05-21-2013 12:39 PM - edited 03-10-2019 05:58 AM
I have a 4270-20 (7.1(7)E4) monitoring a network that is required to use the DISA STIGs for certain security settings. There is a requirement (STIG ID NET0965) that requires the following:
The network device must be configured with a maximum wait time of 10 seconds or less to allow a host to establish a TCP connection.
Configure the maximum wait time for TCP connections to be established with the device to 10 seconds or less.
This is possible on a router or switch, but can this be configured on the IPS?
06-04-2013 04:47 PM
I don't have an answer for you, but would like to share your pain. I wish DISA would spend the time to document this stuff on the most common platforms for the benefit of the people that are having to implement. Would save a lot of people a lot of time from having to scour the Internet looking for this information.
06-07-2013 01:23 PM
Perhaps more to the point, when will Cisco submit their IDS/IPS products for JITC testing for inclusion on the DOD UC APL?
01-06-2015 09:18 AM
From Cisco support:
IPS Signature 3050 - Half-open SYN Attack
http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3050&signatureSubId=0&softwareVersion=6.0&releaseVersion=S774
IPS Signature 1302 - TCP Session Embryonic Timeout
http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1302&signatureSubId=0&softwareVersion=6.0&releaseVersion=S212
From the STIG writer:
NET0965 allows the use of filtering thresholds or timeout periods to drop half-open TCP connections. Using a TCP half-open SYN signature to trigger rate-limiting or blocking meets the first of the two options.
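The two options the STIG writer describes (a half-open SYN threshold, or an embryonic timeout that drops connections whose handshake never completes) replayed over a constructed stream of handshake events, as an added example that is not from this thread or from Cisco. The 10 s timeout is the NET0965 value; the per-source threshold of 3 and the sample events are assumed for illustration.

```python
from collections import defaultdict

EMBRYONIC_TIMEOUT = 10.0   # seconds: the NET0965 maximum wait (option 2, timeout)
HALF_OPEN_THRESHOLD = 3    # half-open SYNs per source (option 1, threshold); assumed value

# Constructed sample stream: (time_s, flag, client, server).
# "SYN" opens a half-open connection; "ACK" from the same client completes it.
SAMPLE_EVENTS = [
    (0.0, "SYN", "10.0.0.5", "10.0.0.1"),
    (0.1, "ACK", "10.0.0.5", "10.0.0.1"),    # completes after 0.1 s
    (1.0, "SYN", "10.0.0.7", "10.0.0.1"),    # client never answers in time
    (2.0, "SYN", "192.0.2.9", "10.0.0.1"),
    (2.1, "SYN", "192.0.2.9", "10.0.0.2"),
    (2.2, "SYN", "192.0.2.9", "10.0.0.3"),   # third concurrent half-open from one source
    (12.0, "ACK", "10.0.0.7", "10.0.0.1"),   # arrives 11 s after its SYN: too late
]


def track_half_open(events, timeout=EMBRYONIC_TIMEOUT, threshold=HALF_OPEN_THRESHOLD):
    """Replay handshake events and apply both NET0965 options.

    Returns (timed_out, flagged_sources, still_pending): the (client, server)
    pairs dropped by the embryonic timeout, the clients whose concurrent
    half-open count reached the threshold, and how many half-open
    connections remain at the end of the stream.
    """
    pending = {}                   # (client, server) -> time of the SYN
    per_source = defaultdict(int)  # client -> current half-open count
    timed_out, flagged = [], set()

    def expire(now):
        # Drop every half-open connection older than the timeout (strictly >).
        for key, t_syn in list(pending.items()):
            if now - t_syn > timeout:
                timed_out.append(key)
                per_source[key[0]] -= 1
                del pending[key]

    for now, flag, client, server in sorted(events):
        expire(now)                # age out before handling the new event
        key = (client, server)
        if flag == "SYN" and key not in pending:   # retransmitted SYNs are ignored
            pending[key] = now
            per_source[client] += 1
            if per_source[client] >= threshold:
                flagged.add(client)
        elif flag == "ACK" and key in pending:     # a late ACK no longer matches
            del pending[key]
            per_source[client] -= 1
    return timed_out, sorted(flagged), len(pending)
```

Note that a SYN exactly 10 s old is kept (the check is strictly greater), so the three 192.0.2.9 connections are still pending at t=12.0 while the 10.0.0.7 one has already been dropped and its late ACK is discarded.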
10-29-2014 06:43 AM
Still nothing from Cisco, issue still applicable on 4200 series appliances running 7.1(9)E4. Any ideas?