Check: SRG-NET-000364-FW-000041
Firewall SRG:
SRG-NET-000364-FW-000041
(in versions v2 r3 through v2 r1)
Title
The firewall must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers. (Cat II impact)
Discussion
IPv6 packets with unknown extension headers as well as out-of-order headers can create denial-of-service attacks for other networking components as well as host devices. IPv6 inspection can check conformance to RFC 2460 enforcing the order extension headers. While routers only need to examine the IPv6 destination address and the Hop-by-Hop Options header, firewalls should must recognize and parse through all existing extension headers since the upper-layer protocol information reside in the last header. An attacker is able to chain lots of extension headers in order to pass firewall- & intrusion detections. An attacker can cause a denial of service if an intermediary device or destination host is not capable of processing an extensive or out-of-order chaine of extension headers. Hence it is imperative, that the firewall is configured to drop packets with unknown or out-of-order headers.
Check Content
Review the firewall configuration to verify that IPv6 inspection is being performed on all interfaces. If the firewall is not configujred to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers, this is a finding.
Fix Text
Configure the firewall to inspect all inbound and outbound traffic at the application layer.
Additional Identifiers
Rule ID: SV-223012r604133_rule
Vulnerability ID: V-223012
Group Title: SRG-NET-000364
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |