Palo Alto Networks ALG Security Technical Implementation Guide
SRG-NET-000192-ALG-000121
An XCCDF Group - A logical subset of the XCCDF Benchmark
1 Rule
The Palo Alto Networks security platform must protect against the use of internal systems for launching Denial of Service (DoS) attacks against external networks or endpoints.
Medium Severity
<VulnDiscussion>DoS attacks from DOD sources risk the reputation of the organization. Thus, it is important to protect against the DOD system being used to launch an attack on external systems. Though Zone Protections are applied on the ingress interface, at a minimum, DOD requires a zero-trust approach. These attacks may use legitimate internal or rogue endpoints from inside the enclave. These attacks can be simple "floods" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks. It is important to set the Flood Protection parameters that are suitable for the enclave or system. The Administrator should characterize the traffic regularly (perform a traffic baseline) and tune these parameters based on that information.</VulnDiscussion><Documentable>false</Documentable>