The Cisco ASA must be configured to block traffic from IP addresses that have a known bad reputation based on the latest reputation intelligence.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239887	CASA-IP-000270	SV-239887r665974_rule		Medium

Description
Configuring the network element to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network. Malicious code includes, but is not limited to, viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. Malicious code may also be able to run and attach programs, which may allow the unauthorized distribution of malicious mobile code. Sometimes it is necessary to generate a log event and then automatically delete the malicious code; however, for critical attacks or where forensic evidence is deemed necessary, the preferred action is for the file to be quarantined for further investigation. This requirement is limited to network elements that perform security functions, such as ALG and IDPS.

Description

Configuring the network element to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network. Malicious code includes, but is not limited to, viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. Malicious code may also be able to run and attach programs, which may allow the unauthorized distribution of malicious mobile code. Sometimes it is necessary to generate a log event and then automatically delete the malicious code; however, for critical attacks or where forensic evidence is deemed necessary, the preferred action is for the file to be quarantined for further investigation. This requirement is limited to network elements that perform security functions, such as ALG and IDPS.

STIG	Date
Cisco ASA IPS Security Technical Implementation Guide	2021-03-15

Details

Check Text ( C-43120r665972_chk )
Step 1: Navigate to Configuration >> ASA FirePOWER Configuration >> Object Management. Step 2: Click the Security Intelligence tab. Step 3: Next to the Intelligence Feed, click the edit icon. Step 4: Verify that a frequency has been selected and not disabled. Note: The Security Intelligence block listing feature is the easiest method to maintain a blacklist. Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. The Intelligence Feed, which tracks IP addresses representing security threats such as malware, spam, botnets, and phishing. Because the Intelligence Feed is regularly updated, using it ensures that the system uses up-to-date information to filter malicious network traffic. If the ASA is not configured to block traffic from IP addresses that have a known bad reputation based on the latest reputation intelligence, this is a finding.

Check Text ( C-43120r665972_chk )

Step 1: Navigate to Configuration >> ASA FirePOWER Configuration >> Object Management.

Step 2: Click the Security Intelligence tab.

Step 3: Next to the Intelligence Feed, click the edit icon.

Step 4: Verify that a frequency has been selected and not disabled.

Note: The Security Intelligence block listing feature is the easiest method to maintain a blacklist. Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. The Intelligence Feed, which tracks IP addresses representing security threats such as malware, spam, botnets, and phishing. Because the Intelligence Feed is regularly updated, using it ensures that the system uses up-to-date information to filter malicious network traffic.

If the ASA is not configured to block traffic from IP addresses that have a known bad reputation based on the latest reputation intelligence, this is a finding.

Fix Text (F-43079r665973_fix)
Step 1: Navigate to Configuration >> ASA FirePOWER Configuration >> Object Management. Step 2: Click the Security Intelligence tab. Step 3: Next to the Intelligence Feed, click the edit icon. Step 4: Edit the Update Frequency. Choose various intervals from two hours to one week. The user can also disable feed updates. Step 5: Click Store ASA FirePOWER Changes.