Trend Micro TippingPoint IDPS Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2022-06-28

Updated At: 2022-08-25 11:40:25



Requirements (descriptions are truncated as on the source page)

Vuln | Rule Version | CCI | Severity | Title | Description
SV-242167r839140_rule | TIPP-IP-000010 | CCI-002346 | MEDIUM | To protect against unauthorized data mining, the TPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. In
SV-242168r839141_rule | TIPP-IP-000020 | CCI-002346 | MEDIUM | To protect against unauthorized data mining, the TPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.
SV-242169r839142_rule | TIPP-IP-000030 | CCI-002346 | MEDIUM | To protect against unauthorized data mining, the TPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. SQ
SV-242170r839143_rule | TIPP-IP-000040 | CCI-002347 | MEDIUM | To protect against unauthorized data mining, the TPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. In
SV-242171r839144_rule | TIPP-IP-000050 | CCI-002347 | MEDIUM | To protect against unauthorized data mining, the TPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.
SV-242172r839145_rule | TIPP-IP-000060 | CCI-002347 | MEDIUM | To protect against unauthorized data mining, the TPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. SQ
SV-242173r840498_rule | TIPP-IP-000070 | CCI-001368 | HIGH | The Trend Micro TippingPoint Security Management System (SMS) must be configured to send security IPS policy to the Trend Micro Threat Protection System (TPS). | The flow of all communications traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restricting the flow of communications traffic, also known as Information flow control, regulate
SV-242175r710068_rule | TIPP-IP-000090 | CCI-001414 | MEDIUM | The Trend Micro TPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions which are all contained in the Digital Vaccine (DV) updates. | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in
SV-242176r710071_rule | TIPP-IP-000100 | CCI-000169 | MEDIUM | The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. While auditing and logging are closely related, they are not the s
SV-242177r710074_rule | TIPP-IP-000110 | CCI-000169 | MEDIUM | The TPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis. | To support the centralized analysis capability, the IDPS components must be able to provide the information in a format (e.g., Syslog) that can be extracted and used, allowing the application to effectively review and analyze the log records.
SV-242178r710348_rule | TIPP-IP-000120 | CCI-000130 | MEDIUM | The SMS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description by sending all audit and system logs to a centralized syslog server. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Associating an event type with each event log entry provides a means of investigating an attack
SV-242179r710080_rule | TIPP-IP-000130 | CCI-000131 | MEDIUM | The SMS must produce audit records containing information to establish when (date and time) the events occurred by sending all audit and system logs to a centralized syslog server. | Without establishing the time (date/time) an event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Associating the date and time the event occurred with each event log entry provides a
SV-242180r710347_rule | TIPP-IP-000140 | CCI-000132 | MEDIUM | The SMS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and TPS component which detected the event by sending all audit and system logs to a centralized syslog server. | Associating where the event was detected with the event log entries provides a means of investigating an attack or identifying an improperly configured IDPS. This information can be used to determine what systems may have been affected. While auditing an
SV-242181r710086_rule | TIPP-IP-000150 | CCI-000133 | MEDIUM | The SMS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address by sending all audit and system logs to a centralized syslog server. | Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack. While auditing and logging are closely related, they are not the same. Logging is recording data about events that take
SV-242182r710346_rule | TIPP-IP-000160 | CCI-000134 | MEDIUM | The SMS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic by sending all audit and system logs to a centralized syslog server. | Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack. While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a
SV-242183r710092_rule | TIPP-IP-000170 | CCI-001844 | MEDIUM | TPS must support centralized management and configuration of the content captured in audit records generated by all TPS components by using the Security Management System (SMS). | Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an attack. Centralized manage
SV-242184r710095_rule | TIPP-IP-000180 | CCI-001851 | MEDIUM | The TPS and SMS must off-load log records to a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case
SV-242185r710345_rule | TIPP-IP-000190 | CCI-000140 | MEDIUM | In the event of a logging failure, caused by loss of communications with the central logging server, the SMS must queue audit records locally by using the syslog over TCP protocol until communication is restored or until the audit records are retrieved manually or using automated synchronization tools. | It is critical that when the TPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage
