
Trend Micro TippingPoint IDPS Security Technical Implementation Guide


Overview

Date         Finding Count (39)
2022-06-28   CAT I (High): 3   CAT II (Med): 36   CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-242173 High The Trend Micro TippingPoint Security Management System (SMS) must be configured to send security IPS policy to the Trend Micro Threat Protection System (TPS).
V-242199 High The TPS must generate a log record so that an alert can be configured to notify, at a minimum, the system administrator when malicious code is detected.
V-242197 High The SMS must install updates on the TPS for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.
V-242188 Medium The SMS must be configured to remove or disable non-essential capabilities on SMS and TPS which are not required for operation or not related to IDPS functionality (e.g., web server, SSH, telnet, and TAXII).
V-242189 Medium The TPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
V-242167 Medium To protect against unauthorized data mining, the TPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-242168 Medium To protect against unauthorized data mining, the TPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-242169 Medium To protect against unauthorized data mining, the TPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-242180 Medium The SMS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and TPS component which detected the event by sending all audit and system logs to a centralized syslog server.
V-242181 Medium The SMS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address by sending all audit and system logs to a centralized syslog server.
V-242186 Medium In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance.
V-242187 Medium The SMS and TPS must provide log information in a format that can be extracted and used by centralized analysis tools.
V-242184 Medium The TPS and SMS must off-load log records to a centralized log server.
V-242185 Medium In the event of a logging failure, caused by loss of communications with the central logging server, the SMS must queue audit records locally by using the syslog over TCP protocol until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.
V-242177 Medium The TPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.
V-242176 Medium The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
V-242182 Medium The SMS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic by sending all audit and system logs to a centralized syslog server.
V-242183 Medium The TPS must support centralized management and configuration of the content captured in audit records generated by all TPS components by using the Security Management System (SMS).
V-242196 Medium The TPS must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.
V-242179 Medium The SMS must produce audit records containing information to establish when (date and time) the events occurred by sending all audit and system logs to a centralized syslog server.
V-242172 Medium To protect against unauthorized data mining, the TPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-242171 Medium To protect against unauthorized data mining, the TPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-242170 Medium To protect against unauthorized data mining, the TPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-242198 Medium The TPS must block malicious code.
V-242175 Medium The Trend Micro TPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions which are all contained in the Digital Vaccine (DV) updates.
V-242195 Medium The TPS must block malicious ICMP packets by properly configuring ICMP signatures and rules.
V-242194 Medium The TPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
V-242178 Medium The SMS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description by sending all audit and system logs to a centralized syslog server.
V-242191 Medium The TPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation (also known as "Fail closed").
V-242190 Medium The TPS must block any prohibited mobile code at the enclave boundary when it is detected.
V-242193 Medium The TPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
V-242192 Medium The TPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.
V-242201 Medium The TPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum, through use of a site-approved TPS device profile.
V-242200 Medium SMS and TPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.
V-242203 Medium The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.
V-242202 Medium The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected.
V-242205 Medium The TPS must send an alert to, at a minimum, the ISSM and ISSO when intrusion detection events are detected which indicate a compromise or potential for compromise.
V-242204 Medium The TPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
V-242206 Medium The site must register with the Trend Micro TippingPoint Threat Management Center (TMC) in order to receive alerts when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise.
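As an added example (not part of the STIG and not Trend Micro code): the audit-record findings V-242178 through V-242182 each name content that every record forwarded to the central syslog server must carry, namely what happened (event, filter/rule, port, protocol, severity), when (date and time), where (segment, destination, detecting device), the source address, and the outcome. The Python below checks exported syslog lines against those five findings and reports, per record, which finding is unmet and which field is missing. The key=value field names, the RFC 3164-style `<PRI>` prefix, and the three sample records are constructed for this example; they are an assumed export layout, not a TippingPoint log format, so map the `REQUIRED` keys to whatever your SMS syslog format actually emits.

```python
import re
from datetime import datetime

# Fields each STIG finding needs in every off-loaded audit record.
# Field names are assumptions for this example, not an SMS format.
REQUIRED = {
    "V-242178 (what)":    ["event", "filter", "port", "protocol", "severity"],
    "V-242179 (when)":    ["timestamp"],
    "V-242180 (where)":   ["segment", "dst", "device"],
    "V-242181 (source)":  ["src"],
    "V-242182 (outcome)": ["action"],
}

# key="quoted value" or key=bareword; the <PRI> prefix never matches.
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_record(line):
    """Return the key=value fields of one syslog line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1) or m.group(3)
        val = m.group(2) if m.group(1) else m.group(4)
        fields[key] = val
    return fields


def timestamp_ok(value):
    """V-242179 needs a real date and time, not just any string."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def missing_requirements(line):
    """Map each unmet finding to the fields that are absent or invalid."""
    fields = parse_record(line)
    missing = {}
    for finding, keys in REQUIRED.items():
        absent = [k for k in keys if not fields.get(k)]
        if "timestamp" in keys and fields.get("timestamp") \
                and not timestamp_ok(fields["timestamp"]):
            absent.append("timestamp (unparseable)")
        if absent:
            missing[finding] = absent
    return missing


def audit(lines):
    """Return (compliant_count, {line_no: missing}) for a batch of records."""
    failures = {}
    for n, line in enumerate(lines, 1):
        gaps = missing_requirements(line)
        if gaps:
            failures[n] = gaps
    return len(lines) - len(failures), failures


# Constructed sample records (not captured from a real device).
GOOD_RECORD = (
    '<134>timestamp=2022-06-28T14:03:11Z device=tps-edge-01 segment=1A '
    'src=203.0.113.7 dst=192.0.2.10 protocol=TCP port=443 '
    'filter="1234: HTTP: SQL Injection" severity=critical action=block '
    'event="Blocked by filter"'
)
INCOMPLETE_RECORD = (
    '<134>timestamp=2022-06-28T14:03:12Z device=tps-edge-01 '
    'src=203.0.113.8 protocol=TCP port=80 action=permit'
)
BAD_TIME_RECORD = GOOD_RECORD.replace("2022-06-28T14:03:11Z", "June-28-14:03")

if __name__ == "__main__":
    ok, failures = audit([GOOD_RECORD, INCOMPLETE_RECORD, BAD_TIME_RECORD])
    print(f"{ok} compliant record(s)")
    for n, gaps in failures.items():
        for finding, fields in gaps.items():
            print(f"record {n}: {finding} missing {', '.join(fields)}")
```

Run it over a syslog export from the central collector rather than on the SMS itself; the point of V-242184 is that the records a reviewer audits are the ones that actually left the device.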