PANW-AG-000047 - The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints - DoS attacks against other networks or endpoints.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

DoS attacks from DOD sources risk the reputation of the organization. Thus, it is important to protect against the DOD system being used to launch an attack on external systems. Although Zone Protections are applied on the ingress interface, at a minimum, DOD requires a zero-trust approach.

These attacks may use legitimate internal or rogue endpoints from inside the enclave. These attacks can be simple 'floods' of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks.

It is important to set the Flood Protection parameters that are suitable for the enclave or system. The Administrator should characterize the traffic regularly (perform a traffic baseline) and tune these parameters based on that information.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure either a Zone-Based Protection policy or a DoS Protection policy to protect against DoS attacks originating from the enclave.

To configure a DoS Protection policy, perform the following:
Navigate to Objects >> Security Profiles >> DoS Protection.
Select 'Add' to create a new profile.
In the 'DoS Protection Profile' window, complete the required fields.
For the 'Type', select 'Classified'.
In the 'Flood Protection' tab, 'SYN Flood' sub-tab, select the 'SYN Flood' check box and select either 'Random Early Drop' (preferred in this case) or 'SYN Cookie'; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'UDP Flood' sub-tab, select the 'UDP Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'ICMP Flood' sub-tab, select the 'ICMP Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'ICMPv6 Flood' sub-tab, select the 'ICMPv6 Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'Other IP Flood' sub-tab, select the 'Other IP Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Resources Protection' tab, leave the 'Maximum Concurrent Sessions' check box unselected.
Select 'OK'.

Navigate to Policies >> DoS Protection.
Select 'Add' to create a new policy.
In the 'DoS Rule' window, complete the required fields.
In the 'General' tab, complete the 'Name' and 'Description' fields.
In the 'Source' tab, for 'Zone', select the 'Internal' zone, for 'Source Address', select 'Any'.
In the 'Destination' tab, 'Zone', select 'External' zone, for 'Destination Address', select 'Any'.
In the 'Option/Protection' tab:
For 'Service', select 'Any'.
For 'Action', select 'Protect'.
Select the 'Classified' check box.
In the 'Profile' field, select the configured DoS Protection profile for outbound traffic.
In the 'Address' field, select source-ip-only.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

To configure a Zone-Based Protection policy, perform the following:
Navigate to Network >> Network Profiles >> Zone Protection
Select 'Add'.
In the 'Zone Protection Profile' window, complete the required fields.
In the 'General' tab, complete the 'Name' and 'Description' fields.
In the 'Flood Protection' tab, select the 'SYN' check box, in the 'Action' field, select either 'Random Early Drop' (preferred in this case) or 'SYN Cookie'; complete the 'Alert', 'Activate', and 'Maximum' fields.
In the 'Flood Protection' tab, select the 'ICMP' check box; complete the 'Alert', 'Activate', and 'Maximum' fields.
In the 'Flood Protection' tab, select the 'ICMPv6' check box; complete the 'Alert', 'Activate', and 'Maximum' fields.
In the 'Flood Protection' tab, select the 'Other IP' check box; complete the 'Alert', 'Activate', and 'Maximum' fields.
In the 'Flood Protection' tab, select the 'UDP' check box; complete the 'Alert', 'Activate', and 'Maximum' fields.
For each of the 'Alert', 'Activate', and 'Maximum' fields, the appropriate values depend on the expected traffic of the system.
In the 'Reconnaissance Protection' tab, select the 'TCP Port Scan', 'Host Sweep', and 'UDP Port Scan' rows. In the 'Action' field, select 'Block'. The 'Interval' and 'Threshold' values can either remain as the default values or they can be changed based on the specific traffic conditions of the network (preferred).

In the 'Packet Based Attack Protection' tab:
'TCP/IP Drop' sub-tab, select the 'Spoofed IP address', and 'Mismatched overlapping TCP segment' check boxes.
In the 'IP Option Drop' section, select the 'Strict Source Routing', 'Loose Source Routing', 'Timestamp', 'Unknown', and 'Malformed' check boxes.
The 'Record Route', 'Security', and 'Stream ID' check boxes can remain unchecked.
For the 'Reject Non-SYN TCP' field, select 'yes'.
For the 'Asymmetric Path' field, select 'bypass'.

'ICMP Drop' sub-tab, select the 'ICMP Ping ID 0', 'ICMP Fragment', 'ICMP Large Packet(>1024)' check boxes.
The 'Discard ICMP embedded with error message', 'Suppress ICMP TTL Expired Error', and 'Suppress ICMP Frag Needed' boxes can remain unchecked.
Since this requirement is specifically to prevent internal systems from launching DoS attacks against other networks or endpoints, select the following from the 'ICMP Drop' sub-tab: 'ICMP Ping ID 0', 'ICMP Fragment', 'ICMP Large Packet(>1024)', 'Suppress ICMP TTL Expired Error', 'Suppress ICMP Frag Needed'.
'IPv6 Drop' sub-tab, select the 'Type 0 Routing Header', 'IPv4 compatible address', 'Anycast source address', 'Needless fragment header', 'MTU in ICMPv6 'Packet Too Big' less than 1280 bytes', 'Hop-by-Hop extension', 'Routing extension', 'Destination extension', 'Invalid IPv6 options in extension header', and 'Non-zero reserved field' check boxes.
'ICMPv6' sub-tab, select the 'ICMPv6 destination unreachable', 'ICMPv6 packet too big', 'ICMPv6 time exceeded', 'ICMPv6 parameter problem', and 'ICMPv6 redirect' check boxes.
Select 'OK'.

Apply the Zone Protection Profile to any zone that includes egress interfaces to external networks:
Navigate to Network >> Zones.
Select the zone to be configured.
In the 'Zone' window, in the 'Zone Protection Profile' window, select the configured Zone Protection Profile.
Select 'OK'.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001094, CCI|CCI-004866, Rule-ID|SV-228842r997588_rule, STIG-ID|PANW-AG-000047, STIG-Legacy|SV-77057, STIG-Legacy|V-62567, Vuln-ID|V-228842

Plugin: Palo_Alto

Control ID: 887391266be85f55adc7173ca1b8c20c3d52e16ab07586099d580e4f60d6b7d1