
The IDPS must implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.


Overview

Finding ID: V-34751
Version: SRG-NET-000237-IDPS-00171
Rule ID: SV-45661r1_rule
IA Controls:
Severity: Medium
Description
In a regional Enterprise Enclave, different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for each set of sensors, each profile can then be tuned to generate alarms based on the traffic types seen, the attack signatures, and the specific traffic (string signatures) relevant to each sensor group. If more than one sensor group sees the same traffic types, then the same signature profile may be used for both sets. Alerting on specific connection signatures, general attack signatures, and specific string signatures provides focused segment analysis at Layers 4. The sensor monitoring the web servers will be configured for application inspection and control of all web ports (e.g., 80, 3128, 8000, 8010, 8080, 8888, 24326, etc.). The sensor monitoring the web servers must also monitor and control web traffic that is not received on web ports. This process is called port redirection. In many implementations, port redirection is a separate signature that must be installed.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-43027r1_chk)
Verify all network segments with web servers installed are monitored by one or more sensors. Verify signatures are installed for application inspection and control of all web ports. Verify signatures are installed to monitor and analyze application traffic that uses port redirection.

If the IDPS sensors are not configured to perform application inspection and control of all web ports, this is a finding.
Fix Text (F-39059r1_fix)
Install one or more sensors to monitor all network segments with web servers installed. Verify signatures are installed for application inspection and control of all web ports. Install signatures to monitor and analyze application traffic that uses port redirection.
Review and tune all signatures that are specifically tailored to detect vulnerabilities in web servers.
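
The port-redirection requirement above amounts to classifying traffic by content rather than by destination port. The following is an added example, not part of the SRG or of any IDPS product: a small detection routine run over constructed session records. The record fields, the sample addresses and the two verdict names are assumptions made for illustration; the port list is the one given in the Description.

```python
import re

# Web ports named in the Description (the source list ends in "etc.").
WEB_PORTS = {80, 3128, 8000, 8010, 8080, 8888, 24326}

# Cleartext HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF.
# Encrypted or HTTP/2 traffic is not recognised by this pattern.
HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n"
)

def is_http(payload: bytes) -> bool:
    """Identify HTTP from the first client payload, independent of port."""
    return HTTP_REQUEST.match(payload) is not None

def classify(session: dict, web_servers: set):
    """Return a verdict for one session, or None if nothing is flagged."""
    if session["dst"] not in web_servers:
        return None  # outside the monitored web-server segment
    http = is_http(session["payload"])
    on_web_port = session["dport"] in WEB_PORTS
    if http and not on_web_port:
        return "http-on-non-web-port"   # port redirection
    if on_web_port and not http:
        return "non-http-on-web-port"   # unexpected protocol on a web port
    return None

def review(sessions, web_servers):
    """List (dst, dport, verdict) for every flagged session."""
    flagged = []
    for s in sessions:
        verdict = classify(s, web_servers)
        if verdict:
            flagged.append((s["dst"], s["dport"], verdict))
    return flagged

# Constructed sample records (hypothetical fields, documentation addresses).
SAMPLE_SESSIONS = [
    {"dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"dst": "192.0.2.10", "dport": 5000,
     "payload": b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"dst": "192.0.2.10", "dport": 8080, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"dst": "192.0.2.99", "dport": 5000, "payload": b"GET / HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in review(SAMPLE_SESSIONS, {"192.0.2.10"}):
        print(hit)
```

A sensor whose web signatures are bound only to the listed ports would miss the second record, which is the gap the port-redirection signature is meant to close.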