STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Juniper Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: The network device must drop half-open TCP connections through filtering thresholds or timeout periods.

DISA Rule

SV-15437r4_rule

Vulnerability Number

V-5646

Group Title

Devices not configured to filter and drop half-open connections.

Rule Version

NET0965

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.

Check Contents

Review the device configuration to validate that threshold filters or timeout periods are set for dropping excessive half-open TCP connections.

For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering.

JUNOS Configuration Example:
firewall {
    policer TCP-SYN-Policer {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }

    family inet {
        filter DOS-Protect {
            .
            .
            .
            /* Term tcp-syn-fin-limit: Rate limit TCP packets with SYN/FIN/RST flags. */
            term tcp-syn-fin-limit {
                from {
                    protocol tcp;
                    port [bgp ldp snmp snmptrap telnet ftp ftp-data ssh];
                    tcp-flags "syn | fin | rst";
                }
                then policer TCP-SYN-Policer;
            }
            .
            .
        }
    }
}
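As an added example (not part of the STIG or of Juniper's own tooling), the following Python audit reads a brace-style Junos configuration and checks the threshold-filter form of this requirement the way a reviewer would: a firewall term that matches TCP SYN packets must hand them to a policer, and that policer must `then discard`. The parser, the `audit_syn_policer` function, and the two sample configurations (modelled on the example above, with the elided terms omitted) are assumptions; the timeout-period form of the check is not covered.

```python
import re

def parse_junos(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* comments */
    stack = [{}]  # stack[0] is the root; stack[-1] is the block being filled
    for m in re.finditer(r"([^{};]+?)\s*([{;])|(\})", text):  # "stmt {", "stmt ;" or "}"
        if m.group(3):
            stack.pop()
        elif m.group(2) == "{":
            stack.append(stack[-1].setdefault(m.group(1).strip(), {}))
        else:
            stack[-1][m.group(1).strip()] = None  # leaf statement
    return stack[0]

def audit_syn_policer(text):
    """Return findings for NET0965; [] means excess SYNs are sent to a discarding policer."""
    fw = parse_junos(text).get("firewall", {})
    policers = {k.split()[1]: v for k, v in fw.items() if k.startswith("policer ")}
    terms = [(tk, t) for fk, f in fw.items() if fk.startswith("family ")
             for lk, l in f.items() if lk.startswith("filter ")
             for tk, t in l.items() if tk.startswith("term ")]
    refs = []  # (term, policer name) for every SYN-matching term that applies a policer
    for term_key, term in terms:
        frm = term.get("from") or {}
        flags = " ".join(s for s in frm if s.startswith("tcp-flags"))
        if "protocol tcp" not in frm or not re.search(r"(?<!!)\bsyn\b", flags):
            continue  # term does not match TCP SYN packets
        refs += [(term_key, s.split()[-1]) for s in term if s.startswith("then policer ")]
        refs += [(term_key, s.split()[-1]) for s in (term.get("then") or {}) if s.startswith("policer ")]
    findings = [] if refs else ["no firewall term applies a policer to TCP SYN packets"]
    for term_key, name in refs:
        if name not in policers:
            findings.append(f"{term_key}: references undefined policer {name}")
        elif "then discard" not in policers[name]:
            findings.append(f"{term_key}: policer {name} does not discard excess SYNs")
    return findings

COMPLIANT = """firewall {
    policer TCP-SYN-Policer {
        if-exceeding { bandwidth-limit 500k; burst-size-limit 15k; }
        then discard;
    }
    family inet { filter DOS-Protect {
        term tcp-syn-fin-limit {
            from { protocol tcp; tcp-flags "syn | fin | rst"; }
            then policer TCP-SYN-Policer;
        }
    } }
}"""  # constructed input modelled on the STIG's example; elided terms omitted
WEAK = COMPLIANT.replace("then discard;", "then loss-priority high;")  # constructed: marks, never drops
```

Feed it the output of `show configuration firewall` for a quick pass/fail before the manual review; `audit_syn_policer(WEAK)` reports that the policer only marks excess SYNs instead of discarding them.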

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

510

Comments