The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-239860 | CASA-FW-000150 | SV-239860r991796_rule | CCI-001095 | medium |
| Description | ||||
| A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity. | ||||
| STIG | Date | |||
| Cisco ASA Firewall Security Technical Implementation Guide | 2024-06-06 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
SC-5(2)
1.00
- DISA · V2R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001095
1.00
- DISA · V2R1 · disa_xccdf · related
Details
Check Text (C-239860r991796_chk)
NOTE: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled, and this check is Not Applicable.
Review the ASA configuration to determine if threat detection has been enabled.
threat-detection basic-threat
If the ASA has not been configured to enable threat detection to mitigate risks of DoS attacks, this is a finding.
Fix Text (F-43052r665865_fix)
Configure threat detection as shown in the example below.
ASA(config)# threat-detection basic-threat