network, drop any emerging tunnel packets (of either IP version) whose inner IP layer source address is not within the range or set of ranges of expected values from the tunnel entry point network. The expected addresses are those that are configured into the tunnel via routes to a tunnel by name, by address, or by interface (NET-TUNL-012). Regardless of how traffic is routed into a tunnel entry point, the network should ensure that the resulting tunnel packets have a specific tunnel entry point source address (i.e. outer IP layer) that can be used for reliable filtering. Note: The primary filtering capability defined in the justification section above can be used to accomplish this task in conjunction with the tunnel endpoint verification of NET-TUNL-004. Primary (FW can do both primary and secondary filtering) ACTION #2 Apply Baseline Filtering as a Minimum: All packets that pass the filtering of action #1 above must be fully filtered per the baseline guidance defined ( Apply all NET-IPV6-xxx filtering to the inner IP layer via the firewall’s secondary filtering capability, and NET-TUNL-001. Notes: a) Includes (drop all Neighbor Discovery packets that emerge from tunnels). b) Includes (drop all packets containing a Link-local source or destination address that emerge from tunnels). c) Includes “Filtering Integrity for Fragmented Packets” applied to the inner IP layer. d) Includes blocking IP-in-IP tunneling. This applies to the next tunnel layer. Primary (FW can do both primary and secondary filtering) ACTION #3 Restrict Tunnel contents to the greatest extent possible: Description: Network administrators should apply additional filtering to restrict the tunnel contents to only the intended traffic types and destinations. The details of this filtering must be determined on a case-by-case basis. Note1: Tunnels are employed for a specific purpose and type of traffic, therefore it is likely that the tunnel traffic can be restricted more stringently than normal (un-tunneled) traffic. Note 2: The source addresses of the decapsulated packets can be used reliably to distinguish tunnels if there are more than one. This is true because action #1 above has already verified proper inner IP source address for each tunnel. ------------------------------------------------------------------------------------------------------------------------------- Alternative 1 - (FW can do only primary filtering) - Action #4 - Enforce Proper Tunnel Access (per IP address) Description: (Same as Primary Guidance action #1 above). At the tunnel exit point network, drop any emerging tunnel packets (of either IP version) whose inner IP layer source address is not within the range or set of ranges of expected values from the tunnel entry point network. The expected addresses are those that are configured into the tunnel via routing action (NET-TUNL-012). Note: The primary filtering capability defined in the justification section above can be used to accomplish this task in conjunction with the tunnel endpoint verification of NET-TUNL-004. Alternative 1 - (FW can do only primary filtering) - Action #5 - Apply Baseline Filtering as a minimum: Description: All packets that pass the filtering of action #1 above must be fully filtered per the baseline guidance. Apply all filtering to the inner IP layer. Since the border FW does not have the ability to filter the inner IP layer beyond the IP addresses, a second level of filtering (another firewall, internal) is needed to achieve this task. The border FW guarantees the proper tunnel decapsulation points which are likely located on an internal router or the secondary FW. In either case, it must not be possible for packets to be decapsulated and avoid filtering. For example, a decapsulating router MUST be configured to route all tunnel contents toward the internal FW and not out some other interface. All packets that pass the filtering of action #1 above must be fully filtered per the baseline guidance defined by the 2nd Firewall ( Apply all NET-IPV6-xxx filtering to the inner IP layer via the 2nd firewall, and NET-TUNL-001. Notes: a) Includes (drop all Neighbor Discovery packets that emerge from tunnels). b) Includes (drop all packets containing a Link-local source or destination address that emerge from tunnels). c) Includes “Filtering Integrity for Fragmented Packets” applied to the inner IP layer. d) Includes blocking IP-in-IP tunneling. This applies to the next tunnel layer. Alternative 1 - (FW can do only primary filtering) - ACTION #6 - Restrict Tunnel contents to the greatest extent possible: Apply action 3 controls. Alternative 1 - (FW can do only primary filtering) - ACTION #7 - Protect the Decapsulating node: Description: Drop any tunneled packets whose inner IP destination address belongs to an interface on the decapsulating node. The primary filtering capability defined in the justification section above can be used to accomplish this task. Note: Since the baseline IPv6 filtering is being performed by a secondary firewall (action #5 above), any packets allowed out