Intrusion Detection and Prevention Systems (IDPS) SRG Version Comparison
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Comparison
There are 3 differences between versions v2 r4 (Oct. 26, 2018) (the "left" version) and v2 r6 (July 24, 2020) (the "right" version).
Check SRG-NET-000365-IDPS-00199 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The IDPS must fail securely in the event of an operational failure.
Check Content
Verify the IDPS fails securely in the event of an operational failure. If the IDPS does not fail securely in the event of an operational failure, this is a finding.
Discussion
Since the IDPS is a boundary protection device, if the IDPS fails in an insecure manner the device may permit unauthorized information release. The operational failure may have been the result of a direct attack on the IDPS device, which may be followed by a DoS attack or an unauthorized entry attempt. Without the IDPS to monitor and detect these attacks, the network is at risk. Fail secure is achieved by employing mechanisms to ensure that if the IDPS traffic monitoring and detection functions fail, the device does not continue processing traffic while security policies, filters, and signatures are not being applied. If the IDPS traffic monitoring and detection functions fail for any reason, the IDPS must either stop forwarding traffic altogether or continue to enforce the configured security policies. For this reason, device redundancy, rather than a policy of failing open, is vital to maintaining network availability while protecting DoD networks. Since it is usually not possible to test this capability in a production environment, systems should be validated either in a testing environment or prior to installation. This requirement is usually a function of the design of the IDPS component. Compliance can be verified by acceptance/validation processes or vendor attestation.
Fix
Configure the IDPS to fail securely in the event of an operational failure.