View STIG - F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V2R3

b

The BIG-IP Core implementation must be configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.

AC-3 - Medium - CCI-000213 - V-215738 - SV-215738r557356_rule

RMF Control

AC-3

Severity

Medium

CCI

CCI-000213

Version

F5BI-LT-000003

Vuln IDs

V-215738
V-60257

Rule IDs

SV-215738r557356_rule
SV-74687

Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary and access control mechanisms are required.

Checks: C-16930r291027_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to enforce approved authorizations for logical access to information and system resources employing identity-based, role-based, and/or attribute-based security policies. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an access policy to enforce approved authorizations for logical access to information. If the BIG-IP Core is not configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies, this is a finding.

Fix: F-16928r291028_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.

b

The BIG-IP Core implementation must be configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

AC-4 - Medium - CCI-001368 - V-215739 - SV-215739r557356_rule

RMF Control

AC-4

Severity

Medium

CCI

CCI-001368

Version

F5BI-LT-000005

Vuln IDs

V-215739
V-60259

Rule IDs

SV-215739r557356_rule
SV-74689

Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems. Examples of information flow control restrictions include keeping export-controlled information from being transmitted in the clear to the Internet or blocking information marked as classified but being transported to an unapproved destination. ALGs enforce approved authorizations by employing security policy and/or rules that restrict information system services, provide packet-filtering capability based on header or protocol information, and/or message filtering capability based on data content (e.g., implementing key word searches or using document characteristics).

Checks: C-16931r291030_chk

If the BIG-IP Core does not perform packet-filtering intermediary services for virtual servers, this is not applicable. When packet-filtering intermediary services are performed, verify the BIG-IP Core is configured as follows: Verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an AFM policy to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Network Firewall" Enforcement is set to "Policy Rules..." and "Policy" is set to use an AFM policy to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. If the BIG-IP Core is not configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.

Fix: F-16929r291031_fix

If user packet-filtering intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP Advanced Firewall Manager (AFM) module to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of source, destination, headers, and/or content of the communications traffic. Apply the AFM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to enforce approved authorizations for controlling the flow of information within the network.

c

The BIG-IP Core implementation must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

AC-4 - High - CCI-001414 - V-215740 - SV-215740r557356_rule

RMF Control

AC-4

Severity

High

CCI

CCI-001414

Version

F5BI-LT-000007

Vuln IDs

V-215740
V-60261

Rule IDs

SV-215740r557356_rule
SV-74691

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. This requirement applies the Application Layer Gateway (ALG) when used as a gateway or boundary device that allows traffic flow between interconnected networks of differing security policies. The ALG is installed and configured in such a way that it restricts or blocks information flows based on guidance in the Ports, Protocols, and Services Management (PPSM) regarding restrictions for boundary crossing for ports, protocols and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. The ALG must be configured with policy filters (e.g., security policy, rules, and/or signatures) that restrict or block information system services; provide a packet-filtering capability based on header information; and/or perform message filtering based on message content. The policy filters used depend upon the type of application gateway (e.g., web, email, or TLS).

Checks: C-16932r291033_chk

If the BIG-IP Core does not perform packet-filtering intermediary services for virtual servers, this is not applicable. When packet-filtering intermediary services are performed, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module is configured with an AFM policy to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Network Firewall" Enforcement is set to "Policy Rules..." and "Policy" is set to use an AFM policy to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. If the BIG-IP Core is not configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.

Fix: F-16930r291034_fix

If user packet-filtering intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP AFM module to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. Apply the AFM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks.

a

The BIG-IP Core implementation must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to virtual servers.

AC-8 - Low - CCI-000048 - V-215741 - SV-215741r557356_rule

RMF Control

AC-8

Severity

Low

CCI

CCI-000048

Version

F5BI-LT-000023

Vuln IDs

V-215741
V-60263

Rule IDs

SV-215741r557356_rule
SV-74693

Display of a standardized and approved use notification before granting access to the virtual servers ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." This policy only applies to ALGs (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Checks: C-16933r291036_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the virtual servers. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an access policy to display the Standard Mandatory DoD-approved Notice and Consent Banner. If the BIG-IP Core is not configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the virtual servers, this is a finding.

Fix: F-16931r291037_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the virtual servers. Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the virtual servers.

a

The BIG-IP Core implementation must be configured to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users accessing virtual servers acknowledge the usage conditions and take explicit actions to log on for further access.

AC-8 - Low - CCI-000050 - V-215742 - SV-215742r557356_rule

RMF Control

AC-8

Severity

Low

CCI

CCI-000050

Version

F5BI-LT-000025

Vuln IDs

V-215742
V-60265

Rule IDs

SV-215742r557356_rule
SV-74695

The banner must be acknowledged by the user prior to allowing the user access to virtual servers. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at application logon is required. The network element must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Checks: C-16934r291039_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an access policy to retain the Standard Mandatory DoD-approved Notice and Consent Banner. If the BIG-IP Core is not configured to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.

Fix: F-16932r291040_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

a

The BIG-IP Core implementation must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

AC-8 - Low - CCI-001384 - V-215743 - SV-215743r557356_rule

RMF Control

AC-8

Severity

Low

CCI

CCI-001384

Version

F5BI-LT-000027

Vuln IDs

V-215743
V-60267

Rule IDs

SV-215743r557356_rule
SV-74697

Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services off-loaded from the application. Publicly accessed systems are used in DoD to provide benefit information, pay information, or public services. There may also be self-registration and authorization services provided by these gateways.

