From AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE
Part of GEN007900
Associated with IA controls: ECSC-1
Associated with: CCI-001551
Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets that have source addresses for which the system has no route or if the route does not point towards the interface on which the packet arrived. Depending on the role of the system, reverse-path filtering may cause legitimate traffic to be discarded and, therefore, should be used with a more permissive mode or filter, or not at all. Whenever possible, reverse-path filtering should be used.
Determine if the system is configured to use reverse-path filtering. Examine the IPSec rules on the system. # lsfilt -a All systems must block inbound traffic destined to the loopback address from other network interfaces. Additionally, if the system is multihomed and the attached networks are isolated or perform symmetric routing, traffic with source addresses expected on one interface must be blocked when received on another interface. If filtering is not configured on the system, this is a finding.
Configure the system to use reverse-path filtering using IP Sec filters.
Add rules to block traffic with loopback network source addresses from being received on interfaces other than the loopback, such as other ethernet interfaces.
Use smitty or genfilt command to block loopback address from network interfaces.
# smitty ipsec6
# genfilt -v6 -a D -s
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer