SV-206701r604133_rule
V-206701
SRG-NET-000362
SRG-NET-000362-FW-000028
CAT I
10
Configure the firewall to detect and prevent DoS attacks. Implement filters with thresholds that are customized for the specific environment where applicable. DoS filters are based on NIST 800-53 requirements and vendor recommendations.
The following sample commands show filters that implement this requirement (these are examples only):
set filter1 icmp ip-sweep threshold 1000
set filter2 tcp port-scan threshold 1000
set filter3 tcp syn-flood alarm-threshold 1000
set filter3 tcp syn-flood attack-threshold 1100
set filter4 tcp syn-flood source-threshold 100
set filter5 tcp syn-flood destination-threshold 2048
set filter6 tcp syn-flood timeout 20
set filter7 tcp tcp-sweep threshold 1000
set filter8 udp flood threshold 5000
set filter9 udp udp-sweep threshold 1000
View the security filters for each interface or security zone.
Verify DoS filters are configured to detect and prevent known DoS attacks such as IP sweeps, TCP sweeps, buffer overflows, unauthorized port scanning, SYN floods, UDP floods, and UDP sweeps.
If filters are not configured or if the security zone is not configured with filters that guard against common DoS attacks, this is a finding.
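One way to automate the check above for a configuration written in the sample command syntax (an added example, not part of the STIG or of any vendor tooling). Assumptions: the `set <name> <protocol> <type> <parameter> <value>` grammar is inferred from the sample commands, the function names and the WEAK_ZONE data are constructed for illustration, and a zero or non-numeric value is treated as not configured. Buffer-overflow protection has no sample command and still needs manual review.

```python
import re

# Attack classes named in the check text, mapped to the (protocol, type) pair
# used by the sample commands. "Buffer overflows" has no sample command, so it
# is not covered here and stays a manual review item.
REQUIRED = {
    "IP sweep": ("icmp", "ip-sweep"),
    "port scan": ("tcp", "port-scan"),
    "SYN flood": ("tcp", "syn-flood"),
    "TCP sweep": ("tcp", "tcp-sweep"),
    "UDP flood": ("udp", "flood"),
    "UDP sweep": ("udp", "udp-sweep"),
}

# Assumed grammar: set <name> <protocol> <type> <parameter> <value>
FILTER_LINE = re.compile(r"^set\s+\S+\s+(icmp|tcp|udp)\s+(\S+)\s+\S+\s+(\S+)$")

def audit_dos_filters(config_text):
    """Return (missing_classes, invalid_lines) for one interface or zone."""
    seen, invalid = set(), []
    for raw in config_text.splitlines():
        match = FILTER_LINE.match(raw.strip())
        if not match:
            continue  # unrelated or malformed line: contributes no coverage
        proto, ftype, value = match.groups()
        # Assumption: a threshold must be a positive integer to count.
        if not value.isdecimal() or int(value) == 0:
            invalid.append(raw.strip())
            continue
        seen.add((proto, ftype))
    missing = [name for name, key in REQUIRED.items() if key not in seen]
    return missing, invalid

def is_finding(config_text):
    """True when the zone lacks a required filter or has an unusable value."""
    missing, invalid = audit_dos_filters(config_text)
    return bool(missing or invalid)

# Constructed sample: a zone missing several filters, one with a zero threshold.
WEAK_ZONE = """\
set filter1 icmp ip-sweep threshold 1000
set filter3 tcp syn-flood attack-threshold 1100
set filter7 tcp tcp-sweep threshold 0
set filter8 udp flood threshold 5000
"""

if __name__ == "__main__":
    print(audit_dos_filters(WEAK_ZONE), is_finding(WEAK_ZONE))
```

Run it once per interface or security zone, since the check is evaluated per zone.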
V-206701
False
SRG-NET-000362-FW-000028
M
2912