2.7 Ensure internal sources are blocked on external networks

Information

Deny traffic with an internal source or reserved IP address from external source.

Rationale:

An attacker may attempt to bypass security controls and Intrusion Detection Systems (IDS) by using the source address of a trusted (generally internal) host, a technique known as spoofing. Packets arriving on external networks should never have a source address from your internal network ranges, especially where the internal networks use RFC1918 private address space or invalid addresses.

Any traffic with an internal source arriving on an external interface is certain to be an attack and should be blocked.

A Firewall Filter should be applied to all external network interfaces and include a term to deny internal address ranges.

The discard method is used to block the packet silently, with no message sent back to the source. This traffic should also be logged to the local routing engine and SYSLOG, allowing attacks to be detected and record kept.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To create a firewall filter term enter the following command from the [edit firewall family <family> filter <filter name>] hierarchy.

[edit firewall family inet filter <filter name>]
[email protected]#edit term <term name>

[edit firewall family inet filter <filter name> term <term name>]
[email protected]#set from source-address 127.0.0.0/8
[email protected]#set from source-address 10.0.0.0/8
[email protected]#set from source-address 0.0.0.0/32
[email protected]#set from source-address 172.16.0.0/12
[email protected]#set from source-address 192.168.0.0/16
[email protected]#set from source-address 192.0.2.0/24
[email protected]#set from source-address 169.254.0.0/16
[email protected]#set from source-address 198.18.0.0/15
[email protected]#set from source-address 198.51.100.0/24
[email protected]#set from source-address 203.0.113.0/24
[email protected]#set from source-address 224.0.0.0/8
[email protected]#set from source-address 255.255.255.255/32
[email protected]#set from source-address
[email protected]#set then discard
[email protected]#set then syslog
[email protected]#set then log

NOTE - At least one further term must be included in this firewall filter to allow legitimate traffic.

Default Value:

No firewall filters are configured by default.

References:

Cisco IOS Benchmark Version 2.2, Requirement 2.3.1.1, Center for Internet Security

[Firewall Filter Overview, JUNOS Software Policy Framework Configuration Guide, Juniper Networks](http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/firewall-filter-overview.html)

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-7(11), 800-53|SI-4, CSCv7|12.2, CSCv7|12.3

Plugin: Juniper

Control ID: f54b6df7cc47c9530d174de73049ee495e27ff0ab796bd85c86ce7a54f2f8a84