Free DISA STIG and SRG Library | Vaulted

V-79481

The firewall must block outbound IP packets that contain illegitimate packet attributes, including, at a minimum: an invalid source address; failure of minimum length tests (TCP length, UDP length, IP data length); an undefined protocol number; improper use of the hop-by-hop header; or an IPv6 RH0 header.

Finding ID: SRG-NET-000364-FW-000037
Rule ID: SV-94187r1_rule
Severity: Cat II
CCE: (None)
Group Title: SRG-NET-000364-FW-000037
CCI: CCI-002403
Target Key: (None)
Documentable: No
Discussion

If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.

Fix Text

Configure the firewall to block outbound IP packets that contain illegitimate packet attributes.

Check Content

Review the configuration and verify that the firewall blocks outbound IP packets that contain illegitimate attributes. At a minimum, rules must exist to filter on: an invalid source address; failure of minimum length tests (TCP length, UDP length, IP data length); an undefined protocol number; improper use of the hop-by-hop header; or an IPv6 RH0 header. If the firewall does not block outbound IP packets that contain illegitimate packet attributes, this is a finding.
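The attribute classes this check enumerates, implemented as an added Python reference classifier over raw IPv4/IPv6 packets (example code, not from the STIG or any firewall vendor). The site prefixes OWN_V4/OWN_V6 and the UNDEFINED_PROTOS set are assumptions, and the build_* helpers exist only to construct sample packets.

```python
import ipaddress
import struct

# Assumptions, not from the STIG: site prefixes (documentation ranges stand in) and IANA unassigned/reserved protocol numbers.
OWN_V4 = ipaddress.ip_network("203.0.113.0/24")
OWN_V6 = ipaddress.ip_network("2001:db8::/32")
UNDEFINED_PROTOS = set(range(146, 253)) | {255}

def build_ipv4(src: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address("198.51.100.1").packed)
    return hdr + payload

def build_ipv6(src: str, nxt: int, payload: bytes) -> bytes:
    """Constructed sample: IPv6 header plus payload, which may begin with extension headers."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), nxt, 64,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address("2001:db8:ffff::1").packed)
    return hdr + payload

def reject_reasons(pkt: bytes) -> list[str]:
    """Return every illegitimate attribute found in an outbound packet; an empty list means pass."""
    reasons = []
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
        if ihl < 20 or total_len < ihl or total_len > len(pkt):
            reasons.append("ip data length")
        src, payload = ipaddress.ip_address(pkt[12:16]), pkt[ihl:total_len]
    elif len(pkt) >= 40 and pkt[0] >> 4 == 6:
        proto, src, offset = pkt[6], ipaddress.ip_address(pkt[8:24]), 40
        if struct.unpack("!H", pkt[4:6])[0] != len(pkt) - 40:
            reasons.append("ip data length")
        while proto in (0, 43, 60) and offset + 8 <= len(pkt):  # hop-by-hop, routing, destination options
            if proto == 0 and offset != 40:  # RFC 8200: hop-by-hop must directly follow the IPv6 header
                reasons.append("improper use of hop-by-hop header")
            if proto == 43 and pkt[offset + 2] == 0:  # routing type 0, deprecated by RFC 5095
                reasons.append("ipv6 rh0 header")
            proto, offset = pkt[offset], offset + (pkt[offset + 1] + 1) * 8
        payload = pkt[offset:]
    else:
        return ["truncated or unknown ip version"]
    if src not in (OWN_V4 if src.version == 4 else OWN_V6):  # also rejects loopback, multicast, unspecified
        reasons.append("invalid source address")
    if proto in UNDEFINED_PROTOS:
        reasons.append("undefined protocol number")
    if proto == 6 and (len(payload) < 20 or not 20 <= (payload[12] >> 4) * 4 <= len(payload)):
        reasons.append("tcp length")
    if proto == 17 and (len(payload) < 8 or not 8 <= struct.unpack("!H", payload[4:6])[0] <= len(payload)):
        reasons.append("udp length")
    return reasons
```

A production firewall applies these as ordered drop rules rather than a post-hoc classifier, but the same five conditions are what the check above asks the reviewer to find in the ruleset.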