
The IDPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers.


Overview

Finding ID: V-34770
Version: SRG-NET-000256-IDPS-00181
Rule ID: SV-45694r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Monitoring outbound traffic enables the network operator to detect an attack launched against another network with the local enclave as its base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. The IDS must be configured to monitor this traffic, and the IPS must additionally be configured to take action and drop it. The IPS must drop inbound and outbound TCP and UDP packets using the following port numbers: 67, 68, 546, 547, 647, 847, and 2490. This requirement applies only if DHCPv6 is not used.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-43060r1_chk)
Applies to networks where DHCPv6 is not used.

Verify a sensor signature exists to monitor inbound and outbound TCP and UDP traffic for prohibited port numbers (e.g., 67, 68, 546, 547, 647, 847, and 2490). Verify the IPS or another system takes action to drop the prohibited packets.

If the IDPS is not configured to detect and drop inbound and outbound TCP and UDP packets using prohibited ports, this is a finding.
Fix Text (F-39092r1_fix)
Create or install a rule to monitor for any inconsistencies in the advertised “M or O bit values” of router advertisements on a link.
Create or install a rule to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.
Configure the rule to drop packets using prohibited ports.
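As an added example, not part of the STIG text or the UCF viewer page, the Python script below models the check above: it parses a constructed Suricata/Snort-style rule set and asks, for every prohibited port, each protocol, both enclave directions and both port roles (source and destination), whether some "drop" rule would catch the packet. The rule syntax, the `$HOME_NET`/`$EXTERNAL_NET` address variables, the sid values and the sample rules are all assumptions for illustration, and the matcher is a simplified model of a sensor's engine (no negation, no IP lists), not the product's real logic. The sample rule set is deliberately incomplete so the script has something to report.

```python
import re

# Ports the STIG associates with DHCP and prohibits for both TCP and UDP.
DHCP_PORTS = (67, 68, 546, 547, 647, 847, 2490)
PROTOCOLS = ("tcp", "udp")

# Constructed Suricata/Snort-style rule set (assumed syntax; not from the STIG).
SAMPLE_RULES = """
# TCP: bidirectional rule, so the port is caught as source or destination
drop tcp any any <> any [67,68,546,547,647,847,2490] (msg:"V-34770 prohibited DHCP port, TCP"; sid:1000001; rev:1;)
# UDP: one-directional rules keyed on destination port; 2490 is only alerted on
drop udp $EXTERNAL_NET any -> $HOME_NET [67,68,546,547,647,847] (msg:"V-34770 inbound DHCP port, UDP"; sid:1000002; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET [67,68,546,547,647,847] (msg:"V-34770 outbound DHCP port, UDP"; sid:1000003; rev:1;)
alert udp any any <> any 2490 (msg:"DHCP port 2490 seen"; sid:1000004; rev:1;)
"""

# action proto src sport (->|<>) dst dport ( options...
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<arrow>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_ports(field):
    """'any' -> None (matches every port); '67', '[67,68]', '67:69' -> set of ints."""
    field = field.strip("[]")
    if field == "any":
        return None
    ports = set()
    for item in field.split(","):
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_rules(text):
    """Parse the header of each non-comment rule line into a dict; options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "action": m["action"], "proto": m["proto"],
                "src": m["src"], "sport": parse_ports(m["sport"]), "arrow": m["arrow"],
                "dst": m["dst"], "dport": parse_ports(m["dport"]),
            })
    return rules


def addr_matches(rule_addr, pkt_net):
    return rule_addr == "any" or rule_addr == pkt_net


def port_matches(rule_ports, port):
    return rule_ports is None or port in rule_ports


def rule_matches(rule, pkt):
    """pkt = (proto, src_net, sport, dst_net, dport); a '<>' rule is also tried with ends swapped."""
    proto, src, sport, dst, dport = pkt
    if rule["proto"] != proto:
        return False
    orientations = [(src, sport, dst, dport)]
    if rule["arrow"] == "<>":
        orientations.append((dst, dport, src, sport))
    return any(
        addr_matches(rule["src"], s) and port_matches(rule["sport"], sp)
        and addr_matches(rule["dst"], d) and port_matches(rule["dport"], dp)
        for s, sp, d, dp in orientations
    )


def test_packets():
    """Synthetic packets: each port, each protocol, inbound and outbound, port as destination and as source."""
    pkts = []
    for proto in PROTOCOLS:
        for port in DHCP_PORTS:
            for src_net, dst_net in (("$EXTERNAL_NET", "$HOME_NET"), ("$HOME_NET", "$EXTERNAL_NET")):
                pkts.append((proto, src_net, 40000, dst_net, port))  # prohibited port as destination
                pkts.append((proto, src_net, port, dst_net, 40000))  # prohibited port as source
    return pkts


def uncovered_packets(rule_text):
    """Return the synthetic packets no 'drop' rule would catch; an empty list means the check passes."""
    drops = [r for r in parse_rules(rule_text) if r["action"] == "drop"]
    return [p for p in test_packets() if not any(rule_matches(r, p) for r in drops)]


if __name__ == "__main__":
    for pkt in uncovered_packets(SAMPLE_RULES):
        print("NOT DROPPED:", pkt)
```

Run against the sample set, the script reports 16 UDP packets that would not be dropped: the two one-directional UDP rules only match when the prohibited port is the destination, so a packet sourced from port 67 through 847 slips past in both directions, and port 2490 generates an alert but is never dropped. Turning the UDP rules bidirectional and changing the 2490 rule's action to drop brings the list to zero, which is the state the check text asks the reviewer to confirm.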