I have a 4270-20 (7.1(7)E4) monitoring a network that is required to use the DISA STIGs for certain security settings. There is a requirement (STIG ID NET0965) that requires the following:
The network device must be configured with a maximum wait time of 10 seconds or less to allow a host to establish a TCP connection.
Configure the maximum wait time for TCP connections to be established with the device to 10 seconds or less.
This is possible on a router or switch, but can this be configured on the IPS?
I don't have an answer for you, but would like to share your pain. I wish DISA would spend the time to document this stuff on the most common platforms for the benefit of the people that are having to implement. Would save a lot of people a lot of time from having to scour the Internet looking for this information.
From Cisco support:
Half-open SYN Attack
TCP Session Embryonic Timeout
From the STIG writer:
NET0965 allows the use of filtering thresholds or timeout periods to drop half-open TCP connections. Using a TCP half-open SYN signature to trigger rate-limiting or blocking meets the first of the two options.
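Added example, not from the original thread, Cisco, or DISA: a Python sketch of the embryonic-timeout check NET0965 describes (drop TCP connections that stay half-open longer than 10 seconds), run over constructed handshake events. The TcpEvent record format, the sample addresses and the `max_wait` default are assumptions for illustration.

```python
"""Track TCP half-open (embryonic) connections from a constructed event log and
report those that stay unestablished longer than a configurable wait time,
mirroring the 10-second limit NET0965 asks for."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    ts: float      # seconds since capture start
    client: str    # "ip:port" of the initiator
    server: str    # "ip:port" of the listener
    flag: str      # "SYN", "SYN-ACK", "ACK" (handshake completion) or "RST"


# Constructed sample events, not taken from any real capture.
SAMPLE_EVENTS = [
    TcpEvent(0.0, "10.0.0.5:40001", "10.0.0.9:443", "SYN"),
    TcpEvent(0.1, "10.0.0.5:40001", "10.0.0.9:443", "SYN-ACK"),
    TcpEvent(0.2, "10.0.0.5:40001", "10.0.0.9:443", "ACK"),      # established in 0.2 s
    TcpEvent(1.0, "10.0.0.7:50000", "10.0.0.9:443", "SYN"),
    TcpEvent(1.1, "10.0.0.7:50000", "10.0.0.9:443", "SYN-ACK"),  # final ACK never arrives
    TcpEvent(2.0, "10.0.0.8:50010", "10.0.0.9:443", "SYN"),
    TcpEvent(4.5, "10.0.0.8:50010", "10.0.0.9:443", "RST"),      # torn down after 2.5 s
    TcpEvent(3.0, "10.0.0.6:40500", "10.0.0.9:22", "SYN"),
    TcpEvent(14.0, "10.0.0.6:40500", "10.0.0.9:22", "ACK"),      # established, but after 11 s
]


def embryonic_durations(events, now):
    """Map (client, server) -> (seconds spent half-open, established?) for every
    SYN seen up to 'now'. Connections still open at 'now' count up to 'now'."""
    opened = {}   # key -> timestamp of first SYN
    result = {}
    for ev in sorted((e for e in events if e.ts <= now), key=lambda e: e.ts):
        key = (ev.client, ev.server)
        if ev.flag == "SYN":
            opened.setdefault(key, ev.ts)  # retransmitted SYNs keep the first timestamp
        elif key in opened and ev.flag in ("ACK", "RST"):
            result[key] = (ev.ts - opened.pop(key), ev.flag == "ACK")
    for key, start in opened.items():
        result[key] = (now - start, False)  # still embryonic at 'now'
    return result


def exceeds_wait_time(events, now, max_wait=10.0):
    """Connections that stayed embryonic longer than max_wait seconds. With a
    10 s embryonic timeout enforced, these are the ones the device should drop."""
    durations = embryonic_durations(events, now)
    return sorted(key for key, (dur, _) in durations.items() if dur > max_wait)
```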