Checks: C-16935r291042_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an access policy to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications. If the BIG-IP Core is not configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the publicly accessible systems, this is a finding.

Fix: F-16933r291043_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the APM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications. Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

c

The BIG-IP Core implementation must be configured to limit the number of concurrent sessions to an organization-defined number for virtual servers.

AC-10 - High - CCI-000054 - V-215744 - SV-215744r557356_rule

RMF Control

AC-10

Severity

High

CCI

CCI-000054

Version

F5BI-LT-000029

Vuln IDs

V-215744
V-60269

Rule IDs

SV-215744r557356_rule
SV-74699

Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The organization-defined number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Checks: C-16936r291045_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core limits the number of concurrent sessions to an organization-defined number for virtual servers. Review organizational Standard Operating Procedures (SOP) to ensure there is an organization-defined threshold for the maximum number of concurrent session for each application the BIG-IP Core serves as intermediary. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select a Virtual Server from the list to verify that the connection limit is set. Select "Advanced" for "Configuration". Review the following under the "Configuration" section. Verify that 'Connection Limit' is set to the organization-defined number of concurrent connections and not set to zero (0). Verify that "Connection Rate Limit" is set to the organization-defined number of concurrent connections per second and not set to zero (0). If the BIG-IP Core is not configured to limit the number of concurrent sessions to an organization-defined number or is set to zero (0) for virtual servers, this is a finding.

Fix: F-16934r291046_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure the appropriate Virtual Server(s) in the BIG-IP LTM module to limit concurrent sessions to the organization-defined number for virtual servers.

b

The BIG-IP Core implementation must be configured to monitor inbound traffic for remote access policy compliance when accepting connections to virtual servers.

AC-17 - Medium - CCI-000067 - V-215745 - SV-215745r557356_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-000067

Version

F5BI-LT-000031

Vuln IDs

V-215745
V-60271

Rule IDs

SV-215745r557356_rule
SV-74701

Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities. A remote access policy establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed prior to allowing connections to the information systems. Remote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS, and webmail). With inbound TLS inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting TLS or HTTPS applications. With outbound traffic inspection, traffic must be inspected prior to being forwarded to destinations outside of the enclave, such as external email traffic.

Checks: C-16937r291048_chk

If the BIG-IP Core does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS, and webmail) for virtual servers, this is not applicable. When intermediary services for remote access communications traffic are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to inspect traffic or forward to a monitoring device for inspection prior to forwarding to inbound destinations. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to use an ASM policy to monitor inbound traffic for remote access policy compliance when accepting remote access connections to virtual servers. If the BIG-IP Core is not configured to monitor inbound traffic for compliance with remote access security policies, this is a finding.

Fix: F-16935r291049_fix

If intermediary services for remote access communications traffic are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to monitor inbound traffic for remote access policy compliance. Apply policy to the applicable Virtual Server(s) in the BIG-IP LTM module to monitor inbound traffic for remote access policy compliance when accepting connections to virtual servers.

b

The BIG-IP Core implementation must be configured to use encryption services that implement NIST SP 800-52 Revision 2 compliant cryptography to protect the confidentiality of connections to virtual servers.

AC-17 - Medium - CCI-000068 - V-215746 - SV-215746r557356_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-000068

Version

F5BI-LT-000033

Vuln IDs

V-215746
V-60273

Rule IDs

SV-215746r557356_rule
SV-74703

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of their intermediary services (e.g., OWA or TLS gateway).

Checks: C-16938r513221_chk

If the BIG-IP Core does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS, and webmail) for virtual servers, this is not applicable. When intermediary services for remote access communications are provided, verify the BIG-IP Core is configured to use encryption services that implement NIST SP 800-52 Revision 2 compliant cryptography to protect the confidentiality of connections to virtual servers. Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> SSL >> Client Verify a profile exists that is FIPS compliant. Select FIPS-compliant profile. Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers. Verify the BIG-IP Core is configured to use a FIPS-compliant profile: Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Configuration" section, that FIPS-compliant profile is in the "Selected" area for "SSL Profile (Client)". If the BIG-IP Core is not configured to use encryption services that implement NIST SP 800-52 Revision 1 compliant cryptography to protect the confidentiality of connections to virtual servers, this is a finding.

Fix: F-16936r513222_fix

If intermediary services for remote access communications traffic are provided, configure the BIG-IP Core to use encryption services that implement NIST SP 800-52 Revision 2 compliant cryptography to protect the confidentiality of connections to virtual servers.

b

The BIG-IP Core implementation must be configured to comply with the required TLS settings in NIST SP 800-52 Revision 1 for TLS services to virtual servers.

AC-17 - Medium - CCI-000068 - V-215747 - SV-215747r557356_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-000068

Version

F5BI-LT-000035

Vuln IDs

V-215747
V-60275

Rule IDs

SV-215747r557356_rule
SV-74705

NIST SP 800-52 Revision 1 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS/SSL as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 Revision 1 provides guidance. NIST SP 800-52 Revision 1 sets TLS version 1.1 as a minimum version, thus all versions of SSL are not allowed (including for client negotiation) either on DoD-only or on public facing servers.

