The Juniper Networks SRX Series Gateway IDPS must drop packets or disconnect the connection when malicious code is detected.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-66435 | JUSX-IP-000028 | SV-80925r1_rule | Medium |
| Description |
|---|
| Configuring the IDPS to discard and/or redirect based on local organizational incident handling procedures minimizes the impact of this code on the network. Once an attack object in the IPS policy is matched, the SRX can execute an action on that specific session, along with actions on future sessions. The ability to execute an action on that particular session is known as an IDPS action. IDPS actions can be one of the following: No-Action, Drop-Packet, Drop-Connection, Close-Client, Close-Server, Close-Client-and-Server, DSCP-Marking, Recommended, or Ignore. IP actions are actions that can be enforced on future sessions. These actions include IP-Close, IP-Block, and IP-Notify |
| STIG | Date |
|---|---|
| Juniper SRX SG IDPS Security Technical Implementation Guide | 2017-07-07 |
Details
| Check Text ( C-67081r1_chk ) |
|---|
| Verify custom rules exist to drop packets or terminate sessions upon detection of malicious code. [edit] show security idp policy View the rulebase action option for the IDP policies. If rulebases for IDP policies which detect malicious code are not configured with an action of Drop-Packet, Drop-Connection, or some form of session termination, this is a finding. |
| Fix Text (F-72511r1_fix) |
|---|
| This requirement can be met through a custom rule within a policy or drop action option on the zone configuration to which the policy is applied. The following is an example of the command that can be added to the IDP policy. The policy is called Malicious-Activity and the rule is called R1 in this example. [edit] set security idp idp-policy Malicious-Activity rulebase-ips rule R1 then action drop-connection |