The Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.

From Juniper SRX SG ALG Security Technical Implementation Guide

Part of SRG-NET-000273-ALG-000129

Associated with: CCI-001312

SV-80827r1_rule The Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.

Vulnerability discussion

Providing too much information in error messages risks compromising the data and security of the application and system. Organizations carefully consider the structure and content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes ICMP messages that reveal the use of firewalls or access-control lists.

Check content

Verify ICMP messages are configured to meet DoD requirements.

[edit]
show firewall family inet

If ICMP messages are not configured in compliance with DoD requirements, this is a finding.

Fix text

Configure ICMP to meet DoD requirements. The following example uses "protect_re" as the filter name and assumes the referenced source prefix lists (address books) are already configured.

[edit]
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ssh-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list bgp-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list loopback-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list local-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ixiav4
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-request
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-reply
set firewall family inet filter protect_re term permit-icmp then log
set firewall family inet filter protect_re term permit-icmp then syslog
set firewall family inet filter protect_re term permit-icmp then accept
set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighbor-advertisement
set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighbor-solicit
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighbor-advertisement
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighbor-solicit
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type 134
set firewall family inet6 filter ingress-v6 term permit-ar then accept
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighbor-advertisement
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighbor-solicit
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type 134
set firewall family inet6 filter egress-v6 term permit-lr then accept
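The fix text defines the filters but does not show them being applied, and a filter that is not attached to an interface matches nothing. The following is an added example, not part of the STIG text, showing how the "protect_re" and "protect_re-v6" filters would be attached to the Routing Engine's loopback interface and then verified. It assumes the prefix lists named in the fix text already exist and that protect_re carries further terms for the other traffic the Routing Engine must accept (SSH, BGP, and so on): a Junos firewall filter ends with an implicit discard, so a filter whose only term is permit-icmp would drop all other management traffic once applied.

```junos
# Added example (not from the STIG). Prefix lists and the remaining
# protect_re terms are assumed to exist already.
[edit]
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ssh-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list loopback-addresses
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-request
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-reply
set firewall family inet filter protect_re term permit-icmp then syslog
set firewall family inet filter protect_re term permit-icmp then accept

# Attach the filters to the loopback interface so they screen traffic
# destined to the Routing Engine itself.
set interfaces lo0 unit 0 family inet filter input protect_re
set interfaces lo0 unit 0 family inet6 filter input protect_re-v6

# Commit with automatic rollback; confirm within 5 minutes once
# management access (e.g. SSH) is verified to still work.
commit confirmed 5
commit

# Verification: the check command from this rule, then the operational
# view of the applied filter and the packets its log/syslog actions record.
show firewall family inet
run show firewall filter protect_re
run show firewall log
```

Because `commit confirmed` rolls the configuration back automatically if the second `commit` is not issued, a filter that accidentally excludes the management source prefixes cannot lock the operator out permanently. The `show firewall log` output is also what a reviewer would examine to confirm that only echo-request and echo-reply from the listed prefixes are being accepted.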