Checks: C-16939r291054_chk

If the BIG-IP Core does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS) for virtual servers, this is not applicable. When intermediary services for TLS are provided, verify the BIG-IP Core is configured to implement the applicable required TLS settings in NIST PUB SP 800-52 Revision 1. Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> SSL >> Client Verify a profile exists that is FIPS compliant. Select FIPS-compliant profile. Select "Advanced" next to "Configuration". Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers. Verify the BIG-IP Core is configured to use FIPS-compliant server profile: Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Configuration" section, that the FIPS-compliant profile is in the "Selected" area for "SSL Profile (Client)". If the BIG-IP Core is not configured to implement the applicable required TLS settings in NIST PUB SP 800-52 Revision 1, this is a finding.

Fix: F-16937r291055_fix

If intermediary services for TLS are provided, configure the BIG-IP Core to comply with applicable required TLS settings in NIST PUB SP 800-52 Revision 1.

b

The BIG-IP Core implementation must be configured to use NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions to virtual servers.

AC-17 - Medium - CCI-001453 - V-215748 - SV-215748r557356_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-001453

Version

F5BI-LT-000037

Vuln IDs

V-215748
V-60277

Rule IDs

SV-215748r557356_rule
SV-74707

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of their intermediary services (e.g., OWA or TLS gateway).

Checks: C-16940r291057_chk

If the BIG-IP Core does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS gateways, and webmail proxy views) for virtual servers, this is not applicable. When intermediary services for remote access communication traffic are provided, verify the BIG-IP Core uses NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions to virtual servers. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Configuration" section, that a FIPS-compliant profile is in the "Selected" area for "SSL Profile (Client)" and "SSL Profile (Server)". If the BIG-IP Core is not configured to use NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions, this is a finding.

Fix: F-16938r291058_fix

If intermediary services for remote access communications traffic are provided, configure the BIG-IP Core to use NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions to virtual servers.

b

The BIG-IP Core implementation must be configured to protect audit information from unauthorized read access.

AU-9 - Medium - CCI-000162 - V-215749 - SV-215749r557356_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-000162

Version

F5BI-LT-000055

Vuln IDs

V-215749
V-60279

Rule IDs

SV-215749r557356_rule
SV-74709

Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various network elements, as well as the auditing tools, be secured and can only be accessed by authorized personnel.

Checks: C-16941r291060_chk

Verify the BIG-IP Core is configured to protect audit information from unauthorized read access. Navigate to the BIG-IP System manager >> System >> Logs >> Configuration >> Options. Under 'Log Access', verify unauthorized roles are set to 'Deny'. If the BIG-IP Core is not configured to protect audit information from unauthorized read access, this is a finding.

Fix: F-16939r291061_fix

Configure the BIG-IP Core to protect audit information from unauthorized read access.

b

The BIG-IP Core implementation must be configured to protect audit information from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-215750 - SV-215750r557356_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-000163

Version

F5BI-LT-000057

Vuln IDs

V-215750
V-60281

Rule IDs

SV-215750r557356_rule
SV-74711

If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This does not apply to audit logs generated on behalf of the device itself (management).

Checks: C-16942r291063_chk

Verify the BIG-IP Core is configured to protect audit information from unauthorized modification. Navigate to the BIG-IP System manager >> System >> Logs >> Configuration >> Options. Under 'Log Access', verify unauthorized roles are set to 'Deny'. If the BIG-IP Core is not configured to protect audit information from unauthorized modification, this is a finding.

Fix: F-16940r291064_fix

Configure the BIG-IP Core to protect audit information from unauthorized modification.

b

The BIG-IP Core implementation must be configured to protect audit information from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-215751 - SV-215751r557356_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-000164

Version

F5BI-LT-000059

Vuln IDs

V-215751
V-60283

Rule IDs

SV-215751r557356_rule
SV-74713

If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This requirement does not apply to audit logs generated on behalf of the device itself (device management).

Checks: C-16943r291066_chk

Verify the BIG-IP Core is configured to protect audit information from unauthorized deletion. Navigate to the BIG-IP System manager >> System >> Logs >> Configuration >> Options. Under 'Log Access', verify unauthorized roles are set to 'Deny'. If the BIG-IP Core is not configured to protect audit information from unauthorized deletion, this is a finding.

Fix: F-16941r291067_fix

Configure the BIG-IP Core to protect audit information from unauthorized deletion.

b

The BIG-IP Core implementation must be configured to protect audit tools from unauthorized access.

AU-9 - Medium - CCI-001493 - V-215752 - SV-215752r557356_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001493

Version

F5BI-LT-000061

Vuln IDs

V-215752
V-60285

Rule IDs

SV-215752r557356_rule
SV-74715

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management).

Checks: C-16944r291069_chk

Verify the BIG-IP Core is configured to protect audit tools from unauthorized access. Navigate to the BIG-IP System manager >> System >> Logs >> Configuration >> Options. Under 'Log Access', verify unauthorized roles are set to 'Deny'. If the BIG-IP Core is not configured to protect audit tools from unauthorized access, this is a finding.

Fix: F-16942r291070_fix

Configure the BIG-IP Core to protect audit tools from unauthorized access.

b

The BIG-IP Core implementation must be configured to protect audit tools from unauthorized modification.

AU-9 - Medium - CCI-001494 - V-215753 - SV-215753r557356_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001494

Version

F5BI-LT-000063

Vuln IDs

V-215753
V-60287

Rule IDs

SV-215753r557356_rule
SV-74717

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management).

Checks: C-16945r291072_chk

Verify the BIG-IP Core is configured to protect audit tools from unauthorized modification. Navigate to the BIG-IP System manager >> System >> Logs >> Configuration >> Options. Under 'Log Access', verify unauthorized roles are set to 'Deny'. If the BIG-IP Core is not configured to protect audit tools from unauthorized modification, this is a finding.

