Ensure packet fragments are restricted for untrusted interfaces

Information

Sets the security appliance to drop fragmented packets received on the untrusted interface.

Rationale:

Attackers use fragmentation to evade security systems such as firewalls or IPS because the checks are usually performed on the first fragment. They can then put malicious payload in the other fragments to perform DoS against internal systems. Disabling the fragmentation on the security appliance implies changing its default behavior from accepting up to 24 fragments in a packet to accepting only 1 fragment in a packet. In other words, it implies accepting only non fragmented packets.

Solution

Configure Fragment settings with Firepower Management Center:

Step 1 - Select Devices > Device Management and click the edit icon () for your FTD device. The Interfaces tab is selected by default.

Step 2 - Click the edit icon () for the interface you want to edit.

Step 3 - Click the Advanced tab, and then click the Security Configuration tab.

Step 4 - To enable Unicast Reverse Path Forwarding, check the Anti-Spoofing check box.

Step 5 - To enable full fragment reassembly, check the Full Fragment Reassembly check box.

Step 6 - To change the number of fragments allowed per packet, check the Override Default Fragment Setting check box

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623.html

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6

Plugin: Cisco

Control ID: 1a5e2dc077c982d314928200c71842f3d9b9d2374b943e2553a7f27ebd8d8596