The IDPS must be installed in stealth mode without an IP address on the interface with data flow.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34773 | SRG-NET-000258-IDPS-00184 | SV-45697r1_rule | Medium |
| Description |
|---|
| The IDPS must prevent non-privileged users from gaining access to the system in order to circumvent intrusion detection and prevention capabilities. Circumventing IDPS capabilities would require gaining access to the configuration of the system. To prevent access by non-privileged users and processes, both passive and inline sensors must be installed in stealth mode. Operating a sensor without IP addresses assigned to monitoring interfaces is known as operating in stealth mode. Thus, only network interfaces used for IDPS management are configured with an IP address and management ports are accessible only from the management network. This conceals the sensors from attackers and thus limits exposure to attacks. If monitoring is being performed using a switch SPAN port, the sensors must be configured in stealth mode and the Network Interface Card (NIC) must be connected to the SPAN port with no network protocol stacks bound to the port. A second NIC must then be connected to an OOB network. |
| STIG | Date |
|---|---|
| Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide | 2012-11-19 |
Details
| Check Text ( C-43063r1_chk ) |
|---|
| Review the interface configuration function for all sensors on all network segments. Verify all interfaces used to monitor network traffic are not configured with IP addresses (configured to use stealth mode). If the sensor interfaces used to monitor network traffic are not installed in stealth mode, this is a finding. |
| Fix Text (F-39095r1_fix) |
|---|
| Remove the IP addresses from all IDPS sensor interfaces monitoring data flow. |