Fix: F-16943r291073_fix

Configure the BIG-IP Core to protect audit tools from unauthorized modification.

b

The BIG-IP Core implementation must be configured to protect audit tools from unauthorized deletion.

AU-9 - Medium - CCI-001495 - V-215754 - SV-215754r557356_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001495

Version

F5BI-LT-000065

Vuln IDs

V-215754
V-60289

Rule IDs

SV-215754r557356_rule
SV-74719

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management).

Checks: C-16946r291075_chk

Verify the BIG-IP Core is configured to protect audit information from unauthorized read access. Navigate to the BIG-IP System manager >> System >> Logs >> Configuration >> Options. Under 'Log Access', verify unauthorized roles are set to 'Deny'. If the BIG-IP Core is not configured to protect audit information from unauthorized deletion, this is a finding.

Fix: F-16944r291076_fix

Configure the BIG-IP Core to protect audit tools from unauthorized deletion.

b

The BIG-IP Core implementation must be configured so that only functions, ports, protocols, and/or services that are documented for the server/application for which the virtual servers are providing connectivity.

CM-7 - Medium - CCI-000381 - V-215755 - SV-215755r557356_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000381

Version

F5BI-LT-000067

Vuln IDs

V-215755
V-60291

Rule IDs

SV-215755r557356_rule
SV-74721

Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The primary function of an ALG is to provide application-specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server). Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.

Checks: C-16947r291078_chk

Review the BIG-IP Core configuration to determine if functions, ports, protocols, and/or services not required for operation, or not related to BIG-IP Core functionality (e.g., DNS, email client or server, FTP server, or web server) are enabled. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Review the Virtual Service List and validate all ports listed in the "Service Port" column are documented for each virtual server and are required for operation. If unnecessary services and functions are enabled on the BIG-IP Core, this is a finding. If the BIG-IP Core implementation is configured with functions, ports, protocols, and/or services that are not documented for the server/application for which the virtual servers are providing connectivity, this is a finding.

Fix: F-16945r291079_fix

Configure Virtual Servers in the BIG-IP LTM module with only functions, ports, protocols, and/or services that are documented for the servers/applications for which the BIG-IP Core implementation is providing connectivity.

b

The BIG-IP Core implementation must be configured to remove or disable any functions, ports, protocols, and/or services that are not documented as required.

CM-7 - Medium - CCI-000381 - V-215756 - SV-215756r557356_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000381

Version

F5BI-LT-000069

Vuln IDs

V-215756
V-60293

Rule IDs

SV-215756r557356_rule
SV-74723

Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy types must be limited to related functions. At a minimum, the web and email gateway represent different security domains/trust levels. Organizations should also consider separation of gateways that service the DMZ and the trusted network.

Checks: C-16948r291081_chk

Review the BIG-IP Core configuration to determine if application proxies are installed that are not related to the purpose of the gateway. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Review the Virtual Service List and validate there are only ports listed in the "Service Port" column that are providing proxy services related to the purpose of the BIG-IP Core. If the BIG-IP Core has unrelated or unneeded application proxy services installed, this is a finding.

Fix: F-16946r291082_fix

Configure Virtual Servers in the BIG-IP LTM module with only proxy services that are related to the purpose of the BIG-IP Core.

b

The BIG-IP Core implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocol, and Service Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.

CM-7 - Medium - CCI-000382 - V-215757 - SV-215757r557356_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000382

Version

F5BI-LT-000071

Vuln IDs

V-215757
V-60295

Rule IDs

SV-215757r557356_rule
SV-74725

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols, or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older versions of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.

Checks: C-16949r291084_chk

Review the BIG-IP Core to verify the minimum ports, protocols, and services that are required for operation of the BIG-IP Core are configured. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Compare enabled ports, protocols, and/or services in the "Service Port" column with the PPSM and IAVM requirements. If the BIG-IP Core is configured with ports, protocols, and/or services that are not required for operations or restricted by the PPSM, this is a finding.

Fix: F-16947r291085_fix

Configure Virtual Servers in the BIG-IP LTM module to use only ports, protocols, and/or services required for operation of the BIG-IP Core.

b

The BIG-IP Core implementation must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.

IA-2 - Medium - CCI-000764 - V-215758 - SV-215758r557356_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-000764

Version

F5BI-LT-000073

Vuln IDs

V-215758
V-60297

Rule IDs

SV-215758r557356_rule
SV-74727

To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication. 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.

Checks: C-16950r291087_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify the BIG-IP Core is configured with an APM policy to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an APM access policy to uniquely identify and authenticate organizational users when connecting to virtual servers. If the BIG-IP Core does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.

Fix: F-16948r291088_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.

b

The BIG-IP Core implementation must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers.

IA-2 - Medium - CCI-000764 - V-215759 - SV-215759r557356_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-000764

Version

F5BI-LT-000075

Vuln IDs

V-215759
V-60299

Rule IDs

SV-215759r557356_rule
SV-74729

User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. ALGs can implement functions such as traffic filtering, authentication, access, and authorization functions based on computer and user privileges. However, the directory service (e.g., Active Directory or LDAP) must not be installed on the ALG, particularly if the gateway resides on the untrusted zone of the Enclave.

Checks: C-16951r291090_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured an APM policy with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an APM access policy that has been configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges. If the BIG-IP Core is not configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges, this is a finding.

