CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping and will eventually black-hole production traffic.

The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating 'flood-type' DoS attacks through increased capacity.

Solution

Configure threat detection as shown in the example below.

ASA(config)# threat-detection basic-threat

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y23M01_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001095, Rule-ID|SV-239860r863229_rule, STIG-ID|CASA-FW-000150, Vuln-ID|V-239860

Plugin: Cisco

Control ID: b732e80803deef5f9c692c6c72144684f617f3bbcc01cb85ae509b83549719f8