
The IDPS must enforce configurable traffic volume thresholds representing logging capacity for network traffic to be logged.


Overview

Finding ID: SRG-NET-000086-IDPS-000090
Version: SRG-NET-000086-IDPS-000090
Rule ID: SRG-NET-000086-IDPS-000090_rule
IA Controls: (none listed)
Severity: Medium
Description
Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. Many DoS attacks target the network core by attempting to saturate link capacity and exhausting router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium services, it not only forces priority traffic, such as voice, to compete for service, but it also robs critical network management traffic of the service it requires to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked. It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43218_chk)
Inspect the IDPS sensor configuration for log capacity.
Verify that logging capacity thresholds are configured for both the sensor logs and the management console logs.
Ask the site representative how the thresholds were derived.

If storage thresholds are not configured for each sensor, this is a finding. If the thresholds are not based on logging capacity and traffic volume data, this is a finding.
Fix Text (F-43218_fix)
Configure storage thresholds for the logs on each IDPS sensor.
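As an added, constructed example that is not part of the SRG: a small Python audit helper that encodes the two finding conditions of the check (no threshold configured; threshold not derived from logging capacity and traffic volume data) against an inventory of sensors. The sensor inventory, the 72-hour retention period, the 80% capacity headroom and the 10% tolerance are all assumptions made here for illustration.

```python
"""Audit helper for SRG-NET-000086-IDPS-000090 (constructed example, not SRG code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Sensor:
    name: str
    log_capacity_bytes: int                     # storage available for logs on the sensor
    avg_events_per_sec: float                   # from the site's traffic volume data
    avg_event_size_bytes: int                   # from the site's traffic volume data
    configured_threshold_bytes: Optional[int]   # None means no threshold is configured


RETENTION_HOURS = 72     # assumed local retention requirement
HEADROOM = 0.8           # assumed: alert/roll over before the log store is full
TOLERANCE = 0.10         # assumed: how far a configured value may drift from the derivation


def derived_threshold(sensor: Sensor, retention_hours: int = RETENTION_HOURS) -> int:
    """Threshold derived from traffic volume (bytes needed to hold retention_hours of
    logging) and capped by logging capacity so the sensor never fills its log store."""
    needed = sensor.avg_events_per_sec * sensor.avg_event_size_bytes * retention_hours * 3600
    return int(min(needed, sensor.log_capacity_bytes * HEADROOM))


def evaluate(sensor: Sensor, retention_hours: int = RETENTION_HOURS) -> list:
    """Return the findings for one sensor; an empty list means the sensor passes."""
    findings = []
    if sensor.configured_threshold_bytes is None:
        return [f"{sensor.name}: no storage threshold configured"]
    if sensor.configured_threshold_bytes > sensor.log_capacity_bytes:
        findings.append(f"{sensor.name}: threshold exceeds log capacity")
    expected = derived_threshold(sensor, retention_hours)
    if abs(sensor.configured_threshold_bytes - expected) > TOLERANCE * expected:
        findings.append(f"{sensor.name}: threshold {sensor.configured_threshold_bytes} is not "
                        f"consistent with capacity/traffic-volume derivation ({expected})")
    return findings


def audit(sensors, retention_hours: int = RETENTION_HOURS) -> dict:
    """Map each sensor name to its list of findings."""
    return {s.name: evaluate(s, retention_hours) for s in sensors}


# Constructed inventory: one compliant sensor, one unconfigured, one mis-sized.
SENSORS = [
    Sensor("sensor-a", 100_000_000_000, 500.0, 400, 52_000_000_000),
    Sensor("sensor-b", 100_000_000_000, 500.0, 400, None),
    Sensor("sensor-c", 20_000_000_000, 2000.0, 500, 30_000_000_000),
]

if __name__ == "__main__":
    for name, findings in audit(SENSORS).items():
        print(name, "PASS" if not findings else findings)
```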