DBN-6300 IDPS Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2017-09-15

Updated At: 2018-09-23 19:12:46

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-79467r1_rule DBNW-IP-000032 CCI-002346 MEDIUM To help detect unauthorized data mining, the DBN-6300 must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. SQ
    SV-79489r1_rule DBNW-IP-000009 CCI-000140 MEDIUM In the event of a logging failure, caused by loss of communications with the central logging server, the DBN-6300 must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools. It is critical that when the IDPS is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage
    SV-79491r1_rule DBNW-IP-000010 CCI-000140 MEDIUM In the event of a logging failure caused by the lack of log record storage capacity, the DBN-6300 must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner. It is critical that when the IDPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. The DBN-6300 performs a critical security function, so its continued operation is imperative. Since availability of the
    SV-79493r1_rule DBNW-IP-000012 CCI-000169 MEDIUM The DBN-6300 must generate log events for detection events based on anomaly analysis. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. While auditing and logging are closely related, they are not the
    SV-79495r1_rule DBNW-IP-000024 CCI-001240 MEDIUM The DBN-6300 must install system updates when new releases are available in accordance with organizational configuration management policy and procedures. Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. The IDPS is
    SV-79497r1_rule DBNW-IP-000034 CCI-002346 MEDIUM To protect against unauthorized data mining, the DBN-6300 must monitor for and detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. Th
    SV-79499r1_rule DBNW-IP-000035 CCI-002347 MEDIUM To protect against unauthorized data mining, the DBN-6300 must detect SQL code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. In
    SV-79501r1_rule DBNW-IP-000036 CCI-002347 MEDIUM To protect against unauthorized data mining, the DBN-6300 must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code/input fields. Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.
    SV-79503r1_rule DBNW-IP-000037 CCI-002347 MEDIUM To protect against unauthorized data mining, the DBN-6300 must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.
    SV-79505r1_rule DBNW-IP-000038 CCI-001844 MEDIUM The DBN-6300 must support centralized management and configuration of the content captured in audit records generated by all DBN-6300 components. Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an attack. Centralized manage
    SV-79507r1_rule DBNW-IP-000039 CCI-001851 MEDIUM The DBN-6300 must off-load log records to a centralized log server. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case
    SV-79509r1_rule DBNW-IP-000046 CCI-002656 MEDIUM The DBN-6300 must integrate with a network-wide monitoring capability. An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on access patterns and characteristics of access. Integration is more than centralized logging and a centrali
    SV-79511r1_rule DBNW-IP-000050 CCI-002661 MEDIUM The DBN-6300 must continuously monitor inbound communications traffic between the application tier and the database tier for unusual/unauthorized activities or conditions at the SQL level. If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against. Although some of the components in the site's content
    SV-79513r1_rule DBNW-IP-000059 CCI-001851 MEDIUM The DBN-6300 must off-load log records to a centralized log server in real time. Off-loading ensures audit information is not overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised. Off-loading is a common process in information syste
    SV-79515r1_rule DBNW-IP-000060 CCI-000366 MEDIUM When implemented for protection of the database tier, the DBN-6300 must be logically connected for maximum database traffic visibility. Configuring the IDPS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture
    SV-79549r1_rule DBNW-IP-000061 CCI-000366 MEDIUM When implemented for discovery protection against unidentified or rogue databases, the DBN-6300 must provide a catalog of all visible databases and database services. If the DBN-6300 is installed incorrectly in the site's network architecture, vulnerable or unknown databases may not be detected and consequently may remain vulnerable and unprotected. For proper functionality of the DBN-6300, it is necessary to examin