Fix: F-16949r291091_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges. Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to validate user account access authorizations and privileges when providing access control to virtual servers.

b

The BIG-IP Core implementation providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s) when providing access control to virtual servers.

IA-2 - Medium - CCI-000764 - V-215760 - SV-215760r557356_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-000764

Version

F5BI-LT-000077

Vuln IDs

V-215760
V-60301

Rule IDs

SV-215760r557356_rule
SV-74731

User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users only. Users are prompted by the application or browser for credentials. Authentication service may be provided by the ALG as an intermediary for the application; however, the authentication credential must be stored in the site's directory services server. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).

Checks: C-16952r291093_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to use a specific authentication server(s). Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy that has been configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate each user access authorization and privileges. If the BIG-IP Core provides user authentication intermediary services and does not restrict user authentication traffic to a specific authentication server(s), this is a finding.

Fix: F-16950r291094_fix

If user authentication intermediary services are provided, configure the BIG-IP Core to use a specific authentication server(s) as follows: Configure a policy in the BIG-IP APM module to use authentication for network access to non-privileged accounts. Apply the APM policy to the applicable Virtual Server(s) in BIG-IP LTM module to restrict user authentication traffic to specific authentication server(s) when providing access control to virtual servers.

b

The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.

IA-2 - Medium - CCI-000766 - V-215761 - SV-215761r557356_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-000766

Version

F5BI-LT-000079

Vuln IDs

V-215761
V-60303

Rule IDs

SV-215761r557356_rule
SV-74733

To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1) Something you know (e.g., password/PIN); 2) Something you have (e.g., cryptographic, identification device, token); and 3) Something you are (e.g., biometric). Non-privileged accounts are not authorized on the network element regardless of configuration. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. The DoD CAC with DoD-approved PKI is an example of multifactor authentication. This requirement applies to ALGs that provide user authentication intermediary services.

Checks: C-16953r291096_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to use multifactor authentication for network access to non-privileged accounts. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an APM access policy that uses multifactor authentication for network access to non-privileged accounts when granting access to virtual servers. If the BIG-IP Core provides user authentication intermediary services and does not use multifactor authentication for network access to non-privileged accounts, this is a finding.

Fix: F-16951r291097_fix

If user authentication intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to use multifactor authentication for network access to non-privileged accounts. Apply APM policy to the applicable Virtual Server(s) in BIG-IP LTM module to use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.

b

The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.

IA-5 - Medium - CCI-000185 - V-215762 - SV-215762r557356_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000185

Version

F5BI-LT-000083

Vuln IDs

V-215762
V-60305

Rule IDs

SV-215762r557356_rule
SV-74735

A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor" such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Deploying the ALG with TLS enabled may require the CA certificates for each proxy to be used for TLS traffic decryption/encryption. The installation of these certificates in each trusted root certificate store is used by proxied applications and browsers on each client.

Checks: C-16954r291099_chk

If the BIG-IP Core does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS) for virtual servers, this is not applicable. When intermediary services for TLS are provided, verify the BIG-IP Core is configured to validate certificates used for TLS functions by constructing a certification path to an accepted trust anchor. Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Server. Select a FIPS-compliant profile. Review the configuration under "Server Authentication" section. Verify "Server Certificate" is set to "Required". Verify "Trusted Certificate Authorities" is set to a DoD-approved CA bundle. If the BIG-IP Core is not configured to validate certificates used for TLS functions by constructing a certification path to an accepted trust anchor, this is a finding.

Fix: F-16952r291100_fix

If intermediary services for TLS are provided, configure the BIG-IP Core to validate certificates used for TLS functions by constructing a certification path with status information to an accepted trust anchor.

b

The BIG-IP Core implementation providing PKI-based, user authentication intermediary services must be configured to map the authenticated identity to the user account for PKI-based authentication to virtual servers.

IA-5 - Medium - CCI-000187 - V-215763 - SV-215763r557356_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000187

Version

F5BI-LT-000085

Vuln IDs

V-215763
V-60307

Rule IDs

SV-215763r557356_rule
SV-74737

Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

Checks: C-16955r291102_chk

If the BIG-IP Core does not provide PKI-based, user authentication intermediary services for virtual servers, this is not applicable. When PKI-based, user authentication intermediary services are provided, verify the BIG-IP LTM module is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to map the authenticated identity to the user account for PKI-based authentication. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an APM access policy that maps the authenticated identity to the user account for PKI-based authentication to virtual servers. If the BIG-IP Core does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.

Fix: F-16953r291103_fix

If PKI-based, user authentication intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to map the authenticated identity to the user account for PKI-based authentication. Apply APM policy to the applicable Virtual Server(s) in BIG-IP LTM module to map the authenticated identity to the user account for PKI-based authentication to virtual servers.

b

The BIG-IP Core implementation must be configured to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers.

IA-8 - Medium - CCI-000804 - V-215764 - SV-215764r557356_rule

RMF Control

IA-8

Severity

Medium

CCI

CCI-000804

Version

F5BI-LT-000087

Vuln IDs

V-215764
V-60309

Rule IDs

SV-215764r557356_rule
SV-74739

Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly. Non-organizational users will be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. This control applies to application layer gateways that provide content filtering and proxy services on network segments (e.g., DMZ) that allow access by non-organizational users. This requirement focuses on authentication requests to the proxied application for access to destination resources and policy filtering decisions rather than administrator and management functions.

