The Juniper SRX Services Gateway Firewall must protect against known types of denial-of-service (DoS) attacks by implementing signature-based screens.
An XCCDF Rule
Description
<VulnDiscussion>If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks. Juniper SRX Firewall DoS protections can be configured by either using a Screen or within the global flow options. Screens, also known as IDS-options, block various layer 3 and 4 attacks. Screen objects are configured with various screen-specific options and then assigned to a zone. The Juniper SRX can be configured with Screens to protect against the following signature-based DoS attacks: ICMP based attacks such as ping of death, IP based attacks such as IP spoofing and teardrop, and TCP based attacks such as TCP headers and land.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-214531r997548_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
The following example commands configure security screens under a profile named untrust-screen. Screen options with configurable thresholds may be customized to minimize/prevent operational impact on traffic performance.
[edit]
set security screen ids-option <zone-name> <screen name> <option name> <value>
Based on 800-53 requirements and vendor recommendations, the following signature-based screens are required, at a minimum, for use in DOD configurations.