
The IDPS must enforce strict adherence to protocol format.


Overview

Finding ID: V-34715
Version: SRG-NET-000200-IDPS-00147
Rule ID: SV-45608r1_rule
IA Controls: (blank)
Severity: Medium
Description
Crafted packets that do not conform to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by attackers to exploit a host's protocol stack to cause a Denial of Service (DoS) or force a device reset, to bypass security gateway filtering, or to compromise a vulnerable device. It is imperative that these packets are recognized and discarded at the network perimeter. This requirement is not applicable to IDS-only implementations, since it is specifically about enforcement.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42974r1_chk)
If this is an IDS-only implementation, this is not applicable.
Inspect the rules installed on the IPS.
Verify that signatures exist that check traffic for valid formation of protocol formats (well-formed headers and fields).
Verify that an enforcement action (such as dropping the packet) is taken for disallowed or malformed protocol formats.

If rules that monitor and enforce protocol formats are not installed, this is a finding.
Fix Text (F-39006r1_fix)
Implement rules to monitor and prevent the use of disallowed or malformed protocol formats.
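A simplified illustration of what a protocol-conformance signature with an enforcement action does, added here as an example (this is not code from the STIG or from any IPS product): it parses constructed raw IPv4/TCP packets, reports the header-format rules each one violates, and maps any violation to a drop decision, which is the monitor-then-enforce behaviour the check text above asks an auditor to verify. The rule names, the packet builder, the constructed sample packets and the set of checks are all assumptions for illustration; a production IPS validates far more (options, checksums, fragmentation, application-layer decoding).

```python
"""
Illustrative protocol-format conformance check (added example, not part of
the STIG or of any IPS product). Rule names and the sample packets below are
assumptions for illustration only.
"""
import struct

# Minimum header sizes from RFC 791 (IPv4) and RFC 793 (TCP).
IPV4_MIN_HDR = 20
TCP_MIN_HDR = 20
PROTO_TCP = 6

FIN, SYN, RST = 0x01, 0x02, 0x04


def check_ipv4_tcp(pkt: bytes) -> list:
    """Return the list of format rules a raw IPv4(/TCP) packet violates; empty means well-formed."""
    findings = []
    if len(pkt) < IPV4_MIN_HDR:
        return ["ipv4.truncated_header"]

    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IPV4_MIN_HDR]
    )
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length is counted in 32-bit words
    if version != 4:
        findings.append("ipv4.bad_version")
    if ihl < IPV4_MIN_HDR:
        findings.append("ipv4.ihl_too_small")
        return findings  # the transport header cannot be located reliably
    if total_len < ihl or total_len > len(pkt):
        findings.append("ipv4.total_length_mismatch")
    if proto != PROTO_TCP:
        return findings  # only TCP is decoded in this illustration

    if len(pkt) < ihl + TCP_MIN_HDR:
        findings.append("tcp.truncated_header")
        return findings
    _sport, _dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", pkt[ihl:ihl + TCP_MIN_HDR]
    )
    data_offset = (off_res >> 4) * 4
    if data_offset < TCP_MIN_HDR:
        findings.append("tcp.data_offset_too_small")
    end = ihl + data_offset
    if end > total_len or end > len(pkt):
        findings.append("tcp.header_exceeds_packet")
    # Flag combinations that never occur in a legitimate handshake.
    if flags & (SYN | FIN) == (SYN | FIN):
        findings.append("tcp.syn_fin")
    if flags == 0:
        findings.append("tcp.null_flags")
    if flags & SYN and flags & RST:
        findings.append("tcp.syn_rst")
    return findings


def enforce(pkt: bytes) -> str:
    """Enforcement action: any format violation results in a drop, otherwise the packet passes."""
    return "drop" if check_ipv4_tcp(pkt) else "pass"


def build_packet(flags=SYN, version=4, ihl_words=5, data_offset_words=5,
                 total_len=None, payload=b"") -> bytes:
    """Construct a raw IPv4/TCP packet; non-default arguments deliberately produce malformed headers.
    Checksums are left at zero because checksum validation is outside this illustration."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset_words << 4, flags, 65535, 0, 0)
    ip_len = IPV4_MIN_HDR + len(tcp) + len(payload) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl_words, 0, ip_len, 1, 0, 64,
                     PROTO_TCP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp + payload


# Constructed sample traffic: one well-formed SYN and several crafted violations.
SAMPLES = {
    "normal_syn": build_packet(),
    "syn_fin": build_packet(flags=SYN | FIN),
    "null_flags": build_packet(flags=0),
    "bad_version": build_packet(version=6),
    "ihl_too_small": build_packet(ihl_words=3),
    "tcp_data_offset_too_small": build_packet(data_offset_words=2),
    "tcp_header_exceeds_packet": build_packet(data_offset_words=8),
    "total_length_too_large": build_packet(total_len=200),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28s} {enforce(pkt):5s} {check_ipv4_tcp(pkt)}")
```

When auditing a real IPS against this requirement, the equivalent evidence is the list of enabled protocol-anomaly (decoder or preprocessor) signatures together with the action bound to each; a signature that only alerts, with no drop or reset action, satisfies the "monitor" half of the check but not the "enforce" half.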