Checks: C-16956r291105_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, review the BIG-IP LTM module authentication functions to verify identification and authentication are required for non-organizational users. Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. If the BIG-IP Core does not uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers, this is a finding.

Fix: F-16954r291106_fix

If user authentication intermediary services are provided, configure BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). Apply APM policy to the applicable Virtual Server(s) in BIG-IP LTM module to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers.

b

The BIG-IP Core implementation must terminate all communications sessions at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity, and for user sessions (nonprivileged sessions), the session must be terminated after 15 minutes of inactivity.

SC-10 - Medium - CCI-001133 - V-215765 - SV-215765r947426_rule

RMF Control

SC-10

Severity

Medium

CCI

CCI-001133

Version

F5BI-LT-000093

Vuln IDs

V-215765
V-60311

Rule IDs

SV-215765r947426_rule
SV-74741

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system level network connection. ALGs may provide session control functionality as part of content filtering, load balancing, or proxy services.

Checks: C-16957r939127_chk

Verify the BIG-IP Core is configured to terminate all communications at the end of the session as follows: Verify a Protocol Profile is configured to terminate a session at the end of a specified time. Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> Protocol >> TCP. Select a profile for an in-band managed session. Verify the TCP profile "idle-timeout" is set to 600/900 seconds. Select a profile for a user session. Verify the TCP profile "idle-timeout" is set to 600/900 seconds. Verify the BIG-IP LTM is configured to use the Protocol Profile. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select the appropriate virtual server. Verify the TCP profile "idle-timeout" is set to 600/900 seconds. If the BIG-IP Core is not configured to terminate all communications session at the end of the session or as follows, this is a finding: - For in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. - For user sessions (nonprivileged sessions), the session must be terminated after 15 minutes of inactivity.

Fix: F-16955r939188_fix

Configure BIG-IP Core to terminate all communications sessions at the end of the session or as follows: - For in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. - For user sessions (nonprivileged sessions), the session must be terminated after 15 minutes of inactivity.

b

The BIG-IP Core implementation must be configured to protect the authenticity of communications sessions.

SC-23 - Medium - CCI-001184 - V-215766 - SV-215766r557356_rule

RMF Control

SC-23

Severity

Medium

CCI

CCI-001184

Version

F5BI-LT-000097

Vuln IDs

V-215766
V-60313

Rule IDs

SV-215766r557356_rule
SV-74743

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS/TLS mutual authentication (two-way/bidirectional).

Checks: C-16958r291111_chk

Verify the BIG-IP Core is configured to protect the authenticity of communications sessions. Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> SSL >> Client Verify a profile exists that is FIPS compliant. Select FIPS-compliant profile. Select "Advanced" next to "Configuration". Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers. Verify the BIG-IP Core is configured to use FIPS-compliant profile: Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Server(s) from the list that the LTM module is managing the Client SSL side traffic. Verify under "Configuration" section, that FIPS-compliant profile is in the "Selected" area for "SSL Profile (Client)". If the BIG-IP Core is not configured to protect the authenticity of communications sessions, this is a finding.

Fix: F-16956r291112_fix

Configure BIG-IP Core to protect the authenticity of communications sessions.

b

The BIG-IP Core implementation providing intermediary services for remote access communications traffic must control remote access methods to virtual servers.

AC-17 - Medium - CCI-002314 - V-215772 - SV-215772r831460_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-002314

Version

F5BI-LT-000153

Vuln IDs

V-215772
V-60325

Rule IDs

SV-215772r831460_rule
SV-74755

Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). ALGs that proxy remote access must be capable of taking enforcement action (i.e., blocking, restricting, or forwarding to an enforcement mechanism) if traffic monitoring reveals unauthorized activity.

Checks: C-16964r291129_chk

If the BIG-IP Core does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS, and webmail) for virtual servers, this is not applicable. When intermediary services for remote access communications are provided, verify the BIG-IP Core is configured to control remote access methods. Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to control remote access methods. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy that controls remote access methods to virtual servers. If the BIG-IP Core does not control remote access methods, this is a finding.

Fix: F-16962r291130_fix

If intermediary services for remote access communications traffic are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to control remote access methods. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to control remote access methods to virtual servers.

b

To protect against data mining, the BIG-IP Core implementation must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.

AC-23 - Medium - CCI-002346 - V-215773 - SV-215773r831461_rule

RMF Control

AC-23

Severity

Medium

CCI

CCI-002346

Version

F5BI-LT-000157

Vuln IDs

V-215773
V-60327

Rule IDs

SV-215773r831461_rule
SV-74757

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information. Injection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections. Compliance requires the ALG to have the capability to prevent code injections. Examples include Web Application Firewalls (WAFs) or database application gateways.

Checks: C-16965r291132_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to use an ASM policy to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers. If the BIG-IP Core is not configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields, this is a finding.

Fix: F-16963r291133_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. Apply ASM policy to the applicable Virtual Server(s) in BIG-IP LTM module to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.

b

To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code.

AC-23 - Medium - CCI-002346 - V-215774 - SV-215774r831462_rule

RMF Control

AC-23

Severity

Medium

CCI

CCI-002346

Version

F5BI-LT-000159

Vuln IDs

V-215774
V-60329

Rule IDs

SV-215774r831462_rule
SV-74759

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information. Injection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections. Compliance requires the ALG to have the capability to prevent code injections. Examples include Web Application Firewalls (WAFs) or database application gateways.

