The perimeter firewall must be configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of denial-of-service (DoS) attacks on the network.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-79467	SRG-NET-000362-FW-000159	SV-94173r1_rule		Medium

Description
As a critical security system, perimeter firewalls must be safeguarded with redundancy measures. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Service redundancy techniques reduce the susceptibility of the firewall to many DoS attacks. A firewall experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. Though redundant hardware is the primary means of compliance, there are a number of ways to meet this requirement. The firewall can also be configured for filter-based forwarding, per-flow load balancing, and/or per-packet load balancing.

Description

As a critical security system, perimeter firewalls must be safeguarded with redundancy measures. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Service redundancy techniques reduce the susceptibility of the firewall to many DoS attacks. A firewall experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. Though redundant hardware is the primary means of compliance, there are a number of ways to meet this requirement. The firewall can also be configured for filter-based forwarding, per-flow load balancing, and/or per-packet load balancing.

STIG	Date
Firewall Security Requirements Guide	2018-03-21

Details

Check Text ( C-79083r1_chk )
Since Service redundancy and load balancing can be a highly complex configuration that can be implemented using a wide variety of configurations, ask the site representative to demonstrate the method used and the configuration. If the perimeter firewall is not configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of DoS attacks on the network, this is a finding.

Check Text ( C-79083r1_chk )

Since Service redundancy and load balancing can be a highly complex configuration that can be implemented using a wide variety of configurations, ask the site representative to demonstrate the method used and the configuration.

If the perimeter firewall is not configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of DoS attacks on the network, this is a finding.

Fix Text (F-86239r1_fix)
Consult vendor configuration guides and knowledge base. Implement one or more methods of service redundancy and/or load balancing (e.g., filter-based forwarding, per-flow load balancing, per-packet load balancing, or hardware redundancy options). The implementation must be tested prior to placing into production.