topic DISA STIG NET0965 in Network Security

DISA STIG NET0965

joedansereau — Sun, 10 Mar 2019 12:58:04 GMT

I have a 4270-20 (7.1(7)E4) monitoring a network that is required to use the DISA STIGs for certain security settings. there is a requirement (STIG ID NET0965) that requires the following:

The network device must be configured with a maximum wait time of 10 seconds or less to allow a host to establish a TCP connection.

Configure the maximum wait time for TCP connections to be established with the device to 10 seconds or less.

this is possible on a router or switch but can this be configured on the IPS?

DISA STIG NET0965

efairbanks — Tue, 04 Jun 2013 23:47:46 GMT

I don't have an answer for you, but would like to share your pain. I wish DISA would spend the time to document this stuff on the most common platforms for the benefit of the people that are having to implement. Would save a lot of people a lot of time from having to scour the Internet looking for this information.

DISA STIG NET0965

mark.barrett — Fri, 07 Jun 2013 20:23:12 GMT

Perhaps more to the point, when will Cisco submit their IDS/IPS products for JITC testing for inclusion on the DOD UC APL?

Still nothing from Cisco,

joedansereau — Wed, 29 Oct 2014 13:43:09 GMT

Still nothing from Cisco, issue still applicable on 4200 series appliances running 7.1(9)E4. Any ideas?

from Cisco support:

joedansereau — Tue, 06 Jan 2015 17:18:31 GMT

from Cisco support:

IPS Signatures

Half-open SYN Attack

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3050&signatureSubId=0&softwareVersion=6.0&releaseVersion=S774

IPS Signatures

TCP Session Embryonic Timeout

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1302&signatureSubId=0&softwareVersion=6.0&releaseVersion=S212

from STIG writer:

NET0965 allows the use of filtering thresholds or timeout periods to drop half-open TCP connections. Using a TCP half-open SYN signature to trigger rate-limiting or blocking meets the first of the two options.