The IDPS must be installed in stealth mode without an IP address on the interface with data flow.


Overview

Finding ID: SRG-NET-000258-IDPS-000240
Version: SRG-NET-000258-IDPS-000240
Rule ID: SRG-NET-000258-IDPS-000240_rule
IA Controls: (none listed)
Severity: Medium
Description
Both passive and inline sensors must be installed in stealth mode, meaning no IP address is assigned to the network interfaces used to monitor network traffic; only the network interfaces used for IDPS management have an IP address assigned. Stealth mode improves the security of the IDPS sensors because it prevents other hosts from initiating connections to them, which conceals the sensors from attackers and limits their exposure to attack. If monitoring is performed using a switch SPAN port, the sensors must be configured in stealth mode and the Network Interface Card (NIC) must be connected to the SPAN port with no network protocol stacks bound to it; a second NIC must then be connected to an out-of-band (OOB) management network. Stealth mode reduces the risk of the IDPS itself being attacked.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43412_chk)
Review the configuration and ensure the interfaces with data flow do not have an IP address.

If the sensors are not installed in stealth mode, this is a finding.
Fix Text (F-43412_fix)
Remove the IP addresses from all interfaces monitoring data flow.
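One way to automate the check above on a Linux-based sensor, as an added example that is not part of the SRG text: the script walks `ip -o addr show` output and reports any address bound to a monitoring interface. The interface names (eth0 as management, eth1 and eth2 as data-flow interfaces) and the sample address listing are constructed assumptions.

```sh
#!/bin/sh
# Audit IDPS monitoring (data-flow) interfaces for assigned IP addresses.
# Input: lines as printed by `ip -o addr show` (field 2 = interface name,
# field 3 = inet/inet6, field 4 = address/prefix; later fields are ignored).

# Interfaces carrying monitored traffic (assumed names). The management
# interface, eth0 here, is not listed: it is the one interface allowed an address.
MON_IFACES="eth1 eth2"

# Constructed, abridged `ip -o addr show` output used for the demonstration.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1
4: eth2    inet6 fe80::1/64 scope link'

# stealth_findings <monitoring ifaces> <addr output>
# Prints "iface family address" for each address on a monitoring interface.
# IPv6 link-local addresses are reported too: an auto-configured fe80::
# address shows a protocol stack is bound to the NIC, which the SRG forbids.
stealth_findings() {
    printf '%s\n' "$2" | while read -r idx iface family addr rest; do
        for m in $1; do
            # Exact comparison, so "eth1" never matches "eth10".
            if [ "$iface" = "$m" ]; then
                printf '%s %s %s\n' "$iface" "$family" "$addr"
            fi
        done
    done
    return 0
}

# stealth_check <monitoring ifaces> <addr output>
# Returns 0 when no monitoring interface has an address, 1 (a finding) otherwise.
stealth_check() {
    found=$(stealth_findings "$1" "$2")
    if [ -n "$found" ]; then
        printf 'FINDING: monitoring interfaces with IP addresses:\n%s\n' "$found"
        return 1
    fi
    printf 'PASS: no IP addresses on monitoring interfaces\n'
}

# Demonstration on the constructed sample; on a live sensor pass
# "$(ip -o addr show)" instead of "$SAMPLE_ADDRS".
if stealth_check "$MON_IFACES" "$SAMPLE_ADDRS"; then
    printf 'Result: compliant\n'
else
    printf 'Result: non-compliant; remove the listed addresses from those interfaces\n'
fi
```

The sample deliberately leaves eth1 and eth2 addressed so the script reports a finding; after the fix (removing those addresses) the same check passes.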