The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by implementing statistics-based screens.

From Juniper SRX SG ALG Security Technical Implementation Guide

Part of SRG-NET-000362-ALG-000112

Associated with: CCI-002385

SV-80813r1_rule The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by implementing statistics-based screens.

Vulnerability discussion

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Juniper SRX Firewall DoS protections can be configured either within Screen or within the global flow options. Screens, also known as IDS-options, block various layer 3 and 4 attacks. Screen objects are configured with various screen-specific options and then assigned to a zone. The Juniper SRX can be configured with Screens to protect against the following statistics-based DoS attacks: IP sweeps, port scans, and flood attacks.

Check content

Run the following command to see the screen options currently configured: [edit] show security screen ids-option show security zone match "screen" If security screens are not configured or if the security zone is not configured with screen options, this is a finding.

Fix text

The following example commands configure security screens under a profile named untrust-screen. Screen options, especially those with configurable thresholds, must be customized for your specific deployment. [edit] set security screen ids-option Based on 800-53 requirements and vendor recommendations, the following DoS screens are required, at a minimum, for use in DoD configurations. set security screen ids-option untrust-screen icmp ip-sweep threshold 1000 set security screen ids-option untrust-screen tcp port-scan threshold 1000 set security screen ids-option untrust-screen tcp sin-flood alarm-threshold 1000 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1100 set security screen ids-option untrust-screen tcp syn-flood source-threshold 100 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 set security screen ids-option untrust-screen tcp syn-flood timeout 20 set security screen ids-option untrust-screen tcp tcp-sweep threshold 1000 set security screen ids-option untrust-screen udp flood threshold 5000 set security screen ids-option untrust-screen udp udp-sweep threshold 1000 To enable screen protection, the screen profile must be associated with individual security zones using the following command. Recommend assigning "untrust-screen" profile name to the default zone named "untrust". [edit] set security zone security-zone screen Example: set security zones security-zone untrust screen untrust-screen

Pro Tips

Powered by sagemincer