Ensuring the system protects against denial-of-service attacks
Rule Title: RiOS must protect against or limit the effects of all known types of denial-of-service (DoS) attacks on the network device management network by employing organization-defined security safeguards.
STIG ID: RICX-DM-000143
Rule ID: SV-77481r1_rule
Severity: CAT II
Vuln ID: V-62991
Class: Unclass
DoS is a condition in which a resource is not available to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
This requirement addresses the configuration of network devices to mitigate the impact on device availability of DoS attacks that have occurred or are ongoing. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (for example, limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, might reduce the susceptibility to some DoS attacks.
The security safeguards cannot be defined at the DoD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).
Verifying the system protects against denial-of-service attacks
Verify that RiOS is configured to protect against or limit the effects of all known types of denial-of-service (DoS) attacks on the device management network.
1. Connect to the Management Console.
2. Choose Administration > Security: Management ACL to display the Management ACL page.
3. Verify that the Enable Management ACL check box is selected.
4. Verify that there is a rule that limits management access to authorized devices and that its interface is set to something other than an in-path interface.
If Management ACLs are not defined to limit access to identified or known devices and/or a management interface is not defined that is different from the in-path interface and/or Enable Management ACL is not checked, this is a security vulnerability finding.
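The finding conditions above, expressed as an added Python example (not Riverbed or STIG tooling). It assumes the Management ACL settings were transcribed by hand into a dictionary; the field names, the authorized-network list, and the "inpath" interface-name prefix are assumptions of this example.

```python
import ipaddress

# Constructed sample: values copied by hand from the Management ACL page.
# The dictionary layout and field names are assumptions for this example.
SAMPLE_COMPLIANT = {
    "enabled": True,
    "rules": [
        {"action": "allow", "service": "HTTPS",
         "source": "1.2.3.0/24", "interface": "primary"},
    ],
}

# Constructed sample that trips every finding condition.
SAMPLE_FINDING = {
    "enabled": False,
    "rules": [
        {"action": "allow", "service": "HTTPS",
         "source": "0.0.0.0/0", "interface": "inpath0_0"},
    ],
}


def is_inpath(interface):
    # Assumption: in-path interfaces carry names that start with "inpath".
    return interface.lower().startswith("inpath")


def audit_management_acl(cfg, authorized_networks):
    """Return a list of findings; an empty list means no finding."""
    findings = []
    if not cfg.get("enabled"):
        findings.append("Enable Management ACL is not checked")
    allowed = [ipaddress.ip_network(n) for n in authorized_networks]
    allow_rules = [r for r in cfg.get("rules", [])
                   if r["action"].lower() == "allow"]
    if not allow_rules:
        findings.append("no rule limits management access to known devices")
    for r in allow_rules:
        src = ipaddress.ip_network(r["source"], strict=False)
        # subnet_of() requires matching IP versions, so compare those first.
        if not any(src.version == a.version and src.subnet_of(a)
                   for a in allowed):
            findings.append(f"source {src} is outside the authorized networks")
        if is_inpath(r["interface"]):
            findings.append(f"rule for {src} uses in-path interface "
                            f"{r['interface']}")
    return findings
```
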
Configuring the system to protect against denial-of-service attacks
Configure RiOS to protect against or limit the effects of all known types of denial-of-service (DoS) attacks on the network device management network.
1. Connect to the Management Console.
2. Choose Administration > Security: Management ACL to display the Management ACL page.
3. Click Add a New Rule to expand the page.
4. Select the Enable Management ACL check box.
5. Add rules so that the list contains unnecessary and/or nonsecure functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments:
Management ACL rule settings
Action: Specifies the Allow rule type from the drop-down list.
Service: Specifies HTTPS.
Source Network: Specifies the management device network, for example, 1.2.3.0/24.
Interface: Selects an interface used for network management from the drop-down list.
Description: Sets a description to enable ease of management.