Tunneled packets must be filtered at the tunnel exit point.

From Perimeter Router Security Technical Implementation Guide Cisco

Part of Tunneled packets are not filtered.

Associated with IA controls: EBBD-1

SV-20212r2_rule Tunneled packets must be filtered at the tunnel exit point.

Vulnerability discussion

Once a tunnel has been terminated, the inner packet is no different from any other packet. Therefore, the inner packet must be filtered at the tunnel exit point network. In fact, some packets are more dangerous when tunneled, such as attacks against Neighbor Discovery, where a packet carrying the required count of 255 in the hop limit field could potentially be delivered.

Check content

NOTE: This requirement applies to any tunnel that is not an IPSec tunnel between two sites, part of the same enclave, and is under control of the same DAA.

This guidance describes three ways in which the inner IP layer filtering task may be accomplished, depending on the advances in firewall technology. Refer to NSA firewall design considerations for IPv6 section 5.2 for a description of desired firewall filtering capabilities for tunneled traffic. This reference document defines primary filtering as a firewall that can filter the inner source and destination IP addresses of a tunneled packet in a manner similar to filtering source and destination ports of a TCP or UDP packet. Secondary filtering capability is defined to be the ability to fully filter the entire inner IP layer to the same degree an untunneled packet is filtered.

The Primary guidance below assumes an advanced firewall with the capability to perform both the primary and secondary filtering functions as explained above. Alternative 1 below assumes that the firewall can perform only the primary filtering function. Alternative 2 assumes the firewall cannot do either primary or secondary filtering, as may be the case with some existing firewall products. For Alternatives 1 and 2, the decapsulation point may be an interior router with the filtering of the inner IP layer performed by a secondary firewall. Additional actions are provided to protect the decapsulating node itself from being attacked, since this node is in front of the protective filtering.

Primary (FW can do both primary and secondary filtering) ACTION #1 Enforce Proper Tunnel Access (per IP address):
At the tunnel exit point network, drop any emerging tunnel packets (of either IP version) whose inner IP layer source address is not within the range or set of ranges of expected values from the tunnel entry point network. The expected addresses are those that are configured into the tunnel via routes to a tunnel by name, by address, or by interface (NET-TUNL-012). Regardless of how traffic is routed into a tunnel entry point, the network should ensure that the resulting tunnel packets have a specific tunnel entry point source address (i.e. outer IP layer) that can be used for reliable filtering.
Note: The primary filtering capability defined in the justification section above can be used to accomplish this task in conjunction with the tunnel endpoint verification of NET-TUNL-004.

Primary (FW can do both primary and secondary filtering) ACTION #2 Apply Baseline Filtering as a Minimum:
All packets that pass the filtering of action #1 above must be fully filtered per the baseline guidance defined ( Apply all NET-IPV6-xxx filtering to the inner IP layer via the firewall’s secondary filtering capability, and NET-TUNL-001.
Notes:
a) Includes (drop all Neighbor Discovery packets that emerge from tunnels).
b) Includes (drop all packets containing a Link-local source or destination address that emerge from tunnels).
c) Includes “Filtering Integrity for Fragmented Packets” applied to the inner IP layer.
d) Includes blocking IP-in-IP tunneling. This applies to the next tunnel layer.

Primary (FW can do both primary and secondary filtering) ACTION #3 Restrict Tunnel contents to the greatest extent possible:
Description: Network administrators should apply additional filtering to restrict the tunnel contents to only the intended traffic types and destinations. The details of this filtering must be determined on a case-by-case basis.
Note 1: Tunnels are employed for a specific purpose and type of traffic, therefore it is likely that the tunnel traffic can be restricted more stringently than normal (un-tunneled) traffic.
Note 2: The source addresses of the decapsulated packets can be used reliably to distinguish tunnels if there is more than one. This is true because action #1 above has already verified proper inner IP source address for each tunnel.

----------------------------------------------------------------

Alternative 1 - (FW can do only primary filtering) - Action #4 - Enforce Proper Tunnel Access (per IP address):
Description: (Same as Primary Guidance action #1 above). At the tunnel exit point network, drop any emerging tunnel packets (of either IP version) whose inner IP layer source address is not within the range or set of ranges of expected values from the tunnel entry point network. The expected addresses are those that are configured into the tunnel via routing action (NET-TUNL-012).
Note: The primary filtering capability defined in the justification section above can be used to accomplish this task in conjunction with the tunnel endpoint verification of NET-TUNL-004.

Alternative 1 - (FW can do only primary filtering) - Action #5 - Apply Baseline Filtering as a minimum:
Description: All packets that pass the filtering of action #1 above must be fully filtered per the baseline guidance. Apply all filtering to the inner IP layer. Since the border FW does not have the ability to filter the inner IP layer beyond the IP addresses, a second level of filtering (another firewall, internal) is needed to achieve this task. The border FW guarantees the proper tunnel decapsulation points, which are likely located on an internal router or the secondary FW. In either case, it must not be possible for packets to be decapsulated and avoid filtering. For example, a decapsulating router MUST be configured to route all tunnel contents toward the internal FW and not out some other interface. All packets that pass the filtering of action #1 above must be fully filtered per the baseline guidance defined by the 2nd Firewall ( Apply all NET-IPV6-xxx filtering to the inner IP layer via the 2nd firewall, and NET-TUNL-001.
Notes:
a) Includes (drop all Neighbor Discovery packets that emerge from tunnels).
b) Includes (drop all packets containing a Link-local source or destination address that emerge from tunnels).
c) Includes “Filtering Integrity for Fragmented Packets” applied to the inner IP layer.
d) Includes blocking IP-in-IP tunneling. This applies to the next tunnel layer.

Alternative 1 - (FW can do only primary filtering) - ACTION #6 - Restrict Tunnel contents to the greatest extent possible:
Apply action 3 controls.

Alternative 1 - (FW can do only primary filtering) - ACTION #7 - Protect the Decapsulating node:
Description: Drop any tunneled packets whose inner IP destination address belongs to an interface on the decapsulating node. The primary filtering capability defined in the justification section above can be used to accomplish this task.
Note: Since the baseline IPv6 filtering is being performed by a secondary firewall (action #5 above), any packets allowed out of the tunnel directly to the decapsulating node would bypass this filtering and must not be allowed.

----------------------------------------------------------------

Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #8 - Enforce Proper Tunnel Access (per IP address):
Description: In this case, the border FW can only filter the outer IP layer and cannot see the internal IP addresses. Therefore, the decapsulating node or secondary firewall must filter the decapsulated packets to drop any emerging tunnel packets (of either IP version) whose inner IP layer source address is not within the range or set of ranges of expected values from the tunnel entry point network. Also, if the tunnel is GRE, the border FW can only filter the outer IP layer holding the GRE header and cannot see the internal IP address. Note that multiple tunnels will likely require separate decapsulation points (separate routers) in order to verify that the proper ranges are emerging from each tunnel. It is not correct to filter all decapsulated traffic from several tunnels at the same router interface since there would be no way to detect traffic from tunnel A containing inner IP layer source addresses intended for tunnel B (i.e. users from one remote network using the privileges intended for another network).

Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #9 - Apply Baseline Filtering as a minimum:
All packets that pass the filtering of action #8 above must be fully filtered per the baseline guidance defined by the 2nd Firewall ( Apply all NET-IPV6-xxx filtering to the inner IP layer via the 2nd firewall, and NET-TUNL-001. As with Alternative 1, the secondary firewall must achieve this task. The border firewall guarantees the proper tunnel decapsulation points, which are likely located on an internal router or secondary firewall. It must not be possible for packets to be decapsulated and avoid filtering. For example, a decapsulating router MUST be configured to route all tunnel contents toward the secondary firewall and not out some other interface.
Notes:
a) Includes (drop all Neighbor Discovery packets that emerge from tunnels).
b) Includes (drop all packets containing a Link-local source or destination address that emerge from tunnels).
c) Includes “Filtering Integrity for Fragmented Packets” applied to the inner IP layer.
d) Includes blocking IP-in-IP tunneling. This applies to the next tunnel layer.

Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #10 - Restrict Tunnel contents to the greatest extent possible:
Apply action 3 controls.

Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #11 - Protect the Decapsulating node:
Description: Drop any tunneled packets whose inner IP destination address belongs to an interface on the decapsulating node. The decapsulating node must be able to perform this filtering itself since the border FW cannot see the inner IP addresses (an assumption for Alternative 2).
Note: Since the baseline IPv6 filtering is being performed by a secondary firewall (action #9 above), any packets allowed out of the tunnel directly to the decapsulating node would likely bypass this filtering and must not be allowed.

Alternative 2 - (FW can do neither primary nor secondary filtering) - Action #12 - Non-IP GRE Payloads:
Per action 8, if payloads other than IP are being delivered by the GRE tunnels, they must be guaranteed proper filtering. Administrators must be sure that all tunnel contents are filtered. How this is achieved must be handled on a case-by-case basis depending on the particular GRE payload type and filtering/routing capabilities of the decapsulating node. If possible, avoid this case by using IP-in-IP tunneling instead.
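
The inner-layer decisions described above, as an added example that is not part of the STIG: a small model that applies the tunnel access check (actions #1, #4, #8), decapsulating node protection (actions #7, #11) and baseline notes a, b and d to a 6in4 (IP protocol 41) packet. The tunnel table, node address, function names and sample packets are constructed for illustration; keying each tunnel on its outer source address is what lets the filter catch tunnel A carrying inner sources intended for tunnel B.

```python
import ipaddress
import struct

# Constructed policy (documentation addresses): tunnel entry point (outer
# IPv4 source) -> inner source prefixes expected from that tunnel.
TUNNELS = {"192.0.2.1": [ipaddress.ip_network("2001:db8:a::/48")],
           "198.51.100.1": [ipaddress.ip_network("2001:db8:b::/48")]}
DECAP_NODE = {ipaddress.ip_address("2001:db8:ffff::1")}  # constructed
ND_TYPES = {133, 134, 135, 136, 137}  # ICMPv6 RS, RA, NS, NA, Redirect
NESTED_TUNNEL = {4, 41}               # IPv4-in-IP, IPv6-in-IP

def filter_6in4(packet: bytes) -> str:
    """Return 'permit' or 'drop: <reason>' for one 6in4 packet (extension
    headers are not walked and fragments are not reassembled)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 41 or len(packet) < ihl + 40:
        return "drop: not a complete 6in4 packet"
    expected = TUNNELS.get(str(ipaddress.IPv4Address(packet[12:16])))
    if expected is None:
        return "drop: unknown tunnel entry point"
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return "drop: inner packet is not IPv6"
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    if not any(src in net for net in expected):      # actions #1, #4, #8
        return "drop: inner source not expected for this tunnel"
    if src.is_link_local or dst.is_link_local:       # baseline note b
        return "drop: link-local address"
    if dst in DECAP_NODE:                            # actions #7, #11
        return "drop: destined to decapsulating node"
    if inner[6] in NESTED_TUNNEL:                    # baseline note d
        return "drop: nested IP-in-IP tunnel"
    if inner[6] == 58 and len(inner) > 40 and inner[40] in ND_TYPES:
        return "drop: Neighbor Discovery"            # baseline note a
    return "permit"

def build_6in4(outer_src, src, dst, next_header=59, payload=b""):
    """Build a constructed sample packet (checksum zero, hop limit 255)."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    inner += ipaddress.IPv6Address(src).packed
    inner += ipaddress.IPv6Address(dst).packed + payload
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
    return (outer + ipaddress.IPv4Address(outer_src).packed
            + ipaddress.IPv4Address("203.0.113.1").packed + inner)
```

The sample builder sets the inner hop limit to 255 because a tunnel delivers that value intact, which is why Neighbor Discovery emerging from a tunnel is dropped outright rather than trusted on its hop limit.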

Fix text

To ensure the enclave can be protected from tunnels, the end-point must be decapsulated to inspect the inner IP packet or the firewall must have the capability to perform primary and secondary filtering and content inspection. Tracing these tunnel end-points and ensuring that filters protecting the enclave are in place may be necessary. Apply deny by default. Apply destination addresses to tunnels to extended tunnels. Apply PPS policies to protocols at all decapsulation end-points. Apply content inspection.