Checks: C-16966r291135_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs, and application code and application. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to use an ASM policy to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code. If the BIG-IP Core is not configured to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code, this is a finding.

Fix: F-16964r291136_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code. Apply ASM policy to the applicable Virtual Server(s) in BIG-IP LTM module to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code.

b

To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields.

AC-23 - Medium - CCI-002346 - V-215775 - SV-215775r831463_rule

RMF Control

AC-23

Severity

Medium

CCI

CCI-002346

Version

F5BI-LT-000161

Vuln IDs

V-215775
V-60331

Rule IDs

SV-215775r831463_rule
SV-74761

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information. SQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server. Compliance requires the ALG to have the capability to prevent SQL code injections. Examples include Web Application Firewalls (WAFs) or database application gateways.

Checks: C-16967r291138_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to use an ASM policy to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields. If the BIG-IP Core is not configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields, this is a finding.

Fix: F-16965r291139_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields. Apply a policy to the applicable Virtual Server(s) in BIG-IP LTM module that was configured in the ASM module to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields.

b

To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to detect code injection attacks being launched against data storage objects.

AC-23 - Medium - CCI-002347 - V-215776 - SV-215776r831464_rule

RMF Control

AC-23

Severity

Medium

CCI

CCI-002347

Version

F5BI-LT-000163

Vuln IDs

V-215776
V-60333

Rule IDs

SV-215776r831464_rule
SV-74763

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information. Injection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections. ALGs with anomaly detection must be configured to protect against unauthorized code injections. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. Examples include Web Application Firewalls (WAFs) or database application gateways.

Checks: C-16968r291141_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to detect code injection attacks being launched against data storage objects. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to detect code injection attacks being launched against data storage objects. If the BIG-IP Core is not configured to detect code injection attacks being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields, this is a finding.

Fix: F-16966r291142_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to detect code injection attacks being launched against data storage objects. Apply a policy to the applicable Virtual Server(s) in BIG-IP LTM module that was configured in the ASM module to detect code injection attacks being launched against data storage objects.

b

To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields.

AC-23 - Medium - CCI-002347 - V-215777 - SV-215777r831465_rule

RMF Control

AC-23

Severity

Medium

CCI

CCI-002347

Version

F5BI-LT-000165

Vuln IDs

V-215777
V-60335

Rule IDs

SV-215777r831465_rule
SV-74765

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information. SQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server. ALGs with anomaly detection must be configured to protect against unauthorized data mining attacks. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. Examples include Web Application Firewalls (WAFs) or database application gateways.

Checks: C-16969r291144_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields. If the BIG-IP Core is not configured to detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields, this is a finding.

Fix: F-16967r291145_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields. Apply ASM policy to the applicable Virtual Server(s) in BIG-IP LTM module to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields.

b

The BIG-IP Core implementation must be configured to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.

AC-23 - Medium - CCI-002347 - V-215778 - SV-215778r831466_rule

RMF Control

AC-23

Severity

Medium

CCI

CCI-002347

Version

F5BI-LT-000167

Vuln IDs

V-215778
V-60337

Rule IDs

SV-215778r831466_rule
SV-74767

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational applications may result in the compromise of information. Injection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections. ALGs with anomaly detection must be configured to protect against unauthorized code injections. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. Examples include Web Application Firewalls (WAFs) or database application gateways.

Checks: C-16970r291147_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code, when providing content filtering to virtual servers. If the BIG-IP Core is not configured to detect code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code, this is a finding.

Fix: F-16968r291148_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code. Apply ASM policy to the applicable Virtual Server(s) in BIG-IP LTM module to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.

b

The BIG-IP Core implementation must require users to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s).

IA-11 - Medium - CCI-002038 - V-215779 - SV-215779r939150_rule

RMF Control

IA-11

Severity

Medium

CCI

CCI-002038

Version

F5BI-LT-000191

Vuln IDs

V-215779
V-60339

Rule IDs

SV-215779r939150_rule
SV-74769

Without reauthentication, users may access resources or perform tasks for which authorization has been removed. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation, idle timeout, maximum session timeout, and/or role changes.

Checks: C-16971r939124_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to require users to reauthenticate when required by organization-defined circumstances or situations. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy that requires users to reauthenticate to virtual servers when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s). If the BIG-IP Core is not configured to require users to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s), this is a finding.

Fix: F-16969r939125_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s). Apply APM policy to the applicable virtual server(s) in the BIG-IP LTM module.

b

A BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

IA-2 - Medium - CCI-001951 - V-215780 - SV-215780r831468_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-001951

Version

F5BI-LT-000193

Vuln IDs

V-215780
V-60341

Rule IDs

SV-215780r831468_rule
SV-74771

For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.

Checks: C-16972r291153_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. If the BIG-IP Core does not implement multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Fix: F-16970r291154_fix

If user authentication intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

b

The BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access.

IA-2 - Medium - CCI-001948 - V-215781 - SV-215781r831469_rule

RMF Control

IA-2

Severity

Medium

CCI

CCI-001948

Version

F5BI-LT-000195

Vuln IDs

V-215781
V-60343

Rule IDs

SV-215781r831469_rule
SV-74773

For remote access to privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

Checks: C-16973r291156_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to require multifactor authentication for remote access with privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an APM access policy to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access. If the BIG-IP Core does not implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Fix: F-16971r291157_fix

If user authentication intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to require multifactor authentication for remote access with privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access.

b

The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network.