of the tunnel directly to the decapsulating node would bypass this filtering and must not be allowed. ------------------------------------------------------------------------------------------------------------------------------- Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #8 - Enforce Proper Tunnel Access (per IP address): Description: In this case, the border FW can only filter the outer IP layer and cannot see the internal IP addresses. Therefore, the decapsulating node or secondary firewall must filter the decapsulated packets to drop any emerging tunnel packets (of either IP version) whose inner IP layer source address is not within the range or set of ranges of expected values from the tunnel entry point network. Also, If the tunnel is GRE the border FW can only filter the out IP layer holding the GRE header and can not see the internal IP address. Note that multiple tunnels will likely require separate decapsulation points (separate routers) in order to verify that the proper ranges are emerging from each tunnel. It is not correct to filter all decapsulated traffic from several tunnels at the same router interface since there would be no way to detect traffic from tunnel A containing inner IP layer source addresses intended for tunnel B (i.e. users from one remote network using the privileges intended for another network). Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #9 - Apply Baseline Filtering as a minimum: All packets that pass the filtering of action #8 above must be fully filtered per the baseline guidance defined by the 2nd Firewall ( Apply all NET-IPV6-xxx filtering to the inner IP layer via the 2nd firewall, and NET-TUNL-001. As with Alternative 1, the secondary firewall must achieve this task. The border firewall guarantees the proper tunnel decapsulation points which are likely located on an internal router or secondary firewall. It must not be possible for packets to be decapsulated and avoid filtering. For example, a decapsulating router MUST be configured to route all tunnel contents toward the secondary firewall and not out some other interface. Notes: a) Includes (drop all Neighbor Discovery packets that emerge from tunnels). b) Includes (drop all packets containing a Link-local source or destination address that emerge from tunnels). c) Includes “Filtering Integrity for Fragmented Packets” applied to the inner IP layer. d) Includes blocking IP-in-IP tunneling. This applies to the next tunnel layer. Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #10 - Restrict Tunnel contents to the greatest extent possible: Apply action 3 controls. Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #11 - Protect the Decapsulating node: Description: Drop any tunneled packets whose inner IP destination address belongs to an interface on the decapsulating node. The decapsulating node must be able to perform this filtering itself since the border FW cannot see the inner IP addresses (an assumption for Alternative 2). Note: Since the baseline IPv6 filtering is being performed by a secondary firewall (action #9 above), any packets allowed out of the tunnel directly to the decapsulating node would likely bypass this filtering and must not be allowed. Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #12 - Non-IP GRE Payloads: Per action 8, if payloads other than IP are being delivered by the GRE tunnels, they must be guaranteed proper filtering. Administrators must be sure that all tunnel contents are filtered. How this is achieved must be handled on a case-by-case basis depending on the particular GRE payload type and filtering/routing capabilities of the decapsulating node. If possible avoid this case by using IP-in-IP tunneling instead.
To ensure the enclave can be protected from tunnels, the end-point must be decapsulated to inspect the Inner IP packet or the firewall must have the capability to perform primary and secondary filtering and content inspection. Tracing these tunnel end-points and ensuring filters that protect the enclave may be necessary. Apply deny by default. Apply destination addresses to tunnels to extended tunnels.. Apply PPS policies to protocols at all decapsulation end-points. Apply content inspection.
Review procedures defined in NET-TUNL-002. After determining the final decapsulation end-points, ensure the tunnel implements protocol inspection, filtering and mitigation as defined in the PPS VA reports.
Ensure the tunnel implements protocol inspection, filtering and mitigation as defined in the PPS VA reports.
Follow the procedures defined in NET-TUNL-002 to determine all tunnel entry and exit points, then ensure each end-point is in a deny by default posture inbound and outbound.
Apply a deny by default posture on every tunnel end-point.
Determine if control plane protection has been implemented on the device by verifying traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class. If the device doesn't have any control plane protection configured on the device, this is a finding.
Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.