SV-242186r710101_rule | TIPP-IP-000200 | CCI-000140 | MEDIUM | In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance. | It is critical that when the TPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. The IDPS performs a critical security function, so its continued operation is imperative. Since availability of the TPS is
SV-242187r710104_rule | TIPP-IP-000210 | CCI-000154 | MEDIUM | The SMS and TPS must provide log information in a format that can be extracted and used by centralized analysis tools. | Centralized review and analysis of log records from multiple SMS and TPS components gives the organization the capability to better detect distributed attacks and provides increased data points for behavior analysis techniques. These techniques are invalu
SV-242188r710107_rule | TIPP-IP-000230 | CCI-000381 | MEDIUM | The SMS must be configured to remove or disable non-essential capabilities on SMS and TPS which are not required for operation or not related to IDPS functionality (e.g., web server, SSH, telnet, and TAXII). | An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and applications increase the attack surface (sum of attack vectors) of a system. These unnecessary capabilit
SV-242189r839149_rule | TIPP-IP-000240 | CCI-001166 | MEDIUM | The TPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScri
SV-242190r839150_rule | TIPP-IP-000250 | CCI-001662 | MEDIUM | The TPS must block any prohibited mobile code at the enclave boundary when it is detected. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScri
SV-242191r710116_rule | TIPP-IP-000260 | CCI-001190 | MEDIUM | The TPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation (also known as "Fail closed"). | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Preserving information system state information also facilitates system restart and return to the operation
SV-242192r840191_rule | TIPP-IP-000270 | CCI-002385 | MEDIUM | The TPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures. | If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of TPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attack
SV-242193r710122_rule | TIPP-IP-000280 | CCI-001095 | MEDIUM | The TPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic. | The TPS must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. Installation of TPS detection a
SV-242194r840196_rule | TIPP-IP-000290 | CCI-001312 | MEDIUM | The TPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. | Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology
SV-242195r840193_rule | TIPP-IP-000300 | CCI-001312 | MEDIUM | The TPS must block malicious ICMP packets by properly configuring ICMP signatures and rules. | Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information, network topology, an
SV-242196r710131_rule | TIPP-IP-000320 | CCI-001247 | MEDIUM | The TPS must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules. | Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. A
SV-242197r754437_rule | TIPP-IP-000330 | CCI-001240 | HIGH | The SMS must install updates on the TPS for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures. | Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. The TPS is a
SV-242198r839154_rule | TIPP-IP-000350 | CCI-001243 | MEDIUM | The TPS must block malicious code. | Configuring the TPS to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network.
SV-242199r754438_rule | TIPP-IP-000360 | CCI-001242 | HIGH | The TPS must generate a log record so an alert can be configured to, at a minimum, the system administrator when malicious code is detected. | Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded. The TPS generates an immediate (within seconds) a
SV-242200r710143_rule | TIPP-IP-000370 | CCI-002656 | MEDIUM | SMS and TPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability. | An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on access patterns and characteristics of access. Integration is more than centralized logging and a centralize
SV-242201r839155_rule | TIPP-IP-000380 | CCI-002683 | MEDIUM | The TPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum, through use of a site-approved TPS device profile. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Examples of network services include service-oriented architectures (SOAs), cloud
SV-242202r839156_rule | TIPP-IP-000400 | CCI-002684 | MEDIUM | The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Automated mechanisms can be used to send automatic alerts or notifications. Such a
SV-242203r839157_rule | TIPP-IP-000410 | CCI-002661 | MEDIUM | The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions. | If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against. Although some of the components in the site's content s
SV-242204r839158_rule | TIPP-IP-000420 | CCI-002662 | MEDIUM | The TPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions. | If outbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against. Although some of the components in the site's content
SV-242205r710158_rule | TIPP-IP-000430 | CCI-002664 | MEDIUM | The TPS must send an alert to, at a minimum, the ISSM and ISSO when intrusion detection events are detected which indicate a compromise or potential for compromise. | Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the loss or compromise of information. In accordance with CCI-001242, the TPS is a real-time intrusion detecti
SV-242206r710161_rule | TIPP-IP-000440 | CCI-002664 | MEDIUM | The site must register with the Trend Micro TippingPoint Threat Management Center (TMC) in order to receive alerts on threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise. | Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded. Alerts may be transmitted, for example, telephoni