STIGQter: STIG Summary: Firewall Security Requirements Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

DISA Rule

SV-206692r604133_rule

Vulnerability Number

V-206692

Group Title

SRG-NET-000192

Rule Version

SRG-NET-000192-FW-000029

Severity

CAT II

CCI(s)

CCI-001094 - The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.

Weight

Fix Recommendation

Associate a properly configured DoS firewall filter (e.g., rules, access control lists [ACLs], screens, or policies) to outbound interfaces and security zones.

Apply a firewall filter to each outbound interface example:

set security zones security-zone untrust interfaces <OUTBOUND-INTERFACE>
set security zones security-zone trust screen untrust-screen

Check Contents

Obtain and review the list of outbound interfaces and zones from site personnel.

Review each of the configured outbound interfaces and zones. Verify zones that communicate outbound have been configured with the DoS firewall filter (i.e., rules, access control lists [ACLs], screens, or policies) such as IP sweeps, TCP sweeps, buffer overflows, unauthorized port scanning, SYN floods, UDP floods, and UDP sweeps.

If all outbound interfaces are not configured to block DoS attacks, this is a finding.

The firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments