Check: ENS-FW-000006
Trellix ENS 10.x STIG:
ENS-FW-000006
(in versions v2 r5 through v2 r7)
Title
(CUI) The ENS Firewall rules must disable IP protocol 41. (Cat II impact)
Discussion
(CUI) A host-based firewall inspects all incoming and outgoing traffic. As traffic arrives or departs, the Firewall checks it against its list of rules; each rule is a set of criteria with an associated action. If the traffic matches all criteria in a rule, the Firewall acts according to that rule, blocking or allowing the traffic. The Internet transition mechanisms for migrating from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6) use tunneling to encapsulate IPv6 traffic over explicitly configured IPv4 links. This traffic is carried in IPv4 packets whose protocol field is 41. The Firewall has no visibility into the tunneled IPv6 packets, so blocking protocol 41 prevents unknown traffic from bypassing inspection.
Check Content
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If OPORD 16-0080 FRAGO 6 has been released and is still in its implementation period, this is Not a Finding if the host is configured per the FRAGO implementation steps. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Verify a rule is explicitly configured to block protocol 41. If an allow-all rule is configured in the Firewall Rules, this is a finding. If no explicit rule exists to block protocol 41, this is a finding.
Fix Text
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Add a rule to explicitly block protocol 41. Click "Save".
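The following script is an added example and is not part of the STIG or of Trellix ENS. It makes the Discussion concrete by decapsulating a protocol-41 packet to show the IPv6 flow the IPv4 view hides, and it mirrors the two finding conditions from the Check Content against a rule list. The packet bytes and the rule dictionaries are constructed here for illustration; the rule format is a stand-in, not ePO's policy export format, and the helper names (`inspect_packet`, `audit_protocol_41`, the `build_*` functions) are this example's own.

```python
"""Decapsulate IPv6-in-IPv4 (IP protocol 41) and mirror the ENS-FW-000006 check.

Added example, not from the STIG or from Trellix ENS. The packets and the rule
list below are constructed; the rule dicts stand in for an exported Firewall
Rules policy and do not follow ePO's real export format.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (6in4, 6to4, ISATAP all use this)
IPPROTO_TCP = 6


def parse_ipv4(packet: bytes) -> dict:
    """Return src, dst, protocol and payload of an IPv4 packet (header may carry options)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "protocol": proto, "payload": packet[ihl:]}


def parse_ipv6(packet: bytes) -> dict:
    """Return src, dst and next header of an IPv6 packet (fixed 40-byte header)."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, _plen, next_hdr, _hop, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "next_header": next_hdr}


def inspect_packet(packet: bytes) -> dict:
    """Classify a packet; for protocol 41, expose the inner IPv6 flow the outer header hides."""
    outer = parse_ipv4(packet)
    result = {"outer_src": outer["src"], "outer_dst": outer["dst"],
              "protocol": outer["protocol"], "tunneled": outer["protocol"] == IPPROTO_IPV6}
    if result["tunneled"]:
        try:
            inner = parse_ipv6(outer["payload"])
            result.update(inner_src=inner["src"], inner_dst=inner["dst"],
                          inner_next_header=inner["next_header"])
        except ValueError as exc:   # protocol 41 with no parseable IPv6 inside: still block it
            result["inner_error"] = str(exc)
    return result


def audit_protocol_41(rules: list) -> str:
    """Apply the check's two conditions to a constructed rule list (see module docstring)."""
    if any(r["action"] == "allow" and r["protocol"] == "any" for r in rules):
        return "finding: allow-all rule present"
    if not any(r["action"] == "block" and r["protocol"] == IPPROTO_IPV6 for r in rules):
        return "finding: no explicit block for protocol 41"
    return "not a finding"


# --- constructed sample data (documentation prefixes, not real hosts) --------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


TCP_STUB = b"\x00\x50\x1f\x90" + b"\x00" * 16   # placeholder 20-byte TCP header, 80 -> 8080
# 6in4: IPv4 carries IPv6 carries TCP. The IPv4 layer shows only 192.0.2.10 -> 198.51.100.20 / 41.
SAMPLE_6IN4 = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_IPV6,
                         build_ipv6("2001:db8::1", "2001:db8::2", IPPROTO_TCP, TCP_STUB))
# Ordinary TCP over IPv4 for comparison.
SAMPLE_PLAIN_TCP = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_TCP, TCP_STUB)
# Protocol 41 with junk inside: no inner header to parse, but it is still protocol 41.
SAMPLE_BAD_41 = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_IPV6, b"\x00" * 8)

COMPLIANT_RULES = [{"name": "Block IPv6-in-IPv4", "action": "block", "protocol": 41},
                   {"name": "Allow DNS", "action": "allow", "protocol": 17}]
ALLOW_ALL_RULES = COMPLIANT_RULES + [{"name": "Allow all", "action": "allow", "protocol": "any"}]
NO_BLOCK_RULES = [{"name": "Allow DNS", "action": "allow", "protocol": 17}]

if __name__ == "__main__":
    for name, pkt in (("6in4", SAMPLE_6IN4), ("plain TCP", SAMPLE_PLAIN_TCP), ("bad 41", SAMPLE_BAD_41)):
        print(name, inspect_packet(pkt))
    for name, rules in (("compliant", COMPLIANT_RULES), ("allow-all", ALLOW_ALL_RULES),
                        ("no block", NO_BLOCK_RULES)):
        print(name, audit_protocol_41(rules))
```

Run it directly to see the three packets classified and the three rule sets audited. Note that the audit treats an allow-all rule as a finding even when a protocol-41 block is also present, which is how the Check Content is worded; it does not model ENS rule ordering, so do not use it as a substitute for reviewing the policy in ePO.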
Additional Identifiers
Rule ID: SV-230200r803964_rule
Vulnerability ID: V-230200
Group Title: SRG-APP-000272
Expert Comments
CCIs
Number | Definition
---|---
CCI-001247 | The information system automatically updates malicious code protection mechanisms.
Controls
Number | Title
---|---
SI-3(2) | Automatic Updates