3.3 Ensure packet fragments are restricted for untrusted interfaces

Information

Sets the security appliance to drop fragmented packets received on the untrusted interface.

Rationale:

Attackers use fragmentation to evade security systems such as firewalls or IPS, because the checks are usually performed only on the first fragment. They can then place a malicious payload in the other fragments to perform DoS against internal systems. Restricting fragments on the security appliance changes its default behavior from accepting up to 24 fragments per packet to accepting only 1 fragment per packet. In other words, the appliance then accepts only non-fragmented packets on that interface.

Solution

* Step 1: Acquire the name of the untrusted interface <interface_name>
* Step 2: Run the following command to deny fragments on the interface.

hostname(config)# fragment chain 1 <interface_name>
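As an added compliance-check example (not part of the original benchmark item or of any Tenable plugin), the script below audits an ASA running-config for this control: it reads each `nameif`, computes the effective `fragment chain` limit per interface (default 24 when nothing is set), flags any untrusted interface whose limit is above 1, and emits the `fragment chain 1 <interface_name>` remediation line for each. The config text is constructed for illustration; the list of untrusted interface names is supplied by the caller, and the assumption that a per-interface `fragment chain` line overrides a global one is the script's own, not stated on the page.

```python
"""Audit an ASA running-config for 'fragment chain 1' on untrusted interfaces (added example)."""
import re

# Default ASA behaviour per the benchmark text: up to 24 fragments accepted per packet.
DEFAULT_CHAIN_LIMIT = 24

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$", re.IGNORECASE)
FRAGMENT_RE = re.compile(r"^\s*fragment\s+chain\s+(\d+)(?:\s+(\S+))?\s*$", re.IGNORECASE)

# Constructed sample running-config (not from a real device): 'outside' is already
# hardened, 'dmz' is untrusted but still at the default of 24 fragments.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
fragment chain 1 outside
"""


def effective_chain_limits(config_text):
    """Return {nameif: effective fragment chain limit} for every named interface.

    Assumption (not stated on the page): a 'fragment chain N' line without an
    interface sets the limit for all interfaces, and a later per-interface line
    overrides it for that interface only. Lines are processed in config order.
    """
    names = []
    global_limit = DEFAULT_CHAIN_LIMIT
    per_iface = {}
    for line in config_text.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            names.append(m.group(1))
            continue
        m = FRAGMENT_RE.match(line)
        if not m:
            continue
        limit, iface = int(m.group(1)), m.group(2)
        if iface is None:
            global_limit = limit
            per_iface.clear()  # a global setting replaces earlier per-interface values
        else:
            per_iface[iface] = limit
    return {n: per_iface.get(n, global_limit) for n in names}


def noncompliant_interfaces(config_text, untrusted):
    """Untrusted interfaces (by nameif) that still accept more than one fragment."""
    limits = effective_chain_limits(config_text)
    return sorted(n for n in untrusted if limits.get(n, DEFAULT_CHAIN_LIMIT) > 1)


def remediation_commands(config_text, untrusted):
    """Config-mode commands that would bring each non-compliant interface in line."""
    return ["fragment chain 1 %s" % n for n in noncompliant_interfaces(config_text, untrusted)]


if __name__ == "__main__":
    untrusted = ["outside", "dmz"]
    for name, limit in effective_chain_limits(SAMPLE_CONFIG).items():
        print("%-8s fragment chain limit = %d" % (name, limit))
    for cmd in remediation_commands(SAMPLE_CONFIG, untrusted):
        print("REMEDIATE: " + cmd)
```

Run it against `show running-config` output saved to a file and pass the nameifs you consider untrusted; an empty remediation list means the interface set is compliant with this item.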

See Also

https://workbench.cisecurity.org/files/1903

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|11.1

Plugin: Cisco

Control ID: c566e3a83cf1787fa464c3f4147f5ac30be1983d0a5ac20fa33f0fa5e3e8c091