STIGQter: STIG Summary: Firewall Security Requirements Guide, Version 1, Release 4, Benchmark Date: 26 Jul 2019

The firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

DISA Rule

SV-94125r1_rule

Vulnerability Number

V-79419

Group Title

SRG-NET-000192-FW-000029

Rule Version

SRG-NET-000192-FW-000029

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Associate a properly configured DoS firewall filter (e.g., rules, access control lists [ACLs], screens, or policies) to outbound interfaces and security zones.

Example of applying a firewall filter to each outbound interface:

set security zones security-zone untrust interfaces <OUTBOUND-INTERFACE>
set security zones security-zone trust screen untrust-screen

Check Contents

Obtain and review the list of outbound interfaces and zones from site personnel.

Review each of the configured outbound interfaces and zones. Verify that zones that communicate outbound have been configured with a DoS firewall filter (i.e., rules, access control lists [ACLs], screens, or policies) covering attacks such as IP sweeps, TCP sweeps, buffer overflows, unauthorized port scanning, SYN floods, UDP floods, and UDP sweeps.

If all outbound interfaces are not configured to block DoS attacks, this is a finding.
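The review described above can be scripted against an exported configuration. The following is an added example, not part of the SRG or of STIGQter: it assumes the configuration is in the same "set" format as the fix example, and the zone, interface and screen names in the sample are constructed.

```python
import re

# Constructed sample in "set" format; zone, interface and screen names are made up.
SAMPLE_CONFIG = """\
set security screen ids-option outbound-dos icmp ip-sweep threshold 1000
set security screen ids-option outbound-dos tcp port-scan threshold 1000
set security screen ids-option outbound-dos tcp syn-flood attack-threshold 200
set security screen ids-option outbound-dos udp flood threshold 1000
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust screen outbound-dos
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone lab interfaces ge-0/0/3.0
set security zones security-zone lab screen missing-profile
set security zones security-zone untrust interfaces ge-0/0/0.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) (interfaces|screen) (\S+)")
SCREEN_RE = re.compile(r"^set security screen ids-option (\S+) ")


def audit_zones(config, zones_to_check):
    """Map each zone that fails the check to the reason it is a finding."""
    defined, bound, interfaces = set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := SCREEN_RE.match(line):
            defined.add(m.group(1))          # a screen profile with at least one option
        elif m := ZONE_RE.match(line):
            zone, kind, value = m.groups()
            if kind == "screen":
                bound[zone] = value          # screen applied to this zone
            else:
                interfaces.setdefault(zone, []).append(value)
    findings = {}
    for zone in zones_to_check:
        ifaces = ", ".join(interfaces.get(zone, [])) or "no interfaces"
        if zone not in bound:
            findings[zone] = f"no screen applied ({ifaces})"
        elif bound[zone] not in defined:
            findings[zone] = f"screen '{bound[zone]}' applied but not defined ({ifaces})"
    return findings


if __name__ == "__main__":
    # Zone list as it would come from site personnel (constructed).
    for zone, reason in audit_zones(SAMPLE_CONFIG, ["trust", "dmz", "lab"]).items():
        print(f"FINDING {zone}: {reason}")
```

A zone that passes this script still needs a manual look at which screen options the profile actually enables.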

Documentable

False

Severity Override Guidance

Obtain and review the list of outbound interfaces and zones from site personnel.

Review each of the configured outbound interfaces and zones. Verify that zones that communicate outbound have been configured with a DoS firewall filter (i.e., rules, access control lists [ACLs], screens, or policies) covering attacks such as IP sweeps, TCP sweeps, buffer overflows, unauthorized port scanning, SYN floods, UDP floods, and UDP sweeps.

If all outbound interfaces are not configured to block DoS attacks, this is a finding.

Check Content Reference

M

Target Key

3377
