
The IDPS must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.


Overview

Finding ID:   V-34769
Version:      SRG-NET-000256-IDPS-00180
Rule ID:      SV-45693r1_rule
IA Controls:  (none listed)
Severity:     Medium
Description
IDPS sensors must be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. Placing a sensor behind the firewall gives a clear picture of what traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack launched against another network from the local enclave. Monitoring outbound traffic also detects abnormal traffic or malicious activity by internal personnel. Without monitoring both inbound and outbound traffic for anomalies, critical indicators of an attack may be missed until it is too late.
STIG:  Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date:  2012-11-19

Details

Check Text ( C-43059r1_chk )
Review the IDPS rules to determine what events are defined for each interface (inbound and outbound).

If rules have not been installed to monitor each enabled interface for anomalies, this is a finding.
Fix Text (F-39091r1_fix)
Download a vendor rule set or create rules that examine network traffic on both the inbound and outbound interfaces for anomalies.
Define clipping levels (thresholds) to establish a baseline of normal traffic so that deviations are flagged rather than every matching packet. The rules must monitor for and alert on specific attacks, identifying potential security violations.
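One way to automate the check above, as an added example that is not part of the STIG or any vendor's tooling: parse a sensor's rule file, classify each rule by the direction it covers relative to the enclave, and report whether every direction has at least one rule and which of those rules define a clipping level. It assumes Snort/Suricata rule syntax with the usual $HOME_NET / $EXTERNAL_NET variables, treats a rule with the <> operator or an "any" endpoint as covering both directions, and recognises the threshold: and detection_filter: keywords as clipping levels. The rule set below is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rule set in Snort/Suricata syntax (not taken from the STIG page).
SAMPLE_RULES = """
# inbound: SYN burst toward the enclave, clipped to 100 per source per 10 s
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INBOUND SYN burst"; flags:S; threshold:type both, track by_src, count 100, seconds 10; sid:1000001; rev:1;)
# outbound: enclave host talking to an IRC port, alert at most once per 5 min per host
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"OUTBOUND IRC"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; sid:1000002; rev:1;)
# bidirectional rule: counts for both directions
alert icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"ICMP oversized"; dsize:>1000; sid:1000003; rev:1;)
# outbound rule with no clipping level at all
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"OUTBOUND DNS to non-enterprise resolver"; sid:1000004; rev:1;)
"""

# header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|log|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

HOME = {"any", "$HOME_NET"}
EXTERNAL = {"any", "$EXTERNAL_NET"}


def parse_rules(text):
    """Return a list of rule dicts; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        rules.append(m.groupdict())
    return rules


def _classify(src, dst):
    covered = set()
    if src in EXTERNAL and dst in HOME:
        covered.add("inbound")
    if src in HOME and dst in EXTERNAL:
        covered.add("outbound")
    return covered


def directions(rule):
    """Directions a rule covers relative to $HOME_NET: {'inbound'}, {'outbound'} or both."""
    covered = _classify(rule["src"], rule["dst"])
    if rule["dir"] == "<>":
        covered |= _classify(rule["dst"], rule["src"])
    return covered


def sid_of(rule):
    m = re.search(r"\bsid:\s*(\d+)", rule["opts"])
    return m.group(1) if m else None


def has_threshold(rule):
    """True if the rule defines a clipping level (threshold: or detection_filter:)."""
    return re.search(r"\b(threshold|detection_filter)\s*:", rule["opts"]) is not None


def assess(rules):
    """Return (finding, report). finding is True when a direction has no rule at all."""
    by_dir = defaultdict(list)
    for r in rules:
        for d in directions(r):
            by_dir[d].append(r)
    report = {}
    for d in ("inbound", "outbound"):
        covering = by_dir.get(d, [])
        report[d] = {
            "rule_sids": [sid_of(r) for r in covering],
            "with_threshold": [sid_of(r) for r in covering if has_threshold(r)],
        }
    finding = any(not report[d]["rule_sids"] for d in report)
    return finding, report


if __name__ == "__main__":
    finding, report = assess(parse_rules(SAMPLE_RULES))
    for d, info in report.items():
        print(f"{d:8s} rules={info['rule_sids']} clipped={info['with_threshold']}")
    print("FINDING" if finding else "compliant: both directions monitored")
```

Rules without a clipping level are reported but do not by themselves raise the finding, since the check text only requires that rules exist for each direction; the with_threshold list is what a reviewer would look at when applying the fix text's baseline requirement.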