PANW-IP-000030 - The Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Information

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker.

Three ICMP messages are commonly used by attackers for network mapping: Destination Unreachable, Redirect, and Address Mask Reply. These responses must be blocked on external interfaces; however, blocking the Destination Unreachable response will prevent Path Maximum Transmission Unit Discovery (PMTUD), which relies on the response 'ICMP Destination Unreachable--Fragmentation Needed but DF Bit Set'. PMTUD is a useful function and should only be 'broken' after careful consideration.

An acceptable alternative to blocking all Destination Unreachable responses is to filter Destination Unreachable messages generated by the IDPS to allow ICMP Destination Unreachable-Fragmentation Needed but DF Bit Set (Type 3, Code 4) and apply this filter to the external interfaces.

Solution

Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Create three custom Applications to identify ICMP Type 3, 5, and 18:
Go to Objects >> Applications
Select 'Add'.
In the Application window; complete the required fields In the Configuration tab, in the General section, complete the Name and Description Fields.
In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol.
In the Advanced tab, in the Defaults section, select ICMP Type Enter '3' since ICMP Destination Unreachable is Type 3 Select OK Repeat this procedure two more times, using the values for ICMP Type are 5 and 18 since respectively since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18.
Use these three Application filters in a Security Policy.

To configure the security policy:
Go to Policies >> Security
Select 'Add'.
In the 'Security Policy Rule' window, complete the required fields.
In the 'General' tab, complete the 'Name' and 'Description' fields. Select 'interzone' for the Rule Type.
In the 'Source' tab, complete the 'Source Zone' and 'Source Address' fields.
For the 'Source Zone' field, select 'internal'.
For the 'Source Address' field, select 'any'.
In the 'Destination' tab, for the 'Destination Address' field, select 'any'.
Note: The 'Destination Zone' window will be grayed out (unable to enter parameters).

In the 'Applications' tab, select the three application filters configured above.
In the 'Actions' tab, select 'Deny' as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Select 'OK'.
Commit changes by selecting 'Commit' in the upper-right corner of the screen. Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11a., CAT|II, CCI|CCI-001312, Rule-ID|SV-207698r557390_rule, STIG-ID|PANW-IP-000030, STIG-Legacy|SV-77157, STIG-Legacy|V-62667, Vuln-ID|V-207698

Plugin: Palo_Alto

Control ID: 977c54488d6b495ae22721345a041a6f0c660e1db4cb7b107657175f9b9cc8c0