An administratively scoped IP multicast region is defined to be a topological region in which there are one or more boundary routers with common boundary definitions. Such a router is said to be a boundary for multicast scoped addresses in the range defined in its configuration. In order to support administratively scoped multicast, a multicast boundary router will drop multicast traffic matching an interface's boundary definition in either direction. The IPv4 administrative scoped multicast address space is 239/8 which is divided into two scope levels: the Local Scope and Organization Local Scope. The Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The IPv4 Organization Local Scope is 239.192.0.0/14 is the space from which an organization should allocate sub-ranges when defining scopes for private use. This scope can be expanded to 239.128.0.0/10, 239.64.0.0/10, and 239.0.0.0/10 if necessary. The scope of IPv6 multicast packets are determined by the scope value where 4 (ffx4::/16) is Admin-local, 5 (ffx5::/16) is Site-local, and 8 (ffx8::/16) is Organization-local. Review the multicast topology to determine any documented Admin-local (scope = 4) or Site-local (scope = 5) multicast boundaries for IPv6 traffic or any Local-scope (address block 239.255.0.0/16) boundary for IPv4 traffic. Verify that appropriate boundaries are configured on the applicable multicast-enabled interfaces.
Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The scope of IPv6 multicast packets are determined by the scope value where 4 is Admin-local and 5 is Site-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.
Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.
Configure the device to use two separate NTP servers.
Verify that the software implemented on the router or firewall has been updated to a release that mitigates the risk of a DNS cache poisoning attack. A number of vendors have released patches to implement source port randomization. This change significantly reduces the practicality of cache poisoning attacks. See the Systems Affected section at http://www.kb.cert.org/vuls/id/800113 for additional details for specific products not listed below. The following BlueCoat products are vulnerable: Proxy SG: Fixed in 4.2.8.6 or 5.2.4.3 and later. Director: Fixed in: 4.2.2.4 or 5.2.2.5 and later. Proxy RA: Fixed in 2.3.2.1 and later. The following Secure Computing products are vulnerable: Sidewinder G2 6.1 .0.01 Sidewinder G2 6.1 .0.02 Sidewinder 5.0 Sidewinder 5.0 .0.01 Sidewinder 5.0 .0.02 Sidewinder 5.0 .0.03 Sidewinder 5.0 .0.04 Sidewinder 5.1 Sidewinder 5.1 .0.01 Sidewinder 5.1 .0.02 Sidewinder 5.1 .1 Sidewinder 5.1 .1.01 Sidewinder 5.2 Sidewinder 5.2 .0.01 Sidewinder 5.2 .0.02 Sidewinder 5.2 .0.03 Sidewinder 5.2 .0.04 Sidewinder 5.2 .1 Sidewinder 5.2 .1.02 Sidewinder 5.2.1 .10 Sidewinder Software 5.0 Sidewinder Software 5.0 .0.01 Sidewinder Software 5.0 .0.02 Sidewinder Software 5.0 .0.03 Sidewinder Software 5.0 .0.04 Sidewinder Software 5.1 Sidewinder Software 5.1 .0.01 Sidewinder Software 5.1 .0.02 Sidewinder Software 5.1 .1 Sidewinder Software 5.1 .1.01 Sidewinder Software 5.2 Sidewinder Software 5.2 .0.01 Sidewinder Software 5.2 .0.02 Sidewinder Software 5.2 .0.03 Sidewinder Software 5.2 .0.04 Sidewinder Software 5.2 .1 Sidewinder Software 5.2 .1.02 CyberGuard Classic CyberGuard TSP See Secure Computing Knowledgebase article 11446 for the resolution to updates to these vulnerable products. The following Juniper Networks ScreenOS firewall versions are vulnerable. ScreenOS 5.1 ScreenOS 5.2 The following Cisco PIX/ASA releases are vulnerable: 6.3(5) and earlier. Fixed with 6.3(5.144) and later 7.0 Fixed with 7.0(8.1) 7.1 Fixed with 7.1(2.74) 7.2 Fixed with 7.2(4.9) 8.0 Fixed with 8.0(3.32) 8.1 Fixed with 8.1(1.8) , 8.1(1.100), and 8.1(101.4) 8.2 Fixed with 8.2(0.140)
Update the OS to the release that mitigates the risk of a DNS cache poisoning attack
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM is documented in the network’s multicast topology diagram. Review the router or multi-layer switch configuration to determine if multicast routing is enabled and what interfaces are enabled for PIM.
