UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IDPS must be installed in stealth mode without an IP address on the interface with data flow.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34773 SRG-NET-000258-IDPS-00184 SV-45697r1_rule Medium
Description
The IDPS must prevent non-privileged users from gaining access to the system in order to circumvent intrusion detection and prevention capabilities. Circumventing IDPS capabilities would require gaining access to the configuration of the system. To prevent access by non-privileged users and processes, both passive and inline sensors must be installed in stealth mode. Operating a sensor without IP addresses assigned to monitoring interfaces is known as operating in stealth mode. Thus, only network interfaces used for IDPS management are configured with an IP address and management ports are accessible only from the management network. This conceals the sensors from attackers and thus limits exposure to attacks. If monitoring is being performed using a switch SPAN port, the sensors must be configured in stealth mode and the Network Interface Card (NIC) must be connected to the SPAN port with no network protocol stacks bound to the port. A second NIC must then be connected to an OOB network.
STIG Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide 2012-11-19

Details

Check Text ( C-43063r1_chk )
Review the interface configuration function for all sensors on all network segments.
Verify all interfaces used to monitor network traffic are not configured with IP addresses (configured to use stealth mode).

If the sensor interfaces used to monitor network traffic are not installed in stealth mode, this is a finding.
Fix Text (F-39095r1_fix)
Remove the IP addresses from all IDPS sensor interfaces monitoring data flow.