The IDPS must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000256-IDPS-000237 | SRG-NET-000256-IDPS-000237 | SRG-NET-000256-IDPS-000237_rule | Medium |
| Description |
|---|
| IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. Both inbound and outbound traffic must be monitored. Placing a sensor behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. Without monitoring of both outbound and inbound traffic for anomalies, critical indicators of attacks may be missed until it is too late. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43409_chk ) |
|---|
| Review the IDS configuration (signatures and rules) to determine what events are defined for each interface (inbound and outbound). If signatures and rules have not been installed to monitor each enabled interface for anomalies, this is a finding. |
| Fix Text (F-43409_fix) |
|---|
| Download a vendor signature or create rules which examine network traffic on the inbound and outbound interfaces for anomalies. Define clipping levels/thresholds to provide a baseline. The rule must scan and alert on specific attacks identifying potential security violations or attacks. |