The perimeter firewall must be configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of denial-of-service (DoS) attacks on the network.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-79467 | SRG-NET-000362-FW-000159 | SV-94173r1_rule | Medium |
| Description |
|---|
| As a critical security system, perimeter firewalls must be safeguarded with redundancy measures. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Service redundancy techniques reduce the susceptibility of the firewall to many DoS attacks. A firewall experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. Though redundant hardware is the primary means of compliance, there are a number of ways to meet this requirement. The firewall can also be configured for filter-based forwarding, per-flow load balancing, and/or per-packet load balancing. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2018-12-24 |
Details
| Check Text ( None ) |
|---|
| None |
| Fix Text (None) |
|---|
| None |