An error occurred:

Check: TIPP-IP-000270

Trend Micro TippingPoint IDPS STIG: TIPP-IP-000270 (in versions v2 r2 through v1 r2)

Title

The TPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures. (Cat II impact)

Discussion

If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of TPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Check Content

1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Under "Filter criteria", select the Filter Category "Traffic Normalization, Exploits, and Vulnerabilities", select the "Filter Name" section and type "ddos". If the following filter names produced in the search list are not set to Block+Notify, this is a finding. Note: If the site has set up a security profile (i.e., not using the default profile), then this should be inspected using the site's SSP for compliance.

Fix Text

1. In the Trend Micro SMS, navigate to "Profiles" and "Inspection Profiles" and select the organization's profile. 2. If there is not one configured, select "Default". 3. Click "Search". 4. Select the Filter Category "Traffic Normalization, Exploits, and Vulnerabilities". Select the "Filter Name" section and type "ddos". 5. Set all the items in the search to Block+Notify. Note: If the site has set up a security profile (i.e., not using the default profile), then this should be inspected using the site's SSP for compliance.

Additional Identifiers

Rule ID: SV-242192r997619_rule

Vulnerability ID: V-242192

Group Title: SRG-NET-000362-IDPS-00198

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002385

Protect against or limit the effects of organization-defined types of denial-of-service events.
CCI-004866

Employ organization-defined controls by type of denial-of-service to achieve the denial-of-service objective.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5

Denial of Service Protection