Check: CASA-FW-000150
Cisco ASA Firewall STIG:
CASA-FW-000150
(in versions v1 r2 through v1 r0.1)
Title
The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks. (Cat II impact)
Discussion
A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic. The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.
Check Content
Review the ASA configuration to determine if threat detection has been enabled. threat-detection basic-threat If the ASA has not been configured to enable threat detection to mitigate risks of DoS attacks, this is a finding.
Fix Text
Configure threat detection as shown in the example below. ASA(config)# threat-detection basic-threat
Additional Identifiers
Rule ID: SV-239860r665866_rule
Vulnerability ID: V-239860
Group Title: SRG-NET-000193-FW-000030
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001095 |
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. |
Controls
Number | Title |
---|---|
SC-5 (2) |
Excess Capacity / Bandwidth / Redundancy |