Symantec ProxySG must enable Attack Detection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-94413	SYMP-NM-000320	SV-104305r2_rule		High

Description
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Symantec ProxySG Attack Detection prevents or limits the effects of denial of service (DoS) and distributed-DoS (DDoS) attacks by limiting the number of simultaneous TCP connections and/or excessive repeated requests from each client IP address that can be established within a specified time frame. Configure attack detection for both clients and servers or server groups. The client attack-detection configuration is used to control the behavior of attacking sources. The server attack-detection configuration is used when an administrator wants to prevent a server from becoming overloaded by limiting the number of outstanding requests that are allowed. The default settings should work in most environments, but can be fine tuned to prevent impact on the site's traffic flow. Organizations should also take into consideration the capabilities and configuration of adjacent network devices (e.g., firewalls performing packet filtering to block DoS attacks). The default settings should work in most environments, but can be fine-tuned to prevent impact on the site's traffic flow. Organizations should also take into consideration the capabilities and configuration of adjacent network devices (e.g., firewalls performing packet filtering to block DoS attacks). Default settings for client DDoS settings on the ProxySG are as follows. To view Default settings for client DDoS settings on the ProxySG, type the following command at the command line interface. ProxySG#(config attack-detection)show attack-detection client Client limits enabled: false Client interval: 20 minutes Default client limits: Client concurrent request limit: unlimited Client connection limit: 100 Client failure limit: 50 Client request limit: unlimited Client warning limit: 10 Blocked client action: Drop Client connection unblock time: unlimited Monitor only mode: disabled

Description

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Symantec ProxySG Attack Detection prevents or limits the effects of denial of service (DoS) and distributed-DoS (DDoS) attacks by limiting the number of simultaneous TCP connections and/or excessive repeated requests from each client IP address that can be established within a specified time frame. Configure attack detection for both clients and servers or server groups. The client attack-detection configuration is used to control the behavior of attacking sources. The server attack-detection configuration is used when an administrator wants to prevent a server from becoming overloaded by limiting the number of outstanding requests that are allowed. The default settings should work in most environments, but can be fine tuned to prevent impact on the site's traffic flow. Organizations should also take into consideration the capabilities and configuration of adjacent network devices (e.g., firewalls performing packet filtering to block DoS attacks). The default settings should work in most environments, but can be fine-tuned to prevent impact on the site's traffic flow. Organizations should also take into consideration the capabilities and configuration of adjacent network devices (e.g., firewalls performing packet filtering to block DoS attacks). Default settings for client DDoS settings on the ProxySG are as follows. To view Default settings for client DDoS settings on the ProxySG, type the following command at the command line interface. ProxySG#(config attack-detection)show attack-detection client Client limits enabled: false Client interval: 20 minutes Default client limits: Client concurrent request limit: unlimited Client connection limit: 100 Client failure limit: 50 Client request limit: unlimited Client warning limit: 10 Blocked client action: Drop Client connection unblock time: unlimited Monitor only mode: disabled

STIG	Date
Symantec ProxySG NDM Security Technical Implementation Guide	2019-12-20

Details

Check Text ( C-93599r1_chk )
Verify Attack Detection is enabled. 1. SSH into the ProxySG console, type "enable". 2. Enter the correct password, type "configure terminal". 3. Press "Enter", type "show attack-detection configuration". 4. Confirm that "client limits enabled" equals "true". If Attack Detection is not enabled, this is a finding.

Fix Text (F-100529r1_fix)
Enable the Attack Detection function for the default settings or fine tune needed by site environment. 1. SSH into the ProxySG console, type "enable". 2. Enter the correct password, type "configure terminal". 3. Press "Enter", and then type "attack-detection". 4. Type "client" and press "Enter", type "enable-limits" and press "Enter". See "Chapter 73: Preventing Denial of Service Attacks" in the ProxySG Administration Guide to understand the functionality before proceeding. Fine tune the default client limits if there is an operational impact.

Fix Text (F-100529r1_fix)

Enable the Attack Detection function for the default settings or fine tune needed by site environment.

1. SSH into the ProxySG console, type "enable".
2. Enter the correct password, type "configure terminal".
3. Press "Enter", and then type "attack-detection".
4. Type "client" and press "Enter", type "enable-limits" and press "Enter".

See "Chapter 73: Preventing Denial of Service Attacks" in the ProxySG Administration Guide to understand the functionality before proceeding. Fine tune the default client limits if there is an operational impact.