STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide Version: 9 Release: 10 Benchmark Date: 24 Jan 2020:

An Intrusion Detection and Prevention System (IDPS) must be deployed to monitor all unencrypted traffic entering and leaving the enclave.

DISA Rule

SV-8758r3_rule

Vulnerability Number

V-8272

Group Title

IDPS is not monitoring unencrypted traffic behind the firewall.

Rule Version

NET-IDPS-021

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Install an IDPS, inline or passively, behind the enclave firewall to monitor all unencrypted traffic, inbound and outbound.

Check Contents

Review the network topology to ensure the enclave has the IDPS positioned to monitor all traffic to and from the enclave. Review any type of report that was recently produced from information provided by the sensor showing any recent alerts, any escalation activity, and any type of log or configuration changes. This will show that the sensor is being actively monitored and that alerts are being acted upon. If the enclave’s CNDSP requires continuous monitoring of the IDPS, the CNDSP’s management team (e.g. the sensor grid management team at DISA) will verify the operational status by providing information about the enclave’s IDPS such as a network diagram, MOA, current alert information, or other information to validate its operational status.

If there is no IDPS positioned and enabled to monitor all ingress and egress traffic, this is a finding.

Exception: If the perimeter security for the enclave or B/C/P/S is provisioned via the JRSS, then this requirement is not applicable.

Vulnerability Number

V-8272

Documentable

False

Rule Version

NET-IDPS-021

Severity Override Guidance

Review the network topology to ensure the enclave has the IDPS positioned to monitor all traffic to and from the enclave. Review any type of report that was recently produced from information provided by the sensor showing any recent alerts, any escalation activity, and any type of log or configuration changes. This will show that the sensor is being actively monitored and that alerts are being acted upon. If the enclave’s CNDSP requires continuous monitoring of the IDPS, the CNDSP’s management team (e.g. the sensor grid management team at DISA) will verify the operational status by providing information about the enclave’s IDPS such as a network diagram, MOA, current alert information, or other information to validate its operational status.

If there is no IDPS positioned and enabled to monitor all ingress and egress traffic, this is a finding.

Exception: If the perimeter security for the enclave or B/C/P/S is provisioned via the JRSS, then this requirement is not applicable.

Check Content Reference

M

Target Key

838

Comments