
The Network administrator will implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.


Overview

Finding ID: V-18508
Version: NET-IDPS-006
Rule ID: SV-20043r1_rule
IA Controls: none listed
Severity: Medium
Description
In the Regional Enterprise Enclave, different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for each set of sensors, each profile can then be tuned to generate alarms based on the traffic types seen, the attack signatures, and the specific traffic (string signatures) that is relevant to that particular set of sensors. If more than one set of sensors will see the same traffic types, then the same signature profile may be used for both sets. Alerting on specific connection signatures, general attack signatures, and specific string signatures provides focused segment analysis at Layers 4 through 7.

The IDPS system administrator will ensure the sensor monitoring the web servers is configured for application inspection and control of all web ports, e.g. 80, 3128, 8000, 8010, 8080, 8888, 24326, etc. The sensor monitoring the web servers should be capable of inspecting web traffic that is not received on web ports, known as port redirection. In many implementations this is a separate signature that needs to be enabled.

STIG: IDS/IPS Security Technical Implementation Guide
Date: 2013-10-08

Details

Check Text (C-21209r1_chk)
Have the IDPS SA display the configuration settings. Verify that all HTTP ports are defined, and have the SA identify the signatures that will review applications using port redirection.

Review and tune as necessary the signatures that are specific to vulnerabilities in Web servers.
Fix Text (F-19099r1_fix)
Configure the IDPS to protect the Web components.
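
The check described above, sketched as an added example (not part of the STIG or of any IDPS product): it compares a sensor profile's HTTP port list with the web ports named in the description and flags HTTP requests that arrive on ports outside that list, i.e. port redirection. The sensor port list, flow records and addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Web ports named in the finding's description; the page's "etc." means a
# site's own list may be longer.
WEB_PORTS = {80, 3128, 8000, 8010, 8080, 8888, 24326}

# First line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r?\n"
)


def missing_web_ports(configured):
    """Ports from the finding that the sensor profile does not treat as HTTP."""
    return sorted(WEB_PORTS - set(configured))


def is_http_request(payload: bytes) -> bool:
    """Recognise HTTP by content, independent of the destination port."""
    return REQUEST_LINE.match(payload) is not None


def redirected_http(flows, configured):
    """Flows that carry HTTP to a port outside the profile's HTTP port list."""
    ports = set(configured)
    return [f for f in flows
            if f["dport"] not in ports and is_http_request(f["payload"])]


# Constructed sample: an incomplete sensor port list and four flows to a web
# server in the documentation address range (192.0.2.0/24).
SENSOR_HTTP_PORTS = [80, 8000, 8080, 8888]
FLOWS = [
    {"dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"dst": "192.0.2.10", "dport": 5000,
     "payload": b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"dst": "192.0.2.10", "dport": 3128,
     "payload": b"GET http://www.example.test/ HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    print("HTTP ports missing from profile:", missing_web_ports(SENSOR_HTTP_PORTS))
    for flow in redirected_http(FLOWS, SENSOR_HTTP_PORTS):
        print("HTTP on non-web port:", flow["dst"], flow["dport"])
```

With the incomplete list, the port 3128 flow is reported alongside the port 5000 flow, which shows why the port list has to be verified before the port-redirection signature's alerts can be interpreted.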