Check: ENS-FW-000006
Trellix ENS 10.x STIG:
ENS-FW-000006
(in versions v2 r14 through v2 r10)
Title
(CUI) The ENS Firewall rules must disable IP protocol 41. (Cat II impact)
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. The Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6) uses tunneling to encapsulate IPv6 traffic over explicitly configured IPv4 links. This traffic is sent over IP protocol 41. The tunneled packets do not provide visibility, so blocking protocol 41 with the firewall aids in preventing unknown traffic.
Check Content
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog, and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Verify a rule is explicitly configured to block outbound protocol 41. The "block all outbound protocol 41" rule must also be listed before the "allow all outbound" rule required by V-230199. If an explicit rule does not exist for blocking outbound protocol 41, this is a finding. If the block outbound protocol 41 rule is listed after the allow all outbound rule, this is a finding.
Fix Text
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. Select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select the Firewall Rules policy. Enter the following:
Name: e.g., IPv6 (41) Outbound
Action: Block
Direction: Out
Status: Enabled
Network Protocol: IP Protocol, IPv4 Protocol (checked)
Media Types: Wired, Wireless, Virtual (all checked)
Transport Protocol dropdown: IPv6 encapsulation in IPv4
Click "Save". This block rule must be located above the allow all outbound rule from V-230199 in the firewall rules list.
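The two conditions the check and fix above describe (an enabled block rule for IP protocol 41 must exist, and it must sit above the allow all outbound rule) can be audited offline against an exported rule list. The script below is an added example, not part of the STIG or of Trellix ePO; the FwRule record is a constructed, simplified representation of a rule, since the page does not show the ePO export format.

```python
# Added example: audit an ordered ENS firewall rule list for ENS-FW-000006.
# FwRule is an assumed, simplified rule record; the real ePO policy export
# format is not shown on the page and is not reproduced here.
from dataclasses import dataclass
from typing import List, Optional

IPV6_IN_IPV4 = 41  # IP protocol number: IPv6 encapsulation in IPv4

@dataclass
class FwRule:
    name: str
    action: str          # "Block" or "Allow"
    direction: str       # "Out", "In" or "Either"
    enabled: bool
    ip_protocol: Optional[int] = None  # None means "any IP protocol"
    ipv4: bool = True

def is_block_41(r: FwRule) -> bool:
    """Enabled rule that explicitly blocks outbound IP protocol 41 over IPv4."""
    return (r.enabled and r.action == "Block" and r.direction in ("Out", "Either")
            and r.ip_protocol == IPV6_IN_IPV4 and r.ipv4)

def is_allow_all_outbound(r: FwRule) -> bool:
    """Enabled rule that allows all outbound traffic (the V-230199 rule)."""
    return (r.enabled and r.action == "Allow" and r.direction in ("Out", "Either")
            and r.ip_protocol is None)

def audit_protocol41(rules: List[FwRule]) -> List[str]:
    """Return the findings for ENS-FW-000006; an empty list means no finding."""
    block_idx = next((i for i, r in enumerate(rules) if is_block_41(r)), None)
    allow_idx = next((i for i, r in enumerate(rules) if is_allow_all_outbound(r)), None)
    findings = []
    if block_idx is None:
        findings.append("no enabled rule explicitly blocks outbound IP protocol 41")
    elif allow_idx is not None and block_idx > allow_idx:
        findings.append("block protocol 41 rule is listed after the allow all outbound rule")
    return findings

# Constructed sample policies: one compliant, one with the ordering defect.
COMPLIANT = [
    FwRule("IPv6 (41) Outbound", "Block", "Out", True, ip_protocol=IPV6_IN_IPV4),
    FwRule("Allow all outbound", "Allow", "Out", True),
]
MISORDERED = [
    FwRule("Allow all outbound", "Allow", "Out", True),
    FwRule("IPv6 (41) Outbound", "Block", "Out", True, ip_protocol=IPV6_IN_IPV4),
]

if __name__ == "__main__":
    for label, policy in (("compliant", COMPLIANT), ("misordered", MISORDERED)):
        print(label, audit_protocol41(policy) or ["no finding"])
```

A disabled block rule is deliberately not counted, matching the Status: Enabled requirement in the fix text.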
Additional Identifiers
Rule ID: SV-230200r881593_rule
Vulnerability ID: V-230200
Group Title: SRG-APP-000272
CCIs
Number | Definition
---|---
CCI-001247 | The information system automatically updates malicious code protection mechanisms.
Controls
Number | Title
---|---
SI-3 (2) | Automatic Updates