The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.

An XCCDF Rule

Description

<VulnDiscussion>Manipulation of IP addresses can allow untrusted systems to appear as trusted hosts, bypassing firewall and other security mechanism and resulting in system penetration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216163r959010_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Determine the name of the zone that you are currently securing.

# zonename

If the command output is "global", then only the "phys" and "SR-IOV" interfaces assigned to the global zone require configuration. If using a non-Global zone, then all "phys" and "SR-IOV" interfaces assigned to the zone require configuration.
The Network Link Security profile is required.

Determine which network interfaces are available and what protection modes are enabled and required.

Enable link protection based on each configured network interface type.

For InfiniBand:
# pfexec dladm set-linkprop -p protection=restricted,ip-nospoof,dhcp-nospoof [interface name]  

For IP forwarding:
# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] 

For SR-IOV:
# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,dhcp-nospoof [interface name] 

For Ethernet without IP forwarding:
# pfexec dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof [interface name]

The operating system must prevent internal users from sending out packets which attempt to manipulate or spoof invalid IP addresses.

Description

Remediation - Manual Procedure