Cisco ASA Firewall STIG Version Comparison
Cisco ASA Firewall Security Technical Implementation Guide
Comparison
There are 3 differences between versions v1 r3 (Oct. 26, 2022) (the "left" version) and v2 r1 (July 24, 2024) (the "right" version).
Check CASA-FW-000220 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
The Cisco ASA must be configured to implement scanning threat detection.
Check Content
Left (v1 r3):
NOTE: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled, and this check is Not Applicable.
Review the ASA configuration to determine if scanning threat detection has been enabled.
threat-detection scanning-threat shun
NOTE: The parameter 'shun' is an optional parameter, and not required, in the Cisco documentation, but can offer additional protection by dropping further connections from the threat.
If the ASA has not been configured to enable scanning threat detection, this is a finding.

Right (v2 r1):
NOTE: When operating the ASA in multi-context mode with a separate IDPS, threat detection cannot be enabled and this check is Not Applicable.
Review the ASA configuration to determine if scanning threat detection has been enabled.
threat-detection scanning-threat shun
NOTE: The parameter "shun" is an optional parameter and not required, in the Cisco documentation, but is required here to offer additional protection by dropping further connections from the threat.
If the ASA has not been configured to enable scanning threat detection, this is a finding.
Discussion
In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.
Fix
Configure scanning threat detection as shown in the example below.
ASA(config)# threat-detection scanning-threat shun