Check: SRG-NET-000248-IDPS-00206
Intrusion Detection and Prevention Systems SRG (in versions v3 r2 through v2 r2)
Title
The IDPS must perform real-time monitoring of files from external sources at network entry/exit points. (Cat II impact)
Discussion
Real-time monitoring of files from external sources at network entry/exit points helps to detect covert malicious code before it is downloaded to or executed by internal and external endpoints. Using malicious code, such as viruses, worms, Trojan horses, and spyware, an attacker may gain access to sensitive data and systems. IDPSs innately meet this requirement for real-time scanning for malicious code when properly configured to meet the requirements of this SRG. However, most products perform communications traffic inspection at the packet level.
Check Content
Verify the IDPS performs real-time monitoring of files from external sources at network entry/exit points. If the IDPS does not perform real-time monitoring of files from external sources at network entry/exit points, this is a finding.
Fix Text
Configure the IDPS to perform real-time monitoring of files from external sources at network entry/exit points.
Additional Identifiers
Rule ID: SV-206888r982259_rule
Vulnerability ID: V-206888
Group Title: SRG-NET-000248
CCIs
| Number | Definition |
|---|---|
| CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
| CCI-002624 | Configure malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints and/or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |