The IDPS must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34506 | SRG-NET-000037-IDPS-00035 | SV-45348r1_rule | Medium |
| Description |
|---|
| Incident related information can be obtained from a variety of sources including network monitoring. To reduce or eliminate the risk to the network, the IDPS must be configured to disable the network or monitored devices when an organizationally defined list of events is detected. Monitored devices may include workstations, hosts, or other devices registered with the IDPS. Since the IDPS is a major part of the network's protection and defense system, a compromised IDPS may allow malicious attacks to bypass the network's controls. For the purpose of this requirement, disabling is not considered the same as blocking or dropping of the traffic to or from the device. Disabling the network or monitored device is one action that may be selected when implementing CCI-001670. |
| STIG | Date |
|---|---|
| Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide | 2012-11-19 |
Details
| Check Text ( C-42698r1_chk ) |
|---|
| Review the IDPS configuration to determine if the system automatically disables the network or any monitored device identified for this action based on an organizationally defined list of security violations. If the IDPS is not configured to disable the network or monitored device upon detecting events identified on an organizationally defined list of security events, this is a finding. |
| Fix Text (F-38744r1_fix) |
|---|
| Configure the IDPS to automatically disable the network or monitored device if any of the organizationally defined lists of security violations are detected. |