CCI-004866

The ALG must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

The Arista MLS layer 2 switch must be configured for Storm Control to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.

The Cisco ASA must be configured to block outbound traffic containing denial-of-service (DoS) attacks by ensuring an intrusion prevention policy has been applied to outbound communications traffic.

The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.

The Cisco switch must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

The Cisco switch must manage excess bandwidth to limit the effects of packet-flooding types of denial-of-service (DoS) attacks.

The Cisco router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

The firewall must be configured to employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.

The IDPS must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.

The ICS must be configured to limit the number of concurrent sessions for user accounts to one.

The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.

The Juniper router must be configured to restrict traffic destined to itself.

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.

The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.

The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

The Juniper perimeter router must be configured to block all packets with any IP options.

The Juniper PE router must be configured to ignore or block all packets with any IP options.

The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

The Juniper router must be configured to have IP directed broadcast disabled on all interfaces.

The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.

The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by implementing statistics-based screens.

The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of denial-of-service (DoS) attacks on the network.

The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens.

The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.

The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.

The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.

The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection.

The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.

The layer 2 switch must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.

The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.

The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints.

The Palo Alto Networks security platform must block phone home traffic.

The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.

The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).

The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.

The router must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

The SDN controller must be configured to employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.

The TPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures.

The TPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.

The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.