Information
Tunneled packets must be filtered at the tunnel exit point.
Once a tunnel has been terminated, the inner packet is no different from any other packet; the inner packet must therefore be filtered at the network where the tunnel exits. Some packets are in fact more dangerous when tunneled. Neighbor Discovery, for example, requires a hop limit of 255 as evidence that a packet originated on the local link; because a tunnel carries the inner packet unchanged, an attack packet built with that hop limit could potentially be delivered to a host as if it were on-link.
NOTE: This requirement applies to any tunnel that is not an IPSec tunnel between two sites, part of the same enclave, and is under control of the same DAA.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To protect the enclave from tunnels, either the tunnel end-point must decapsulate the traffic so that the inner IP packet can be inspected, or the firewall must be capable of performing primary and secondary filtering and content inspection. It may be necessary to trace these tunnel end-points and confirm that filters protecting the enclave are in place.
Apply deny by default.
Apply destination addresses to tunnels to extended tunnels.
Apply PPS policies to protocols at all decapsulation end-points.
Apply content inspection.
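The following is an added example, not part of the STIG text or of any vendor's product, showing what "filter at the tunnel exit point" means in practice: a 6in4 (IPv4 protocol 41) packet is decapsulated, and the inner IPv6 packet is then judged by a deny-by-default policy that only admits traffic to the enclave prefix on an allow-listed TCP port and rejects Neighbor Discovery arriving through the tunnel regardless of its hop limit. The enclave prefix, the allow-listed port and the sample packets are constructed for the example; ICMPv6 and TCP checksums are left at zero because this filter does not verify them.

```python
from __future__ import annotations

import ipaddress
import struct

IPV4_PROTO_IPV6 = 41          # 6in4 encapsulation: IPv6 carried directly in IPv4
IPV6_NH_TCP = 6
IPV6_NH_ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (Neighbor Discovery)

# Hypothetical enclave prefix and allow-list, constructed for this example.
ENCLAVE = ipaddress.ip_network("2001:db8:100::/48")
ALLOWED_TCP_PORTS = {443}


def decapsulate_6in4(outer: bytes) -> bytes:
    """Strip the outer IPv4 header and return the inner IPv6 packet."""
    if len(outer) < 20 or (outer[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    if outer[9] != IPV4_PROTO_IPV6:
        raise ValueError("outer protocol is not 41 (6in4)")
    ihl = (outer[0] & 0x0F) * 4
    total_len = struct.unpack("!H", outer[2:4])[0]
    return outer[ihl:total_len]


def filter_inner(inner: bytes) -> tuple[bool, str]:
    """Deny-by-default policy applied to the decapsulated packet."""
    if len(inner) < 40 or (inner[0] >> 4) != 6:
        return False, "malformed inner IPv6 header"
    payload_len, next_header, hop_limit = struct.unpack("!HBB", inner[4:8])
    dst = ipaddress.IPv6Address(inner[24:40])
    payload = inner[40:40 + payload_len]
    if dst not in ENCLAVE:
        return False, "destination outside enclave"
    if next_header == IPV6_NH_ICMPV6:
        if len(payload) < 4:
            return False, "truncated ICMPv6 header"
        icmp_type = payload[0]
        if icmp_type in ND_TYPES:
            # Hop limit 255 normally proves on-link origin; a tunnel defeats that proof.
            return False, f"Neighbor Discovery type {icmp_type} via tunnel (hop limit {hop_limit})"
        return False, "ICMPv6 not on allow-list"
    if next_header == IPV6_NH_TCP:
        if len(payload) < 4:
            return False, "truncated TCP header"
        dport = struct.unpack("!H", payload[2:4])[0]
        if dport in ALLOWED_TCP_PORTS:
            return True, f"TCP/{dport} allowed"
        return False, f"TCP/{dport} not on allow-list"
    return False, f"next header {next_header} denied by default"


def inspect_tunneled(outer: bytes) -> tuple[bool, str]:
    """Decapsulate, then apply the inner-packet filter; any parse failure is a deny."""
    try:
        inner = decapsulate_6in4(outer)
    except ValueError as exc:
        return False, str(exc)
    return filter_inner(inner)


# --- constructed sample packets (not captured traffic) ---
def build_ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.1").packed) + payload


def build_ipv6(next_header: int, hop_limit: int, src: str, dst: str, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


# Neighbor Solicitation (type 135) with hop limit 255, carried through the tunnel.
_NS = bytes([135, 0, 0, 0]) + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8:100::1").packed
SAMPLE_ND_PACKET = build_ipv4(IPV4_PROTO_IPV6, build_ipv6(
    IPV6_NH_ICMPV6, 255, "2001:db8:dead::1", "2001:db8:100::1", _NS))

# TCP SYN to port 443 inside the enclave: the one thing the allow-list admits.
_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_TCP_PACKET = build_ipv4(IPV4_PROTO_IPV6, build_ipv6(
    IPV6_NH_TCP, 64, "2001:db8:dead::1", "2001:db8:100::1", _SYN))

# Same SYN, but the outer header is plain IPv4 with a different protocol number.
SAMPLE_NOT_TUNNEL = build_ipv4(17, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("ND", SAMPLE_ND_PACKET), ("TCP", SAMPLE_TCP_PACKET), ("UDP", SAMPLE_NOT_TUNNEL)]:
        print(name, inspect_tunneled(pkt))
```

Running the block prints one verdict per sample: the tunneled Neighbor Solicitation is denied even though its hop limit is 255, the TCP/443 SYN to the enclave is the only packet allowed, and anything the decapsulator cannot parse as 6in4 is denied rather than passed through. On a real exit point the same decision is what a firewall's inner-packet rules (PPS policy, destination address filters, content inspection) must produce after decapsulation.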