STIGQter: STIG Summary: VMware ESX 3 Server Version: 1 Release: 2 Benchmark Date: 22 Jul 2016: The system must use a reverse-path filter for IPv4 network traffic when possible.

DISA Rule

SV-26084r1_rule

Vulnerability Number

V-22420

Group Title

GEN003613

Rule Version

GEN003613

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the system has a reverse-path filter capability, enable this feature in accordance with vendor documentation. If the system does not have this capability, add local firewall rules to block traffic with loopback network source addresses from being received on interfaces other than the loopback. Additionally, if the system is multihomed and the attached networks are isolated or perform symmetric routing, add rules to block traffic with source addresses expected on one interface when received on another interface.

For example, consider a system with two network interfaces, one attached to an isolated management network with address 10.0.0.55/24 and the other attached to a production network with address 192.168.1.2/24 and a default route. Traffic with a source address on the 10.0.0.0/24 network must be the only traffic accepted on the management interface and must not be accepted on the production interface.

Check Contents

If the system is in an environment that does not allow the proper operation of reverse-path filtering, such as with asymmetric routing, this requirement is not applicable.

Consult vendor documentation to determine if a specific configuration setting exists to enable reverse-path filtering. If this feature exists and is not enabled, this is a finding.

If no specific feature is available, examine the system's local firewall configuration to determine if traffic with source addresses expected on one interface (including loopback interfaces) is blocked when received on another interface. If no such filtering is configured, this is a finding.
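The script below is an added example, not part of the STIG text or of STIGQter. It covers both the Fix Recommendation above (generating the fallback firewall rules for the two-interface management/production case) and the Check Contents (deciding whether rp_filter is in effect per interface, or, when the kernel has no rp_filter, whether the fallback rules are present). It assumes a Linux-style service console that exposes net.ipv4.conf.<iface>.rp_filter through sysctl and filters with iptables; the interface names vswif0/vswif1 and the sysctl and iptables-save text are constructed sample data, not output from a real host.

```python
"""Audit and remediation helper for GEN003613 (added example, not STIG or STIGQter code).

Assumptions: Linux-style kernel with net.ipv4.conf.<iface>.rp_filter and an iptables
packet filter. All sample data below is constructed for the demonstration.
"""
import re

LOOPBACK_NET = "127.0.0.0/8"

# Constructed sample: `sysctl -a | grep rp_filter` on a host where only one of two
# interfaces has strict reverse-path filtering enabled.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.vswif0.rp_filter = 1
net.ipv4.conf.vswif1.rp_filter = 0
"""

# Constructed sample: `iptables-save` output that has the loopback rule and blocks the
# management network on the production interface, but does not restrict the management
# interface to its own network.
SAMPLE_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -s 10.0.0.0/24 -i vswif1 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# The STIG's worked scenario: isolated management net on vswif0, production with a
# default route on vswif1 (interface names are assumed, not taken from the STIG).
INTERFACES = {"vswif0": "10.0.0.0/24", "vswif1": "192.168.1.0/24"}
ISOLATED = {"vswif0"}


def parse_rp_filter(sysctl_text):
    """Map interface name -> rp_filter value from sysctl-style 'key = value' lines."""
    values = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"\s*net\.ipv4\.conf\.([\w.-]+)\.rp_filter\s*=\s*(\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def rp_filter_findings(values):
    """Interfaces on which reverse-path filtering is not in effect.

    The kernel applies max(conf.all.rp_filter, conf.<iface>.rp_filter) to each
    interface, so a per-interface 0 is harmless when 'all' is 1 and a per-interface 1
    is effective when 'all' is 0. 'all', 'default' and 'lo' are not real interfaces.
    """
    all_value = values.get("all", 0)
    return sorted(iface for iface, value in values.items()
                  if iface not in ("all", "default", "lo") and max(all_value, value) < 1)


def isolation_rules(interfaces, isolated):
    """iptables rules implementing the STIG's fallback when rp_filter is unavailable.

    interfaces: {iface: attached network in CIDR}; isolated: interfaces whose attached
    network is isolated, so every legitimate source on them is on that network.
    """
    rules = ["-A INPUT -s %s ! -i lo -j DROP" % LOOPBACK_NET]
    for iface, net in sorted(interfaces.items()):
        if iface not in isolated:
            continue
        # only the isolated network's addresses may arrive on its own interface ...
        rules.append("-A INPUT ! -s %s -i %s -j DROP" % (net, iface))
        # ... and they must never arrive on any other interface
        for other in sorted(interfaces):
            if other != iface:
                rules.append("-A INPUT -s %s -i %s -j DROP" % (net, other))
    return rules


def _rule_key(rule):
    """Order-independent form of one rule spec, so '-s X ! -i lo' == '! -i lo -s X'."""
    toks, key, negate, i = rule.split(), set(), False, 0
    while i < len(toks):
        if toks[i] == "!":
            negate, i = True, i + 1
            continue
        key.add((negate, toks[i], toks[i + 1] if i + 1 < len(toks) else None))
        negate, i = False, i + 2
    return frozenset(key)


def missing_rules(iptables_save_text, required):
    """Required rules that do not appear in iptables-save output (any option order)."""
    present = {_rule_key(l) for l in iptables_save_text.splitlines() if l.startswith("-A ")}
    return [r for r in required if _rule_key(r) not in present]


def audit(sysctl_text, iptables_save_text, interfaces, isolated):
    """Apply the check: rp_filter if the kernel exposes it, else the firewall fallback.

    Returns (method, details, is_finding).
    """
    values = parse_rp_filter(sysctl_text)
    if values:
        bad = rp_filter_findings(values)
        return ("rp_filter", bad, bool(bad))
    missing = missing_rules(iptables_save_text, isolation_rules(interfaces, isolated))
    return ("firewall", missing, bool(missing))


if __name__ == "__main__":
    for result in (audit(SAMPLE_SYSCTL, SAMPLE_IPTABLES, INTERFACES, ISOLATED),
                   audit("", SAMPLE_IPTABLES, INTERFACES, ISOLATED)):
        method, details, is_finding = result
        print(method, "FINDING" if is_finding else "ok", details)
```

On a host that does expose the setting, remediation is `sysctl -w net.ipv4.conf.all.rp_filter=1` (persisted in /etc/sysctl.conf); checking `all` alone is not enough, since a per-interface value of 1 with `all` at 0 is still effective and the reverse is also true, which is why the script evaluates the maximum per interface. Strict reverse-path filtering drops legitimate packets on a multihomed host whose return path differs from its inbound path; that is exactly the asymmetric-routing case the check marks as not applicable, so confirm the routing topology before turning it on.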

Documentable

False

Check Content Reference

M

Responsibility

System Administrator

Target Key

1386

Comments