UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IDPS must be configured to automatically disable the monitored device if any of the organizationally defined lists of security violations are detected.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34506 SRG-NET-000037-IDPS-00035 SV-45348r1_rule Medium
Description
Incident related information can be obtained from a variety of sources including network monitoring. To reduce or eliminate the risk to the network, the IDPS must be configured to disable the network or monitored devices when an organizationally defined list of events is detected. Monitored devices may include workstations, hosts, or other devices registered with the IDPS. Since the IDPS is a major part of the network's protection and defense system, a compromised IDPS may allow malicious attacks to bypass the network's controls. For the purpose of this requirement, disabling is not considered the same as blocking or dropping of the traffic to or from the device. Disabling the network or monitored device is one action that may be selected when implementing CCI-001670.
STIG Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide 2012-11-19

Details

Check Text ( C-42698r1_chk )
Review the IDPS configuration to determine if the system automatically disables the network or any monitored device identified for this action based on an organizationally defined list of security violations.

If the IDPS is not configured to disable the network or monitored device upon detecting events identified on an organizationally defined list of security events, this is a finding.
Fix Text (F-38744r1_fix)
Configure the IDPS to automatically disable the network or monitored device if any of the organizationally defined lists of security violations are detected.