
The IPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers.


Overview

Finding ID: SRG-NET-000256-IDPS-000238
Version: SRG-NET-000256-IDPS-000238
Rule ID: SRG-NET-000256-IDPS-000238_rule
IA Controls:
Severity: Medium
Description
Monitoring outbound traffic enables the network operator to detect an attack against another network that is launched from the local enclave. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. The IPS must be configured to drop inbound and outbound TCP and UDP packets with the following port numbers: 67, 68, 546, 547, 647, 847, and 2490. This requirement applies only if DHCPv6 is not used.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43410_chk)
Applies to networks where DHCPv6 is not used.

Verify a sensor signature exists to monitor inbound and outbound TCP and UDP traffic for prohibited port numbers (e.g., 67, 68, 546, 547, 647, 847, and 2490). Verify the IPS or another system takes action to drop the prohibited packets.

If the IDPS is not configured to detect and drop inbound and outbound TCP and UDP packets using prohibited ports, this is a finding.
Fix Text (F-43410_fix)
Applies to networks where DHCPv6 is not used.
Create or install a signature or rule to monitor for any inconsistencies in the advertised "M or O bit values" of router advertisements on a link.
Create or install a signature or rule to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.
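The port check above, as an added reference implementation that is not part of the SRG and not tied to any particular IPS product: it classifies each TCP/UDP packet as inbound or outbound relative to an assumed enclave address space (the 10.10.0.0/16 and 2001:db8:10::/48 prefixes and the sample packets are constructed for this example) and returns a drop verdict when either port is one of the listed DHCP ports. Traffic that stays inside the enclave is outside the inbound/outbound scope of this check and is passed through.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Port numbers the SRG lists as associated with DHCP (TCP and UDP alike).
PROHIBITED_PORTS = frozenset({67, 68, 546, 547, 647, 847, 2490})

# Assumed enclave address space (constructed for this example).
ENCLAVE = [ip_network("10.10.0.0/16"), ip_network("2001:db8:10::/48")]


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"; other protocols are outside the requirement
    src: str
    sport: int
    dst: str
    dport: int


def direction(pkt: Packet) -> str:
    """Classify a packet relative to the enclave boundary the IPS sits on."""
    src_in = any(ip_address(pkt.src) in net for net in ENCLAVE)
    dst_in = any(ip_address(pkt.dst) in net for net in ENCLAVE)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"


def verdict(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason): drop TCP/UDP crossing the boundary in either
    direction with a prohibited source or destination port; pass the rest."""
    if pkt.proto not in ("tcp", "udp"):
        return "pass", "not TCP/UDP"
    hit = {pkt.sport, pkt.dport} & PROHIBITED_PORTS
    if not hit:
        return "pass", "no prohibited port"
    way = direction(pkt)
    if way in ("inbound", "outbound"):
        return "drop", f"{way} {pkt.proto} on prohibited port {min(hit)}"
    return "pass", f"{way} traffic is outside the inbound/outbound scope"


def audit(packets: list[Packet]) -> list[str]:
    """Evaluate a batch and return one log line per dropped packet."""
    lines = []
    for p in packets:
        action, reason = verdict(p)
        if action == "drop":
            lines.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
    return lines
```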