Denial of Service (DoS) is a condition in which a resource is not available to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. DoS attacks take multiple forms but share the objective of overloading or blocking a network or host to deny or seriously degrade its performance, rendering it useless. These attacks can be simple “floods” of traffic that saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or misconfigurations that disable or impair the proper function of a device.
It is important to protect the management plane and the control plane of the firewall implementation itself. When a DoS attack is directed against the firewall implementation (or any other network element), the device operates at degraded capacity, cannot process legitimate traffic, and may not respond to management commands.
A firewall or other device implementing an Access Control List must be configured to protect itself from DoS attacks (e.g., embryonic-connection or half-open attacks). Various techniques exist, such as rate limiting or filtering excessive traffic; the appropriate protective measure depends on the specific attack. Traffic to the loopback or management IP address or management zone of the device must be filtered, policed, and/or otherwise limited.
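As an added illustration (not part of the original guidance or any vendor's implementation), the following Python simulation models the three controls this paragraph names for traffic aimed at the device's own management address: admitting only the management zone, capping embryonic (half-open) connections per source, and policing the remaining traffic with a token bucket. The management zone, management address, limits and sample packet events are all constructed.

```python
# Added example (not the original guidance): simulates three controls for traffic
# to a firewall's own management address. Addresses, limits, events are constructed.
import ipaddress

MGMT_ZONE = ipaddress.ip_network("10.0.0.0/24")  # hypothetical management zone
MGMT_IP = "10.0.0.1"                             # hypothetical management address
HALF_OPEN_LIMIT = 3    # embryonic (half-open) connections tolerated per source
RATE_PER_SEC = 5.0     # token-bucket refill rate for traffic to MGMT_IP
BUCKET_SIZE = 5.0      # burst allowance

class ManagementPlaneGuard:
    def __init__(self):
        self.half_open = {}  # src -> SYNs with no completed handshake
        self.tokens = BUCKET_SIZE
        self.last_ts = 0.0

    def decide(self, ts, src, dst, flag):
        """Return 'accept' or a drop reason; flag is 'SYN', 'ACK' or 'DATA'."""
        if dst != MGMT_IP:
            return "accept"  # transit traffic is handled by the normal rule base
        if ipaddress.ip_address(src) not in MGMT_ZONE:
            return "drop:outside-mgmt-zone"  # filter: only the management zone
        # police: refill the bucket for elapsed time, then spend one token per packet
        self.tokens = min(BUCKET_SIZE, self.tokens + (ts - self.last_ts) * RATE_PER_SEC)
        self.last_ts = ts
        if self.tokens < 1:
            return "drop:rate-limited"
        if flag == "SYN":
            if self.half_open.get(src, 0) >= HALF_OPEN_LIMIT:
                return "drop:half-open-limit"  # cap embryonic connections per source
            self.half_open[src] = self.half_open.get(src, 0) + 1  # real devices also age these out
        elif flag == "ACK":
            self.half_open[src] = max(0, self.half_open.get(src, 0) - 1)
        self.tokens -= 1
        return "accept"

def run(events):
    """Apply the guard to (ts, src, dst, flag) tuples in time order."""
    guard = ManagementPlaneGuard()
    return [guard.decide(*e) for e in events]

SAMPLE_EVENTS = [  # constructed packet events aimed at the management address
    (0.0, "10.0.0.50", "10.0.0.1", "SYN"),
    (0.1, "10.0.0.50", "10.0.0.1", "ACK"),
    (0.2, "192.0.2.7", "10.0.0.1", "SYN"),  # outside the management zone
] + [(0.3 + 0.1 * i, "10.0.0.60", "10.0.0.1", "SYN") for i in range(4)]  # 4th exceeds the cap
SAMPLE_EVENTS += [(0.7, "10.0.0.50", "10.0.0.1", "DATA")] * 4  # burst larger than the bucket

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(event, verdict)
```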
Whenever possible, access to the device's console port through an Out-of-Band (OOB) network should be implemented. This provides “last resort” remote access to the device.