The IDPS must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000189-IDPS-000199 | SRG-NET-000189-IDPS-000199 | SRG-NET-000189-IDPS-000199_rule | Medium |
| Description |
|---|
| The IDPS must be designed and configured to implement security functions as a layered structure. An isolation boundary, using separate partitions and domains, must be used to minimize interactions between layers of the design. The lower layers of the design should not depend upon the upper layers. If one layer experiences an error in functionality or security, this should not impact the function of the remaining layers. This layered design minimizes the risk of leakage or corruption of privileged information. This control is normally a function of the IDPS application design and is usually not a configurable setting; however, in some applications, there may be settings that must be configured to optimize function isolation. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43352_chk ) |
|---|
| Verify the application is designed to separate security functions from non-security functions (i.e., separate address space) for executing process. If the vendor application design documentation indicates there is no boundary separation between security functions, this is a finding. |
| Fix Text (F-43352_fix) |
|---|
| Enable settings that implement security functions as a layered structure minimizing interactions between layers of the design. |