PANW-AG-000127 - The Palo Alto Networks security platform must block traceroutes and ICMP probes originating from untrusted networks (e.g., ISP and other non-DoD networks).

Information

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give configuration details about the network element.

The traceroute utility will display routes and trip times on an IP network. An attacker can use traceroute responses to create a map of the subnets and hosts behind the boundary. The traditional traceroute relies on TTL - time exceeded responses from network elements along the path and an ICMP port-unreachable message from the target host. In some Operating Systems such as UNIX, trace route will use UDP port 33400 and increment ports on each response. Since blocking these UDP ports alone will not block trace route capabilities along with blocking potentially legitimate traffic on a network, it's unnecessary to block them explicitly. Because traceroutes typically rely on ICMP Type 11 - Time exceeded message, the time exceeded message will be the target for implicitly or explicitly blocking outbound from the trusted network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Although the default inter-zone Security Policy will deny this traffic, a specific Security Policy should be used.

To configure the security policy:
Go to Policies >> Security
Select 'Add'.
In the 'Security Policy Rule' window, complete the required fields.
In the 'General' tab, complete the 'Name' and 'Description' fields.
In the 'Source' tab, complete the 'Source Zone' and 'Source Address' fields.
For the 'Source Zone' field, select 'external'.
For the 'Source Address' field, select 'any'.
In the 'Destination' tab, complete the 'Destination Zone' and 'Destination Address' fields.
For the 'Destination Zone' field, select the internal and DMZ zones. Note: The exact number and name of zones are specific to the network.
For the 'Destination Address' field, select 'any'.
In the 'Applications' tab, select 'icmp', 'ipv6-icmp', 'traceroute'.
In the 'Actions tab', select 'Deny' as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11b., CAT|II, CCI|CCI-001314, Rule-ID|SV-228875r557387_rule, STIG-ID|PANW-AG-000127, STIG-Legacy|SV-77121, STIG-Legacy|V-62631, Vuln-ID|V-228875

Plugin: Palo_Alto

Control ID: eb3fac05f9baecf6b0b4038d1e95b729e0af5b3f1b7c2aea9ca47528a55d9e97