Check: CASA-FW-000220
Cisco ASA Firewall STIG: CASA-FW-000220
(in versions v1 r2 through v1 r1)
Title
The Cisco ASA must be configured to implement scanning threat detection. (Cat I impact)
Discussion
In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.
Check Content
Review the ASA configuration to determine if scanning threat detection has been enabled:

    threat-detection scanning-threat shun

If the ASA has not been configured to enable scanning threat detection, this is a finding.
Fix Text
Configure scanning threat detection as shown in the example below:

    ASA(config)# threat-detection scanning-threat shun
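An automated form of this check, added here as an example and not part of the STIG or of Cisco's tooling: it scans captured "show running-config" text for the scanning-threat line and reports whether the expected shun form is present. The sample configuration is constructed, and the handling of trailing shun options (except/duration) and of "no" forms is an assumption about ASA syntax, not something the STIG text states.

```python
import re

# Constructed sample of "show running-config" output; not from a real device.
SAMPLE_CONFIG = """\
hostname ASA-EDGE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.255.0
"""

# Matches the scanning-threat line the STIG looks for. Trailing options after
# "shun" (e.g. "except ..." / "duration ...") are assumed ASA syntax, so anything
# following "shun" is accepted as still being the shun form.
SCAN_RE = re.compile(
    r"^\s*(?P<no>no\s+)?threat-detection\s+scanning-threat(?P<shun>\s+shun\b.*)?\s*$"
)


def check_casa_fw_000220(config_text):
    """Return (status, finding) for CASA-FW-000220.

    status: "shun"    - scanning threat detection enabled with shun (expected line present)
            "detect"  - scanning threat detection enabled, but no shun action
            "missing" - scanning threat detection not configured
    finding: True when the STIG's expected line is not in effect.

    Later lines win, so a "no threat-detection scanning-threat ..." after an
    enabling line disables it. Any "no" form is treated conservatively as
    fully disabled (assumption; it errs toward reporting a finding).
    """
    status = "missing"
    for line in config_text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue
        if m.group("no"):
            status = "missing"
        elif m.group("shun"):
            status = "shun"
        else:
            status = "detect"
    return status, status != "shun"


if __name__ == "__main__":
    status, finding = check_casa_fw_000220(SAMPLE_CONFIG)
    print("CASA-FW-000220:", status, "-> FINDING" if finding else "-> compliant")
```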
Additional Identifiers
Rule ID: SV-239864r665878_rule
Vulnerability ID: V-239864
Group Title: SRG-NET-000362-FW-000028
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial Of Service Protection |