
The network element must enforce configurable traffic volume thresholds representing logging capacity for network traffic to be logged.


Overview

Finding ID: V-27009
Version: SRG-NET-000086
Rule ID: SV-34303r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a Quality of Service (QoS) framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs without QoS, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification.

Many DoS attacks target the network core by attempting to saturate link capacity and exhaust router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium service, it not only forces priority traffic such as voice to compete for service, it also robs critical control-plane and network management traffic of the service it requires to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked.

It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.
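The following is an added example, not part of the SRG text, showing how the policing and mark-down behaviour described above is typically expressed in Cisco IOS Modular QoS CLI (MQC). The class names, the 1 Mbps committed rate, the burst size and the interface name are constructed placeholders; the committed rate is the configurable threshold an administrator would set to match the premium class's provisioned capacity.

```cisco
! Added example (not SRG text). Assumes Cisco IOS MQC syntax; values are placeholders.
!
! Classify traffic that arrives already marked for premium (expedited forwarding) service.
class-map match-all PREMIUM-VOICE
 match dscp ef
!
! Police the premium class at the ingress trust boundary:
!  - conforming traffic keeps its EF marking and is forwarded
!  - out-of-profile (exceeding) traffic is marked down to a low-priority class (CS1, scavenger)
!  - traffic beyond the violate threshold is dropped
! The CIR (here 1,000,000 bps) is the configurable threshold for this class.
policy-map POLICE-PREMIUM
 class PREMIUM-VOICE
  police cir 1000000 bc 31250
   conform-action transmit
   exceed-action set-dscp-transmit cs1
   violate-action drop
 class class-default
  ! Anything not explicitly trusted is re-marked to best effort so it cannot claim premium service.
  set dscp default
!
! Apply the policy inbound on the untrusted edge interface (placeholder interface name).
interface GigabitEthernet0/1
 service-policy input POLICE-PREMIUM
```

After applying the policy, `show policy-map interface GigabitEthernet0/1` reports per-class conformed, exceeded and violated counters; a steadily growing exceeded or violated count on the premium class is the signal that a source is sending more EF-marked traffic than its profile allows and is being held to the low-priority class as the requirement intends.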
STIG: Network Security Requirements Guide
Date: 2011-12-28

Details

Check Text (None)
None

Fix Text (None)
None