STIGQter: STIG Summary: Firewall Security Requirements Guide, Version: 1, Release: 4, Benchmark Date: 26 Jul 2019

The firewall must block or restrict inbound IP packets destined to the control plane of the firewall itself.

DISA Rule

SV-94181r1_rule

Vulnerability Number

V-79475

Group Title

SRG-NET-000364-FW-000034

Rule Version

SRG-NET-000364-FW-000034

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Establish ingress filters to block or restrict inbound IP packets destined to the control plane of the firewall itself.

Check Contents

Review the device configuration to determine if filters are in place to block loopback addresses.

Verify packets with a destination IP address assigned to the management or loopback address range are blocked (unless the packet has a source address assigned to the management network or network infrastructure).

If inbound IP packets destined to the control plane of the firewall itself are not blocked or restricted by an ingress firewall filter, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

3377
