Profile Applicability
- Level 1
Description:
In a network, fragmented packets are packets that have been split into smaller pieces for transmission across a network that cannot accommodate the full size of the packet. Amazon VPC Network Firewalls and security groups in AWS can manage how fragmented packets are handled. The default action for fragmented packets (whether to drop or forward them) should be set to ensure network security. This SOP ensures that fragmented packets are appropriately handled in your VPC by either dropping or forwarding them.
Rationale:
Security: Fragmented packets are often used by attackers to bypass security controls, as they can evade detection or filtering mechanisms. Ensuring that fragmented packets are either dropped or forwarded to controlled systems can help mitigate potential vulnerabilities, such as attacks that rely on fragmenting malicious packets.
Network Control: Proper handling of fragmented packets prevents the unintentional forwarding of incomplete data, maintaining the integrity of network traffic.
Compliance: Some compliance frameworks, like SOC 2 or PCI-DSS, require strict network filtering and monitoring to reduce exposure to fragmented packet vulnerabilities.
Impact:
Pros:
Improved Network Security: Prevents malicious actors from exploiting fragmented packets to bypass security mechanisms.
Consistency in Network Traffic: Ensures that fragmented packets are treated consistently and according to best practices.
Compliance: Aligns with regulatory requirements to maintain strong network security and monitoring.
Cons:
Potential for Overblocking: Dropping fragmented packets may inadvertently block legitimate traffic that is fragmented.
Operational Complexity: Requires careful configuration of firewalls and security groups to avoid false positives while ensuring security.
Default Value:
By default, some AWS services (such as VPC security groups) may allow fragmented packets, depending on the network configuration. You must configure firewalls or security group settings to explicitly drop or forward fragmented packets to ensure proper traffic management.
Pre-requisite:
AWS IAM Permissions:
network-firewall:ListFirewallPolicies
network-firewall:DescribeFirewallPolicy
network-firewall:UpdateFirewallPolicy
ec2:DescribeSecurityGroups
ec2:DescribeNetworkInterfaces
ec2:ModifySecurityGroupRules
AWS CLI installed and configured.
AWS Network Firewall is deployed in the VPC with a firewall policy attached.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC under Services.
In the VPC Dashboard, go to Network Firewalls or Security Groups.
Select the firewall or security group you want to review.
Check if the firewall or security group default action for fragmented packets is set to drop or forward.
Fragmented packets are typically dropped by default for security reasons.
If the default action is not set to drop or forward, proceed to configure it as described in the Implementation Steps below.
Using AWS CLI:
The fragment default action is a property of the Network Firewall policy (there is no aws ec2 describe-network-firewalls command). To list the policies and show a policy's stateless default actions for full and fragmented packets, run:
aws network-firewall list-firewall-policies --query 'FirewallPolicies[*].Name' --output text
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'FirewallPolicy.{FullPackets:StatelessDefaultActions,FragmentedPackets:StatelessFragmentDefaultActions}'
Security groups have no fragment-specific setting, and describe-security-groups returns no FragmentedPacketsAction field. To review a group's inbound and outbound rules as part of this check, run:
aws ec2 describe-security-groups --group-ids <group-id> --query 'SecurityGroups[*].{GroupName:GroupName,GroupId:GroupId,Inbound:IpPermissions,Outbound:IpPermissionsEgress}'
Review the output and confirm that StatelessFragmentDefaultActions is aws:drop or aws:forward_to_sfe rather than aws:pass (which lets fragments through without inspection).
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to VPC or Network Firewalls.
Select the Network Firewall or Security Group that you want to configure.
In the Firewall details, navigate to the Traffic Filtering Rules section and configure the action for fragmented packets to Drop or Forward as per the policy.
For Security Groups:
Under the Inbound or Outbound rules, ensure that fragmented packets are either explicitly dropped or forwarded as needed.
Save the changes to apply the configuration.
Using AWS CLI:
To configure the Network Firewall policy to drop or forward fragmented packets, first export the current policy and its update token (update-firewall-policy replaces the whole policy, so the rest of it must be carried over unchanged):
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'FirewallPolicy' > policy.json
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'UpdateToken' --output text
In policy.json, set "StatelessFragmentDefaultActions" to ["aws:drop"] (or ["aws:forward_to_sfe"] to forward fragments to stateful inspection), then apply it with the token printed by the previous command:
aws network-firewall update-firewall-policy --firewall-policy-name <POLICY_NAME> --update-token <UPDATE_TOKEN> --firewall-policy file://policy.json
For Security Groups: security groups are allow-only and have no fragment-specific action, and there is no aws ec2 update-security-group-rule command. Review the group's inbound and outbound rules with aws ec2 describe-security-groups and, if a rule must change, use aws ec2 modify-security-group-rules; the handling of fragmented packets itself is set in the Network Firewall policy above.
To verify the configuration, run:
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'FirewallPolicy.StatelessFragmentDefaultActions'
Backout Plan:
Using AWS Console:
If setting the default action for fragmented packets causes issues, sign in to the AWS Management Console.
Navigate to AWS Network Firewall > Firewall Policies.
Select the Firewall Policy and go to the Fragmented Packet Handling section.
Revert the Default Action from Drop or Forward to the previous configuration, if necessary.
Save the changes and verify that the default action is restored.
Using AWS CLI:
To revert the default action for fragmented packets, export the current policy and a fresh update token (the token changes after every update), set "StatelessFragmentDefaultActions" in policy.json back to ["<PREVIOUS_ACTION>"], and apply it:
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'FirewallPolicy' > policy.json
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'UpdateToken' --output text
aws network-firewall update-firewall-policy --firewall-policy-name <POLICY_NAME> --update-token <UPDATE_TOKEN> --firewall-policy file://policy.json
Verify that the default action has been reverted:
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'FirewallPolicy.StatelessFragmentDefaultActions'
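As an added example (not part of this SOP or of any AWS tool), the following Python evaluates the JSON that aws network-firewall describe-firewall-policy prints and builds the token and policy body that update-firewall-policy needs, covering the Test Plan check, the Implementation change and the Backout revert above. The sample response, its policy name, ARN and update token are constructed placeholders; the field names and the aws:pass, aws:drop and aws:forward_to_sfe values are the real Network Firewall ones.

```python
import copy
import json

# Standard stateless actions Network Firewall accepts for non-matching fragments.
COMPLIANT = {"aws:drop", "aws:forward_to_sfe"}  # what this SOP requires
PASS = "aws:pass"                                # fragments leave uninspected

# Constructed sample of `aws network-firewall describe-firewall-policy` output;
# the name, ARN and token are placeholders, not real resources.
SAMPLE_RESPONSE = json.loads("""{
  "UpdateToken": "placeholder-update-token",
  "FirewallPolicyResponse": {
    "FirewallPolicyName": "example-policy",
    "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example-policy"
  },
  "FirewallPolicy": {
    "StatelessRuleGroupReferences": [],
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:pass"],
    "StatefulRuleGroupReferences": []
  }
}""")

def fragment_default(response):
    """Current StatelessFragmentDefaultActions (first entry is the standard action)."""
    return response["FirewallPolicy"].get("StatelessFragmentDefaultActions", [])

def is_compliant(response):
    """True when non-matching UDP fragments are dropped or sent to the stateful
    engine; False for aws:pass or a policy with no fragment default at all."""
    actions = fragment_default(response)
    return bool(actions) and actions[0] in COMPLIANT

def build_update(response, action):
    """Return (update_token, firewall_policy) for update-firewall-policy.
    The API replaces the whole policy, so every other field is carried over;
    the same call with the previous action is the backout."""
    if action not in COMPLIANT | {PASS}:
        raise ValueError(f"not a standard stateless action: {action}")
    policy = copy.deepcopy(response["FirewallPolicy"])
    policy["StatelessFragmentDefaultActions"] = [action]
    return response["UpdateToken"], policy

if __name__ == "__main__":
    previous = fragment_default(SAMPLE_RESPONSE)       # record for the backout
    print("compliant before:", is_compliant(SAMPLE_RESPONSE))
    token, policy = build_update(SAMPLE_RESPONSE, "aws:drop")
    print("pass to update-firewall-policy:", token, policy["StatelessFragmentDefaultActions"])
    print("backout would restore:", previous)
```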