Check: NET0928
Network Infrastructure Policy STIG: NET0928
(in versions v10 r6 through v9 r2)
Title
A policy must be implemented to keep Bogon/Martian rulesets up to date. (Cat II impact)
Discussion
A Bogon route or Martian address is a source address that should never appear in packets routed inbound through the perimeter device. Bogon routes and Martian addresses are commonly found as the source addresses of DDoS attacks. Without a policy to keep these addresses up to date, the enclave runs the risk of allowing illegitimate traffic into the enclave or even blocking legitimate traffic. Also, if there are rulesets with "any" as the source address, then Bogon/Martian filters must be applied. Bogon and Martian address lists can be kept up to date by routinely checking the IANA website or by creating an account with Team Cymru to retrieve these lists in one of many ways.
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
http://www.team-cymru.org/Services/Bogons/
Check Content
Review the Bogon/Martian maintenance policy to validate that plans and procedures are in place to protect the enclave from illegitimate network traffic with up-to-date Bogon/Martian rulesets. If the site does not have a policy to keep Bogon/Martian rulesets up to date, this is a finding.
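As an added example that is not part of the STIG text, the following Python check is the kind of script a site could run to show the policy is actually being followed: it compares the deny entries deployed on a perimeter device against a freshly retrieved reference Bogon list and reports prefixes that are no longer covered, and flags whether an "any"-source rule is present. The (action, source) rule format, the reference subset and the deployed snapshot are constructed for illustration.

```python
import ipaddress

# Constructed reference list standing in for a freshly retrieved Bogon feed
# (Team Cymru, or derived from the IANA registry). The ranges themselves are
# real IANA reserved/special-purpose blocks; the set is a subset, not a full feed.
REFERENCE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Constructed snapshot of the perimeter ruleset in a hypothetical
# (action, source) format. The deny list is deliberately stale.
DEPLOYED_RULES = [
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
    ("deny", "127.0.0.0/8"),
    ("deny", "224.0.0.0/3"),  # one wide entry that covers both 224/4 and 240/4
    ("permit", "any"),        # "any" as source: Bogon filtering is mandatory here
]

def missing_bogons(reference, rules):
    """Reference prefixes not covered by any deployed deny entry.

    A prefix is covered when a deny entry equals it or is a supernet of it,
    so a single wide deny can satisfy several reference items."""
    denies = [ipaddress.ip_network(src) for action, src in rules if action == "deny"]
    missing = []
    for text in reference:
        net = ipaddress.ip_network(text)
        if not any(net.subnet_of(d) for d in denies if d.version == net.version):
            missing.append(str(net))
    return missing

def has_any_source_rule(rules):
    """True when a permit rule uses "any" as its source address."""
    return any(action == "permit" and src == "any" for action, src in rules)

def audit(reference, rules):
    """Summarise the check: up_to_date is True only when nothing is missing."""
    gaps = missing_bogons(reference, rules)
    return {"up_to_date": not gaps, "missing": gaps,
            "any_source_present": has_any_source_rule(rules)}

if __name__ == "__main__":
    print(audit(REFERENCE_BOGONS, DEPLOYED_RULES))
```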
Fix Text
Implement a Bogon/Martian maintenance policy to protect the enclave from illegitimate network traffic.
Additional Identifiers
Rule ID: SV-251371r806068_rule
Vulnerability ID: V-251371
Group Title: NET0928
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |