6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets

Information

For all zones, attach a Zone Protection Profile that is configured to drop packets with a spoofed IP address or a mismatched overlapping TCP segment, and packets with malformed, strict source routing, or loose source routing IP options set.

Rationale:

Using specially crafted packets, an attacker may attempt to evade or diminish the effectiveness of network security devices. Enabling the options in this recommendation lowers the risk of these attacks.

Impact:

Not configuring a Network Zone Protection Profile leaves an organization exposed to common attacks and reconnaissance from untrusted networks.

Solution

Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Packet Based Attack Protection > TCP/IP Drop.
Set Spoofed IP address to be checked.
Set Mismatched overlapping TCP segment to be checked.
Under IP Option Drop, set Strict Source Routing, Loose Source Routing, and Malformed to all be checked. Additional options may also be set if desired.

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/8826