
The firewall implementation must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing security safeguards.


Overview

Finding ID: SRG-NET-000362-FW-000229
Version: SRG-NET-000362-FW-000229
Rule ID: SRG-NET-000362-FW-000229_rule
IA Controls: (none listed)
Severity: Medium
Description
Denial of Service (DoS) is a condition in which a resource is not available to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. DoS attacks can take multiple forms but share the common objective of overloading or blocking a network or host to deny or seriously degrade performance, thus rendering it useless. These attacks can be simple “floods” of traffic that saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or misconfigurations that disable or impair the proper function of a device.

A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by DoS attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to DoS attacks. Services and components should be redundant when possible.

A firewall or other device implementing an Access Control List (ACL) must be configured to protect the enclave from DoS attacks (e.g., SYN-flood, ICMP-flood, Land). Various techniques exist, such as rate-limiting, policing, or filtering excessive traffic. The appropriate protective measure depends on the specific attack.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000362-FW-000229_chk)
Review the configuration of the firewall implementation(s) and interview the System Administrators. If the device is not configured to protect against or limit the effects of all types of Denial of Service (DoS) attacks, this is a finding.

Note that more than one device can be configured to protect against or limit the effects of DoS attacks, so it may be necessary to review the configuration of more than one firewall implementation (such as a dedicated firewall or device with an ACL).
Fix Text (F-SRG-NET-000362-FW-000229_fix)
Configure the firewall implementation to protect against or limit the effects of all types of Denial of Service (DoS) attacks. Follow information assurance vulnerability alert (IAVA) and other security advisory guidance.