The firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

From Firewall Security Requirements Guide Requirements

Part of SRG-NET-000192-FW-000029

Associated with: CCI-001094

SRG-NET-000192-FW-000029_rule The firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

Vulnerability discussion

DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.Installation of a firewall at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.The firewall must include protection against DoS attacks that originate from inside the enclave that can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. These attacks can be simple "floods" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks.To comply with this requirement, the ALG must monitor outbound traffic for indications of known and unknown DoS attacks. Audit log capacity management, along with techniques that prevent the logging of redundant information during an attack, also guards against DoS attacks.

Check content

Obtain and review the list of outbound interfaces and zones from site personnel. Review each of the configured outbound interfaces and zones. Verify zones that communicate outbound have been configured with the DoS Access Control Lists (ACLs) defined in CCI-002385. If all outbound interfaces are not configured to block known and unknown DoS attacks, this is a finding.

Fix text

Associate a properly configured DoS ACL filter group (CCI-002385) to outbound interfaces and security zones. Apply a screen to each outbound interface example: set security zones security-zone untrust interfaces set security zones security-zone trust screen untrust-screen

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer