NET-TUNL-003 - Tunnels do not use explicit IP addresses

Information

Tunnel endpoints must be explicitly defined, because auto-configuration tunnels are not permitted.

IPv6-in-IPv4 tunnels require explicit configuration (on the tunnel exit point node) of both the tunnel exit point IP address and the corresponding tunnel entry point address. These are the outer IP layer destination and source addresses respectively.

Unfortunately, the other three tunnel types (4-in-4, 4-in-6, and 6-in-6) have no such requirement built into the standards. The tunnel exit point address will likely need to be configured for these tunnel types (i.e. nodes are not expected to simply accept tunneling by default) and there MAY be a configuration option to allow the tunnel entry point address to be declared as well. Administrators should attempt to specify both addresses regardless of the IP versions being tunneled if the capability is available for the implementation.

There are no requirements in the GRE tunnel standards to check or restrict IP addresses of the tunnel end points (outer IP layer), so it is purely up to the software implementer. The tunnel exit point address will likely need to be configured for these tunnels (i.e. nodes are not expected to simply accept GRE tunneling by default) and there MAY be a configuration option to allow the tunnel entry point address to be declared as well. Administrators should attempt to specify both addresses if the capability is available for the implementation.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Review the identified protocols allowed to enter the enclave. If a tunnel does not have explicit IP addresses, then drop the tunnel under the deny-by-default tunnel policy; otherwise, document the auto-configured tunnel in the SSAA, describing the activity, and perform periodic reviews of the continued need for the tunnel.
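As an added illustration (not part of the benchmark or the Nessus plugin), the following Python reviews a Cisco IOS-style running configuration and reports, per Tunnel interface, whether the tunnel declares explicit source and destination endpoints or relies on an auto-configuration mode such as 6to4. The configuration excerpt and interface names are constructed; treating a `tunnel source` given as an interface name as acceptable pending verification of a static address is an assumption, not a statement of the STIG.

```python
import ipaddress
# Constructed IOS running-config excerpt (not from the page): three Tunnel interfaces.
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.7
!
interface Tunnel1
 tunnel source GigabitEthernet0/1
 tunnel mode ipv6ip 6to4
!
interface Tunnel2
 tunnel source GigabitEthernet0/2
 tunnel destination 203.0.113.9
"""

def parse_tunnels(config):
    """Collect 'tunnel source/destination/mode' values per Tunnel interface."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface Tunnel"):
            current = tunnels.setdefault(line.split()[1], dict.fromkeys(("source", "destination", "mode")))
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any other top-level command ends the interface block
            continue
        words = line.split(None, 2)  # e.g. ['tunnel', 'mode', 'ipv6ip 6to4']
        if len(words) == 3 and words[0] == "tunnel" and words[1] in current:
            current[words[1]] = words[2]
    return tunnels

def is_address(token):
    try:
        ipaddress.ip_address(token)  # raises ValueError for an interface name such as GigabitEthernet0/1
        return True
    except ValueError:
        return False

def check_tunnels(config):
    """Map each Tunnel interface to 'compliant' or the reason it fails NET-TUNL-003."""
    findings = {}
    for name, t in parse_tunnels(config).items():
        # IOS ipv6ip submodes that derive endpoints automatically rather than from explicit addresses
        if any(m in (t["mode"] or "") for m in ("6to4", "isatap", "auto-tunnel")):
            findings[name] = "auto-configuration tunnel mode: " + t["mode"]
        elif not (t["source"] and t["destination"]):
            findings[name] = "missing explicit tunnel source or destination"
        elif not is_address(t["source"]):
            findings[name] = "source is interface " + t["source"] + ": confirm it has a static address"
        else:
            findings[name] = "compliant"
    return findings
```

Run `check_tunnels(SAMPLE_CONFIG)` to get one finding per tunnel; any result other than `compliant` is a candidate for the deny-by-default policy or for SSAA documentation.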

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-20202r2_rule, STIG-ID|NET-TUNL-003, Vuln-ID|V-18636

Plugin: Cisco

Control ID: 0e92b4630e591ae77d67e9604e29b680312630fe4b3d5f474b0c487acfed4111