Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239860 | CASA-FW-000150 | SV-239860r991796_rule | Medium |
| Description |
|---|
| A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity. |
| STIG | Date |
|---|---|
| Cisco ASA Firewall Security Technical Implementation Guide | 2024-06-06 |
Details
| Check Text ( C-43093r863228_chk ) |
|---|
| NOTE: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled, and this check is Not Applicable. Review the ASA configuration to determine if threat detection has been enabled. threat-detection basic-threat If the ASA has not been configured to enable threat detection to mitigate risks of DoS attacks, this is a finding. |
| Fix Text (F-43052r665865_fix) |
|---|
| Configure threat detection as shown in the example below. ASA(config)# threat-detection basic-threat |