
The IAO/NSO will ensure notifications are sent to the syslog server or central controller when threshold limits exceed the sensor’s capacity.


Overview

Finding ID: V-18501
Version: NET-IDPS-004
Rule ID: SV-20036r1_rule
IA Controls: ECTP-1
Severity: Medium
Description
Before deployment, IDPS sensors should be scaled so that packets are not missed when CPU or memory thresholds are reached because the link throughput (Mbps) is greater than what the engine can inspect. The IDPS administrator will have the sensor send notifications to the syslog server or central controller when threshold limits are reached. As mentioned in the guidance for Server Farms, VACLs can also be a useful tool to help scale the traffic a sensor receives. The VACL capture feature mirrors traffic to ports configured to forward captured traffic. By defining the traffic of interest, for instance web traffic, a copy of only the HTTP traffic can be forwarded to the sensing interface, avoiding data overflow. Additional design options such as Remote Switch Port Analyzer (RSPAN) are available and should be considered by the network engineer.
STIG: IDS/IPS Security Technical Implementation Guide
Date: 2013-10-08

Details

Check Text (C-21186r1_chk)
Check the thresholds to ensure a message is sent when data overflow has occurred.
Fix Text (F-19092r1_fix)
Configure the device to send messages to indicate data overflow is occurring.
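
One way to implement the notification described in the Fix Text, as an added example that is not part of the STIG or any vendor's code: a watchdog that compares one polling sample from a sensor against its limits and emits RFC 5424 syslog messages. The threshold values, sample field names, the `idps-sensor` application name, the `THRESHOLD` message ID and the local4 facility are assumptions chosen for illustration.

```python
import socket
from datetime import datetime, timezone

# Assumed limits; real values come from the sensor's rated inspection capacity.
THRESHOLDS = {"link_mbps": 1000.0, "cpu_pct": 90.0, "mem_pct": 90.0}
FACILITY_LOCAL4 = 20
SEV_CRITICAL, SEV_WARNING = 2, 4


def evaluate(sample, prev_dropped):
    """Return (severity, text) findings for one polling interval."""
    findings = []
    # A negative delta means the counter was reset (sensor restart); ignore it.
    new_drops = sample["dropped_pkts"] - prev_dropped
    if new_drops > 0:
        # Packets were already missed: overflow is occurring, not just approaching.
        findings.append((SEV_CRITICAL,
                         f"data overflow: {new_drops} packets dropped uninspected"))
    for key, limit in THRESHOLDS.items():
        if sample[key] >= limit:
            findings.append((SEV_WARNING,
                             f"{key}={sample[key]:g} reached threshold {limit:g}"))
    return findings


def to_syslog(severity, text, host, when=None):
    """Format one RFC 5424 message; PRI = facility * 8 + severity."""
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    pri = FACILITY_LOCAL4 * 8 + severity
    ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    # Fields: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {host} idps-sensor - THRESHOLD - {text}"


def notify(sample, prev_dropped, host, server=None, when=None):
    """Build messages for a sample; send over UDP when server=(addr, port) is given."""
    msgs = [to_syslog(sev, txt, host, when)
            for sev, txt in evaluate(sample, prev_dropped)]
    if server:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for msg in msgs:
                sock.sendto(msg.encode("utf-8"), server)
    return msgs


if __name__ == "__main__":
    # Constructed sample: a sensor rated for 1 Gbps seeing 1.2 Gbps and dropping packets.
    sample = {"link_mbps": 1200.0, "cpu_pct": 97.0, "mem_pct": 61.0, "dropped_pkts": 5400}
    for line in notify(sample, prev_dropped=5000, host="sensor01"):
        print(line)
```

For the Check Text, the same constructed sample can be replayed against the syslog server or central controller to confirm that the overflow message actually arrives.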