UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The perimeter firewall must be configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of denial-of-service (DoS) attacks on the network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-79467 SRG-NET-000362-FW-000159 SV-94173r1_rule Medium
Description
As a critical security system, perimeter firewalls must be safeguarded with redundancy measures. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Service redundancy techniques reduce the susceptibility of the firewall to many DoS attacks. A firewall experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. Though redundant hardware is the primary means of compliance, there are a number of ways to meet this requirement. The firewall can also be configured for filter-based forwarding, per-flow load balancing, and/or per-packet load balancing.
STIG Date
Firewall Security Requirements Guide 2018-09-13

Details

Check Text ( C-79083r1_chk )
Since Service redundancy and load balancing can be a highly complex configuration that can be implemented using a wide variety of configurations, ask the site representative to demonstrate the method used and the configuration.

If the perimeter firewall is not configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of DoS attacks on the network, this is a finding.
Fix Text (F-86239r1_fix)
Consult vendor configuration guides and knowledge base. Implement one or more methods of service redundancy and/or load balancing (e.g., filter-based forwarding, per-flow load balancing, per-packet load balancing, or hardware redundancy options).

The implementation must be tested prior to placing into production.