DISA STIG NET0965

joedansereau · ‎05-21-2013

I have a 4270-20 (7.1(7)E4) monitoring a network that is required to use the DISA STIGs for certain security settings. there is a requirement (STIG ID NET0965) that requires the following:

The network device must be configured with a maximum wait time of 10 seconds or less to allow a host to establish a TCP connection.

Configure the maximum wait time for TCP connections to be established with the device to 10 seconds or less.

this is possible on a router or switch but can this be configured on the IPS?

efairbanks · ‎06-04-2013

I don't have an answer for you, but would like to share your pain. I wish DISA would spend the time to document this stuff on the most common platforms for the benefit of the people that are having to implement. Would save a lot of people a lot of time from having to scour the Internet looking for this information.

mark.barrett · ‎06-07-2013

Perhaps more to the point, when will Cisco submit their IDS/IPS products for JITC testing for inclusion on the DOD UC APL?

joedansereau · ‎01-06-2015

from Cisco support:

IPS Signatures

Half-open SYN Attack

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3050&signatureSubId=0&softwareVersion=6.0&releaseVersion=S774

IPS Signatures

TCP Session Embryonic Timeout

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1302&signatureSubId=0&softwareVersion=6.0&releaseVersion=S212

from STIG writer:

NET0965 allows the use of filtering thresholds or timeout periods to drop half-open TCP connections. Using a TCP half-open SYN signature to trigger rate-limiting or blocking meets the first of the two options.

joedansereau · ‎10-29-2014

Still nothing from Cisco, issue still applicable on 4200 series appliances running 7.1(9)E4. Any ideas?