Check: H37020 - HIP 8 FW
HBSS HIP 8 Firewall:
H37020 - HIP 8 FW
(in versions v1 r12 through v1 r14)
Title
(U//FOUO) The Host Intrusion Prevention System (HIPS) Firewall must include a rule to block outbound IP protocol 41 (IPv6 encapsulation in IPv4) connections. (Cat II impact)
Discussion
The transition mechanisms for migrating from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6), such as 6in4, 6to4, and ISATAP, tunnel IPv6 traffic by encapsulating it in IPv4 packets. The outer IPv4 header carries protocol number 41 ("IPv6 encapsulation"). Controls that inspect only IPv4 have no visibility into the encapsulated IPv6 traffic, so blocking outbound protocol 41 with the host firewall prevents the host from sending uninspected traffic through such tunnels. Note that this rule matches only protocol 41 encapsulation; Teredo carries IPv6 inside UDP (port 3544) and is not affected by it.
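To make concrete what the rule matches, the following added example (not DISA or McAfee code) builds constructed sample packets and applies the same criteria as the firewall rule: an IPv4 packet is blocked only when it is outbound and its protocol field is 41. For a protocol 41 packet it also decapsulates the inner IPv6 header, which is exactly the information an IPv4-only control never sees, and it shows that a Teredo packet (IPv6 over UDP/3544) passes the rule untouched. All addresses and packet contents are constructed for illustration; the `classify`, `build_ipv4`, `build_ipv6`, `parse_ipv4`, and `parse_ipv6` names are assumptions of this example.

```python
"""Apply the HIPS rule's match criteria (outbound, IP protocol 41) to packets.

Added example, not McAfee or DISA code. All sample packets are constructed inline.
"""
import ipaddress
import struct

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41   # IANA "IPv6 encapsulation": 6in4, 6to4, ISATAP
TEREDO_PORT = 3544      # Teredo carries IPv6 in UDP, so protocol 41 never appears
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options; checksum left zero) + payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_ipv6(next_header, src, dst, payload):
    """Minimal 40-byte IPv6 header + payload."""
    header = struct.pack(
        "!IHBB16s16s",
        0x60000000, len(payload), next_header, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Return the fields of the outer IPv4 header the rule cares about."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:],
    }


def parse_ipv6(pkt):
    """Return the inner IPv6 header fields hidden from IPv4-only inspection."""
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "next_header": pkt[6],
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def classify(pkt, direction):
    """Mimic the rule: block when direction is "out" and protocol is 41.

    For protocol 41 the inner IPv6 header is decapsulated; for UDP/3544
    a note records that Teredo is outside the rule's scope.
    """
    outer = parse_ipv4(pkt)
    result = {
        "outer_proto": outer["proto"],
        "blocked": direction == "out" and outer["proto"] == PROTO_IPV6_ENCAP,
        "inner": None,
        "note": "",
    }
    if outer["proto"] == PROTO_IPV6_ENCAP:
        inner = parse_ipv6(outer["payload"])
        src6 = ipaddress.IPv6Address(inner["src"])
        inner["tunnel"] = "6to4" if src6 in SIX_TO_FOUR_PREFIX else "6in4/ISATAP"
        result["inner"] = inner
    elif outer["proto"] == PROTO_UDP and len(outer["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", outer["payload"][:4])
        if TEREDO_PORT in (sport, dport):
            result["note"] = "Teredo: IPv6 over UDP/3544, not matched by a protocol-41 rule"
    return result


# Constructed sample traffic (not captured from a real host).
# 192.0.2.4 maps to the 6to4 prefix 2002:c000:204::/48; 192.88.99.1 is the 6to4 relay anycast.
INNER_IPV6 = build_ipv6(PROTO_TCP, "2002:c000:204::1", "2001:db8::80", b"\x00" * 20)
PKT_6TO4 = build_ipv4(PROTO_IPV6_ENCAP, "192.0.2.4", "192.88.99.1", INNER_IPV6)
PKT_PLAIN_TCP = build_ipv4(PROTO_TCP, "192.0.2.4", "198.51.100.7", b"\x00" * 20)
TEREDO_UDP = struct.pack("!HHHH", 50000, TEREDO_PORT, 8 + len(INNER_IPV6), 0) + INNER_IPV6
PKT_TEREDO = build_ipv4(PROTO_UDP, "192.0.2.4", "203.0.113.9", TEREDO_UDP)

if __name__ == "__main__":
    for name, pkt in (("6to4", PKT_6TO4), ("plain TCP", PKT_PLAIN_TCP), ("Teredo", PKT_TEREDO)):
        print(name, classify(pkt, "out"))
```

Running the block shows the 6to4 packet blocked with its inner IPv6 endpoints exposed, the plain TCP packet allowed, and the Teredo packet allowed with the note attached; the same packet classified with direction "in" is not blocked, matching the rule's "Out" direction setting.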
Check Content
This check must be completed for every active policy that controls McAfee Agents.

From the ePO server console, select the asset to be checked, then select "Assigned Policies", followed by the correct version of HIPS from the dropdown product list (e.g., Host Intrusion Prevention 8: Firewall).

From the "Firewall Rules" category, select the applicable Firewall policy.

From the Firewall rules page, verify a rule exists that blocks IPv6 encapsulation in IPv4 (IP protocol 41). Open that rule and verify the following:

Under Description >> Action, verify "Block" is selected.
Under Description >> Direction, verify "Out" is selected.
Under Description >> Status, verify "Enabled" is selected.
Under Network Options >> Network protocol, verify "IP Protocol" is selected with "IPv4 Protocol" checked.
Under Network Options >> Media types, verify Wired, Wireless, and Virtual are all selected.
Under Transport Options >> Transport protocol, verify "IPv6 encapsulation in IPv4" is selected.

If the settings are not all configured as stated, this is a finding.
Fix Text
(U//FOUO) From the ePO server console, select the asset to be checked, then select "Assigned Policies", followed by the correct version of HIPS from the dropdown product list (e.g., Host Intrusion Prevention 8: Firewall).

From the "Firewall Rules" category, select the applicable policy.

From the Firewall rules page, select "New Rule" and enter the following:

Name: e.g., IPv6 (41) Outbound
Action: Block
Direction: Out
Status: Enabled
Click "Next".

Network Protocol: IP Protocol, with IPv4 Protocol checked
Media Types: Wired, Wireless, Virtual (all checked)
Click "Next".

Transport Protocol dropdown: IPv6 encapsulation in IPv4
Click "Next", click "Next", click "Next", then click "Save".
Additional Identifiers
Rule ID: SV-60367r5_rule
Vulnerability ID: V-47485
Group Title: H37020
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check | |
Controls
Number | Title |
---|---|
No controls are assigned to this check | |