
The firewall implementation must prevent log processing failures by rejecting or delaying network traffic generated above configurable traffic volume thresholds as defined by the organization.


Overview

Finding ID: SRG-NET-999999-FW-000187
Version: SRG-NET-999999-FW-000187
Rule ID: SRG-NET-999999-FW-000187_rule
IA Controls: (none listed)
Severity: Medium

Description
If the firewall implementation becomes unable to write events to the application events log, a critical resource needed for event analysis would be lost. One method of exploiting this vulnerability is for an attacker to cause an auditable event to occur in rapid succession in an attempt to overwhelm the log capacity. The firewall implementation must provide methods for preventing log processing failures, such as traffic congestion and threshold management mechanisms. The firewall implementation must have the capability to reject or delay network traffic based on configured threshold levels to prevent overwhelming the application log processing capability.

STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-999999-FW-000187_chk)
Verify there is a rule which monitors for traffic volume thresholds.
Verify there is a rule for dropping traffic that exceeds these thresholds.
Examine the traffic priority screens to see if this feature is used by the organization.

If the firewall implementation does not reject or delay network traffic based on normal volume thresholds, this is a finding.
Fix Text (F-SRG-NET-999999-FW-000187_fix)
Configure the firewall implementation to monitor for traffic volume patterns that exceed the norm for the network.
Configure the firewall implementation to notify, alert, drop or delay suspect traffic based on excessive volume.
Configure the network with organizationally defined traffic priorities.
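
One way to automate the first two Check Text items, shown as an added example that is not part of the SRG. It assumes a Linux iptables firewall (the SRG itself is vendor-neutral); the ruleset is a constructed iptables-save style excerpt and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save style excerpt (sample input, not from the SRG).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-above 50/sec --hashlimit-burst 100 --hashlimit-mode srcip --hashlimit-name synrate -j DROP
-A INPUT -p icmp -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT
"""

# Options of the limit/hashlimit matches that carry the rate threshold.
RATE_OPTS = {"--limit", "--hashlimit", "--hashlimit-upto", "--hashlimit-above"}
REJECTING = {"DROP", "REJECT"}

def parse_rules(text):
    """Yield (chain, tokens) for every '-A <chain> ...' line."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == "-A":
            yield tok[1], tok[2:]

def target(tok):
    """Return the jump target of a rule, or None if it has none."""
    return tok[tok.index("-j") + 1] if "-j" in tok[:-1] else None

def audit(text):
    """Report threshold rules and whether excess traffic is dropped."""
    rules = list(parse_rules(text))
    thresholds, enforced = [], []
    for i, (chain, tok) in enumerate(rules):
        opt = next((t for t in tok if t in RATE_OPTS), None)
        if opt is None:
            continue
        rate = tok[tok.index(opt) + 1]
        thresholds.append((chain, rate))
        if opt == "--hashlimit-above" and target(tok) in REJECTING:
            enforced.append((chain, rate))  # over-threshold packets hit DROP directly
        elif target(tok) == "ACCEPT" and any(
            c == chain and target(t) in REJECTING for c, t in rules[i + 1:]
        ):
            # Heuristic: a later DROP/REJECT in the same chain catches the excess;
            # it does not prove the later rule matches the same traffic.
            enforced.append((chain, rate))
    return {"threshold_rules": thresholds, "drop_rules": enforced,
            "finding": not (thresholds and enforced)}
```

A result with "finding" set to True corresponds to the finding condition in the Check Text; the traffic priority item still needs manual review.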