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM is documented in the network’s multicast topology diagram. Enable PIM only on the applicable interfaces according to the multicast topology diagram.
Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.
An administratively scoped IP multicast region is defined to be a topological region in which there are one or more boundary routers with common boundary definitions. Such a router is said to be a boundary for multicast scoped addresses in the range defined in its configuration. In order to support administratively scoped multicast, a multicast boundary router will drop multicast traffic matching an interface's boundary definition in either direction. The IPv4 administrative scoped multicast address space is 239/8 which is divided into two scope levels: the Local Scope and Organization Local Scope. The Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The IPv4 Organization Local Scope is 239.192.0.0/14 is the space from which an organization should allocate sub-ranges when defining scopes for private use. This scope can be expanded to 239.128.0.0/10, 239.64.0.0/10, and 239.0.0.0/10 if necessary. The scope of IPv6 multicast packets are determined by the scope value where 4 (ffx4::/16) is Admin-local, 5 (ffx5::/16) is Site-local, and 8 (ffx8::/16) is Organization-local. Review the perimeter router or multi-layer switch to determine if multicast routing is enabled on any external-facing interface. If enabled, determine if there is a multicast boundary configured on the external-facing interface to ensure that no administrative scope traffic is not allowed into or out of the enclave.
Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The IPv4 Organization Local Scope is 239.192.0.0/14 is defined to be and is the space from which an organization should allocate sub- ranges when defining scopes for private use. The scope of IPv6 multicast packets are determined by the scope value where 4 is Admin-local, 5 is Site-local, and 8 is Organization-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).
Review the router or multi-layer switch configuration to determine if the maximum hop limit has been configured. If it has been configured, then it must be set to at least 32. If the maximum hop limit is not set to at least 32, this is a finding.
Configure maximum hop limit to at least 32.
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Destination Option header with option type values of 0x05 (Router Alert) or 0xC2 (Jumbo Payload).
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing a Destination Option header with option type values of 0x05 (Router Alert) or 0xC2 (Jumbo Payload).
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing an option type values of 0x8A (Endpoint Identification) regardless of whether it appears in a Hop-by-Hop or Destination Option header.
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing an option type values of 0x8A (Endpoint Identification) regardless of whether it appears in a Hop-by-Hop or Destination Option header
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06 through 0x89 inclusive, 0x8B through 0xC1 inclusive, 0xC4 through 0xC8 inclusive, and anything greater than 0xC9.
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06 through 0x89 inclusive, 0x8B through 0xC1 inclusive, 0xC4 through 0xC8 inclusive, and anything greater than 0xC9.
If the router is functioning as a 6to4 router, verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
If the router is functioning as a 6to4 router, verify that an egress filter (inbound on the internal-facing interface) has been configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
Review the router or multi-layer switch configuration and determine if L2TPv3 has been configured to provide transport across an IP network. If it has been configured, verify that the L2TPv3 session requires authentication. If authentication has not been configured for L2TPv3, this is a finding. Note: Layer 2 Forwarding or L2F (RFC2341), which is the "version 1", and L2TPv2 (RFC 2661) are used for remote access services based on the Virtual Private Dial-up Network (VPDN) model--not for tunneling IP packets across a backbone as with L2TPv3. With the VPDN model, a user obtains a layer-2 connection to a RAS using dialup PSTN or ISDN service and then establishes a PPP session over that connection. The L2 termination and PPP session endpoints reside on the RAS. L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices that are interconnected by a backbone network. A remote access client has an L2 connection to an L2TP Access Concentrator (LAC) that tunnels PPP frames across the IP backbone to the L2TP Network Server (LNS) residing in the private network.
Configure L2TPv3 to use authentication for any peering sessions.
Review the device configuration to determine if authentication is being used for all peers. A password or key should be defined for each BGP neighbor regardless of the autonomous system the peer belongs. Most vendors' command lines use a neighbor statement or keyword to specify a BGP peer. If BGP peers are not authenticated, this is a finding.
Configure the device to authenticate all BGP peers.