Tunnel entry point and the tunnel exit point must contain filters for expected tunnel protocol traffic with source and destination addresses and deny the remaining traffic by default.

From Perimeter L3 Switch Security Technical Implementation Guide

Part of Tunnel end-points are not verified by filters

Associated with IA controls: ECSC-1

SV-20200r2_rule Tunnel entry point and the tunnel exit point must contain filters for expected tunnel protocol traffic with source and destination addresses and deny the remaining traffic by default.

Vulnerability discussion

Tunnel endpoints that do not have the same controls as the network perimeter requirements become an unprotect entry point into the enclave.

Check content

These filtering actions enforce proper tunnel endpoint addresses at the border of the tunnel entry and exit points. Filtering is necessary because implementations may not enforce tunnel addresses in all cases. Filtering is also necessary because GRE tunneling implementations are not required by standards to check or enforce tunnel endpoint addresses. Endpoint Verification at the Exit point (I) - Allow inbound IPv4 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. Endpoint Verification at the Exit network (II) - Allow inbound IPv4 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. Endpoint Verification at the Exit network (III) - Allow inbound IPv6 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. Endpoint Verification at the Exit network (IV) - Allow inbound IPv6 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. Endpoint Verification at the Exit network (v) - Allow inbound IPv4 and IPv6 packets with a protocol value of 0x2F (47) that have both source and destination addresses of a deliberately configured GRE tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured GRE tunnel. Network configuration - Report bad inbound tunnel packets as a Security Event. Inbound packets that fail the filtering of the actions at the exit point should trigger a security alert since the entry point network filtering should catch all legitimate mistakes. These occurrences are likely the result of network attacks. These filtering actions enforce proper tunnel endpoint addresses at the border of the entry point network. By filtering the tunneled data for validity, the entry point network can detect configuration errors and users conducting unauthorized tunneling operations. By filtering the addresses of tunneled data for validity, the entry point network can detect configuration errors and unauthorized tunneling operations by bad users. Endpoint Verification at the Entry network, (I) Allow outbound IPv4 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv4 tunnel. Endpoint Verification at the Entry network, (II) Allow outbound IPv4 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv4 tunnel. Endpoint Verification at the Entry network, (III) Allow outbound IPv6 packets with a protocol value of 0x04 (4) that have both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv4-in-IPv6 tunnel. Endpoint Verification at the Entry network, (IV) Description: Allow outbound IPv6 packets with a protocol value of 0x29 (41) that have both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured IPv6-in-IPv6 tunnel. Endpoint Verification at the Entry network, (v) Allow outbound IPv4 and IPv6 packets with a protocol value of 0x2F (47) that have both source and destination addresses of a deliberately configured GRE tunnel. This refers to the IP addresses of the outer IP layer. Drop any such packet that does not match both source and destination addresses of a deliberately configured GRE tunnel. Network configuration - Report bad outbound tunnel packets as Network Management errors. Outbound packets that fail the filtering of actions at the entry point should trigger a network management error since these are likely configuration or routing errors. This may also detect unauthorized tunneling by users. Review the tunnel end-points and verify a filter is present. The filter for the tunnel entry-point must be defined to permit expected traffic that enters the tunnel. All other traffic must be denied. This filter must contain a permit statement that explicitly permits the tunnel type (protocol) and the source and destination address. The filter for the tunnel exit-point must be defined to permit the expect traffic that exits the tunnel. All other traffic must be denied. This filter must contain a permit statement that explicitly permits the tunnel type (protocol) and the source and destination address.

Fix text

Explicitly permit trusted network traffic and establish a deny by default policy at the tunnel entry and exit points.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer