NET-TUNL-004 - Tunnel end-points are not verified by filters

Information

The tunnel entry point and the tunnel exit point must have filters that permit only the expected tunnel protocol traffic between the expected source and destination addresses and deny all remaining traffic by default.

Tunnel endpoints that are not subject to the same controls as the network perimeter become an unprotected entry point into the enclave.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Explicitly permit trusted network traffic and establish a deny by default policy at the tunnel entry and exit points.
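One way to apply this on a Cisco IOS router, as an added example that is not taken from the STIG or the Nessus plugin: the weak filter accepts GRE from anywhere, the corrected filter permits only the tunnel protocol between the two known endpoints and drops everything else. Interface names and the addresses 192.0.2.1 (local endpoint) and 198.51.100.1 (peer) are constructed for illustration; the peer router needs the mirror-image filter, and any other traffic the perimeter legitimately requires is permitted explicitly in the same way.

```cisco
! Weak filter: any source may send GRE to any address on the router,
! and all other traffic is permitted as well (no deny-by-default)
ip access-list extended TUNNEL-IN-WEAK
 permit gre any any
 permit ip any any

! Hardened filter: expected protocol, expected source and destination,
! deny (and log) everything else by default
ip access-list extended TUNNEL-IN
 remark Tunnel0 peer 198.51.100.1 -> local endpoint 192.0.2.1 (constructed)
 permit gre host 198.51.100.1 host 192.0.2.1
 remark Anything else arriving on the tunnel-facing interface is dropped and logged
 deny ip any any log

! Apply the filter inbound on the interface that terminates the tunnel
interface GigabitEthernet0/0
 description Outside - tunnel endpoint 192.0.2.1 (constructed)
 ip address 192.0.2.1 255.255.255.252
 ip access-group TUNNEL-IN in

! The tunnel itself, sourced from the filtered interface
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
```

Verify with `show ip access-lists TUNNEL-IN` that only the expected permit entry accumulates matches and that the final deny entry is last; hits on the deny entry are the traffic the control exists to stop.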

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-20200r2_rule, STIG-ID|NET-TUNL-004, Vuln-ID|V-18635

Plugin: Cisco

Control ID: d13f8848225284d7d5473ef4511513dc3f92815a271473d41c0c4c1006721f8a