Introduction : This article explains the new feature called “Firewall reject source routing” introduced in AOS version 18.104.22.168-FIPS.
Feature Notes : Before going into the Firewall Reject Source Routing feature itself, a brief note on what FIPS and Common Criteria are.
The FIPS 140 series of Federal Information Processing Standards are U.S. government computer security standards that specify requirements for cryptographic modules.
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria is used as the basis for government-driven certification schemes, and evaluations are typically conducted for products used by federal government agencies and critical infrastructure.
Firewall Reject Source Routing
The Common Criteria requirement is that the firewall must, by default, reject, and be capable of logging, packets that carry any of the IP options Loose Source Routing, Strict Source Routing or Record Route.
- Loose Source Routing (LSRR) - An IP option carrying a list of router addresses the packet must visit, in order. The destination address field holds only the next listed router; when that router receives the packet it replaces the destination address with the next address in the list and records its own address in the slot just used. The name comes from the fact that only part of the path is fixed in advance: between the listed routers the packet may take any path.
- Strict Source Routing (SSRR) - Works the same way, but the sender specifies the exact route the packet must take: every hop is decided in advance when the packet is sent, and each listed router must be directly reachable from the previous one.
- Record Route (RR) - This option is used to trace the route an IP packet takes through the network. Per RFC 791, when an internet module routes a datagram it checks whether the record route option is present. If it is, it inserts its own internet address, as known in the environment into which the datagram is being forwarded, into the recorded route beginning at the byte indicated by the pointer, and increments the pointer by four.
Why source-routing options are a security risk:
Source-routing options let the sender dictate the path a packet takes and learn the addresses of the routers it transits. That control over the path can be used to bypass a firewall, so these options are treated as a security threat.
For example: network A has a correctly configured firewall but accepts traffic arriving from network B, which has no firewall. A malicious user can target a host in network A by source-routing the packet through network B: the packet's destination address field names a router in B, while the real target in A is carried only in the source-route option, so the packet enters A over the trusted path from B.
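The three options above and the network A / network B bypass, worked through in code. This is an added example written for this article, not Aruba or AOS code: it builds constructed IPv4 headers carrying the Record Route, Loose Source Route and Strict Source Route options (RFC 791 option types 7, 131 and 137), parses the option list the way a firewall must before it can reject the packet, and simulates the RFC 791 forwarding step at network B's router that turns a packet addressed to B into one addressed to a host inside A. The addresses (taken from the RFC 5737 documentation ranges), the `firewall_verdict` policy function and the log-line format are this example's own assumptions, not AOS behaviour or syslog format.

```python
# Added example (not Aruba/AOS code): IPv4 source-routing options, a reject-and-log check
# modelled on "firewall deny-source-routing", and the RFC 791 forwarding step that lets a
# source-routed packet reach a host that is not named in its destination address field.
import ipaddress
import struct

OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR = 0, 1, 7, 131, 137   # RFC 791 option types
SOURCE_ROUTE_OPTIONS = {OPT_RR: "record-route", OPT_LSRR: "loose-source-routing",
                        OPT_SSRR: "strict-source-routing"}
# Constructed addresses (RFC 5737 ranges): attacker outside, firewall-less B, protected host in A.
ATTACKER, B_ROUTER, A_HOST = "203.0.113.10", "198.51.100.1", "192.0.2.20"

def build_ipv4_header(src, dst, option=None, route=(), proto=6, ttl=64):
    """Bare IPv4 header; `option` is OPT_RR/OPT_LSRR/OPT_SSRR or None, `route` the addresses
    placed in it ("0.0.0.0" slots for RR). Checksum stays zero: nothing is transmitted."""
    opts = b""
    if option is not None:
        addrs = b"".join(ipaddress.IPv4Address(h).packed for h in route)
        opts = bytes([option, 3 + len(addrs), 4]) + addrs  # type, length, pointer (4 = first slot)
        opts += b"\x00" * (-len(opts) % 4)                  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + opts

def parse_ipv4_options(header):
    """[(type, offset, length)] per multi-byte option; ValueError if the list is truncated
    or overruns the header, which a firewall should drop rather than guess about."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("IHL out of range")
    found, i = [], 20
    while i < ihl:
        kind = header[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option type without length byte")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError(f"option {kind} length {length} overruns header")
        found.append((kind, i, length))
        i += length
    return found

def firewall_verdict(header, deny_source_routing=True):
    """Check in the spirit of 'firewall deny-source-routing': ('drop', reason) or ('accept', None)."""
    try:
        options = parse_ipv4_options(header)
    except ValueError as exc:
        return "drop", f"malformed-options: {exc}"
    if deny_source_routing:
        for kind, _, _ in options:
            if kind in SOURCE_ROUTE_OPTIONS:
                return "drop", SOURCE_ROUTE_OPTIONS[kind]
    return "accept", None

def log_line(header, verdict):
    """One per-packet log record (format is this example's own, not AOS syslog format)."""
    src, dst = ipaddress.IPv4Address(header[12:16]), ipaddress.IPv4Address(header[16:20])
    return f"fw {verdict[0]} src={src} dst={dst} reason={verdict[1] or '-'}"

def route_addresses(header):
    """Addresses held in the RR/LSRR/SSRR option (sender-supplied or router-recorded)."""
    for kind, off, length in parse_ipv4_options(header):
        if kind in SOURCE_ROUTE_OPTIONS:
            data = header[off + 3:off + length]
            return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]
    return []

def forward_source_routed(header, router_ip):
    """RFC 791 LSRR/SSRR step at a router that is the current destination: the next listed
    address becomes the destination, the router records itself in the consumed slot,
    and the pointer advances by four."""
    hdr, me = bytearray(header), ipaddress.IPv4Address(router_ip)
    if ipaddress.IPv4Address(bytes(hdr[16:20])) != me:
        return bytes(hdr)                                   # not addressed to us: forward as-is
    for kind, off, length in parse_ipv4_options(header):
        if kind in (OPT_LSRR, OPT_SSRR):
            pointer = hdr[off + 2]
            if pointer > length:
                return bytes(hdr)                           # route exhausted: deliver locally
            slot = off + pointer - 1                        # pointer is 1-based from option start
            hdr[16:20], hdr[slot:slot + 4] = hdr[slot:slot + 4], me.packed
            hdr[off + 2] = pointer + 4
            break
    return bytes(hdr)

def bypass_demo():
    """(header dst on arrival at B, header dst after B forwards, verdict at A, log line)."""
    pkt = build_ipv4_header(ATTACKER, B_ROUTER, OPT_LSRR, [A_HOST])
    at_b = str(ipaddress.IPv4Address(pkt[16:20]))           # looks like ordinary traffic to B
    after_b = forward_source_routed(pkt, B_ROUTER)
    at_a = str(ipaddress.IPv4Address(after_b[16:20]))       # now aimed at the host inside A
    verdict = firewall_verdict(after_b)                     # rejected on the option, whatever the addresses
    return at_b, at_a, verdict, log_line(after_b, verdict)
```

`bypass_demo()` shows the point of the feature: on the wire between the attacker and B the header says the packet is for 198.51.100.1, and only after B's router performs the source-route step does the header say 192.0.2.20. A filter that reasons about source and destination addresses alone can be talked past by that swap; a filter that rejects the option itself, as `firewall_verdict` does, drops the packet at either hop, and the same check drops a packet whose option list is malformed rather than trying to interpret it.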
Environment : This article applies to all controllers running AOS version 22.214.171.124-FIPS or a later FIPS build.
Configuration Steps : CLI configuration:
(Aruba3600) (config) #firewall deny-source-routing
This command drops IP packets that have source-routing options set.
(Aruba3600) (config) #firewall enable-per-packet-logging
This command enables per-packet logging, so that the rejected packets are logged as the Common Criteria requirement calls for.
WebUI configuration:
- Navigate to Configuration > Advanced Services > Stateful Firewall > Global Settings
- Enable “Deny source routing”.