UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IDPS must be configured to monitor inbound and outbound TCP and UDP packets, dropping traffic using prohibited port numbers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34770 SRG-NET-000256-IDPS-00181 SV-45694r1_rule Medium
Description
Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel. The IDS must be configured to monitor this traffic; however, the IPS must also be configured to take action to drop the traffic. The IPS must be configured to drop inbound and outbound TCP and UDP packets with the following port numbers: 67, 68, 546, 547, 647, 847, and 2490 on the IDPS. This requirement applies only if DHCPv6 is not used.
STIG Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide 2012-11-19

Details

Check Text ( C-43060r1_chk )
Applies to networks where DHCPv6 is not used.

Verify a sensor signature exists to monitor inbound and outbound TCP and UDP traffic for prohibited port numbers (e.g., 67, 68, 546, 547, 647, 847, and 2490). Verify the IPS or another system takes action to drop the prohibited packets.

If the IDPS is not configured to detect and drop inbound and outbound TCP and UDP packets using prohibited ports, this is a finding.
Fix Text (F-39092r1_fix)
Create or install a rule to monitor for any inconsistencies in the advertised “M or O bit values” of router advertisements on a link.
Create or install a rule to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.
Configure the rule to drop packets using prohibited ports.