
IDS/IPS Security Technical Implementation Guide


Overview

Date: 2013-10-08
Finding Count: 41 (CAT I (High): 7, CAT II (Med): 30, CAT III (Low): 4)
STIG Description: IDS/IPS Security Technical Implementation Guide

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-4582 High The network device must require authentication for console access.
V-3056 High Group accounts must not be configured for use on the network device.
V-3012 High The network element must be password protected.
V-3143 High The network element must not have any default manufacturer passwords.
V-3210 High The network element must not use the default or well-known SNMP community strings public and private.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-3196 High The network element must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-14671 Medium The network element must authenticate all NTP messages received from NTP servers and peers.
V-14717 Medium The network element must not allow SSH Version 1 to be used for administrative access.
V-19246 Medium The Network IDPS administrator will ensure the IDPS is protecting the enclave from malware and unexpected traffic by using TCP Reset signatures.
V-18512 Medium The Network IDPS administrator will tune the sensor to alarm if unexpected protocols for network management enter the subnet.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-18513 Medium The Network IDPS administrator will ensure IP hijacking signatures have been implemented with the common default signatures.
V-3160 Medium The network element must be running a current and supported operating system with all IAVMs addressed.
V-3013 Medium The network element must display the DoD approved login banner warning in accordance with the CYBERCOM DTM-08-060 document.
V-18632 Medium The IAO/NSO will ensure that, if DHCPv6 is not being used in the enclave, it is disabled.
V-3014 Medium The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-5611 Medium The network element must only allow management connections for administrative access from hosts residing in the management network.
V-3967 Medium The network element must time out access to the console port after 10 minutes or less of inactivity.
V-19233 Medium The IDPS device positioned to protect servers in the server farm or DMZs must provide protection from DoS SYN Flood attacks by dropping half open TCP sessions.
V-17821 Medium The network element’s OOBM interface must be configured with an OOBM network address.
V-5646 Medium The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
V-18489 Medium The Network IDPS administrator will ensure all Network IDPS systems are installed and operational in stealth mode (no IP address on the interface with data flow).
V-19250 Medium The IDPS administrator will ensure LAND DoS signature has been implemented to protect the enclave.
V-18484 Medium IDPS consoles, management and database servers must reside on the management network.
V-19256 Medium The IDPS Administrator will ensure Atomic Signatures are implemented to protect the enclave.
V-3176 Medium The IAO/NSO will ensure the IDS or firewall is configured to alert the administrator of a potential attack or system failure.
V-5613 Medium The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
V-5612 Medium The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-18508 Medium The Network administrator will implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.
V-18509 Medium The Network administrator will implement signatures that detect both specific attacks on public service servers and traffic types (protocols) that should not be seen on the segments containing ftp servers.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-18502 Medium The Network IDPS administrator will review whitelists and blacklists regularly and validate all entries to ensure that they are still accurate and necessary.
V-3179 Medium The IAO/NSO will ensure the sensor’s monitoring application or mechanism retrieves events from the sensor before the queue becomes full.
V-18501 Medium The IAO/NSO will ensure notifications are sent to the syslog server or central controller when threshold limits exceed the sensor’s capacity.
V-23747 Low The network element must use two or more NTP servers to synchronize time.
V-7011 Low The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-14646 Low Alerts must be automatically generated to notify the administrator when log storage reaches seventy-five percent or more of its maximum capacity.
V-3070 Low The network element must log all attempts to establish a management connection for administrative access.