IA-5 - Medium - CCI-001991 - V-215784 - SV-215784r878061_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-001991

Version

F5BI-LT-000203

Vuln IDs

V-215784
V-60349

Rule IDs

SV-215784r878061_rule
SV-74779

When revocation data is unavailable from the network, the system should be configured to deny-by-default to mitigate the risk of a user with a revoked certificate gaining unauthorized access. Local cached revocation data can be out of date or not able to be installed on the local system, which increases administration burden for the system. The intent of this requirement is to deny unauthenticated users access to virtual servers in case access to OCSP (required by CCI-000185) is not available. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

Checks: C-16976r291165_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured to deny-by-default user access when revocation information is not accessible via the network. Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> SSL >> Client. Select an SSL client profile that is used for client authentication with Virtual Server(s). Review the configuration under the "Client Authentication" section. Verify that "Client Certificate" is set to "require" if not using the APM. Verify that “On Demand Cert Auth” in the access profile is set to “Require” if using APM. If the BIG-IP Core is not configured to deny-by-default when unable to access revocation information via the network, this is a finding.

Fix: F-16974r291166_fix

If user access control intermediary services are provided, configure the BIG-IP Core to deny-by-default when access to revocation information via the network is inaccessible.

b

The BIG-IP Core implementation must be able to conform to FICAM-issued profiles when providing authentication to virtual servers.

IA-8 - Medium - CCI-002014 - V-215788 - SV-215788r831471_rule

RMF Control

IA-8

Severity

Medium

CCI

CCI-002014

Version

F5BI-LT-000211

Vuln IDs

V-215788
V-60357

Rule IDs

SV-215788r831471_rule
SV-74787

Without conforming to Federal Identity, Credential, and Access Management (FICAM)-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ).

Checks: C-16980r291177_chk

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable. When user authentication intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to conform to FICAM-issued profiles when providing authentication. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to conform to FICAM-issued profiles when providing authentication to pools/nodes. If the BIG-IP Core is not configured to conform to FICAM-issued profiles, this is a finding.

Fix: F-16978r291178_fix

If user authentication intermediary services are provided, configure BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to conform to FICAM-issued profiles when providing authentication. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to conform to FICAM-issued profiles when providing authentication to virtual servers.

b

The F5 BIG-IP appliance providing user authentication intermediary services must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.

SC-23 - Medium - CCI-002470 - V-215789 - SV-215789r947428_rule

RMF Control

SC-23

Severity

Medium

CCI

CCI-002470

Version

F5BI-LT-000213

Vuln IDs

V-215789
V-60359

Rule IDs

SV-215789r947428_rule
SV-74789

Non-DOD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient for DOD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. The authoritative list of DOD-approved PKIs is published at https://cyber.mil/pki-pke/interoperability. DOD-approved PKI CAs may include Category I, II, and III certificates. Category I DOD-Approved External PKIs are PIV issuers. Category II DOD-Approved External PKIs are Non-Federal Agency PKIs cross-certified with the Federal Bridge Certification Authority (FBCA). Category III DOD-Approved External PKIs are Foreign, Allied, or Coalition Partner PKIs. This requirement focuses on communications protection for the application session rather than for the network packet. Thus, a critical part of the PKI configuration for BIG-IP appliances includes requiring mutual TLS (mTLS). Use of mTLS ensures session nonrepudiation, communication integrity, and confidentiality. This approach substantially reduces the likelihood of successful server-side exploits and cookie hijacking. In the Client Authentication section of the Client SSL Profile applied to the pertinent Virtual Server, the Client Certificate configuration session must be altered from "request/ignore" to "require". This modification mandates all connecting clients to furnish a Client Certificate issued from a credible source. If a client fails to comply with this requirement, they will be issued a TCP reset.

Checks: C-16981r947341_chk

If the BIG-IP appliance does not provide PKI-based user authentication intermediary services, this is not applicable. Client SSL Profile: From the BIG-IP GUI: 1. Local Traffic. 2. Profiles. 3. SSL. 4. Client. 5. Click the name of the client SSL profile. 6. Change "Configuration" to "Advanced". 7. Under "Client Authentication", verify a DOD PKI certificate or bundle is used for "Trusted Certificate Authorities". 8. Verify the Client Certificate configuration setting is set to "require" and frequency is set to "always". Virtual Server: From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. Virtual Server List. 4. Click the name of the Virtual Server. 5. Verify that "SSL Profile (Client)" is using an SSL profile that uses a DOD PKI certificate or bundle for "Trusted Certificate Authorities". 6. Repeat for other Virtual Servers. If the BIG-IP appliance accepts non-DOD approved PKI end entity certificates, this is a finding.

Fix: F-16979r947427_fix

Update the Client SSL Profile. From the BIG-IP GUI: 1. Local Traffic. 2. Profiles. 3. SSL. 4. Client. 5. Click on the Name of the SSL Profile. 6. Change "Configuration" to "Advanced". 7. Under "Client Authentication", configure a DOD PKI certificate or bundle for "Trusted Certificate Authorities". 8. Change the Client Certificate configuration setting to "require". 9. Set the frequency to "always". 10. Click "Update". 11. Repeat for other SSL Profiles in use. Update the Virtual Server. From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. Virtual Server List. 4. Click the name of the Virtual Server. 5. Configure "SSL Profile (Client)" to use an SSL profile that uses a DOD PKI certificate or bundle for "Trusted Certificate Authorities". 6. Click "Update". 7. Repeat for other Virtual Servers.

c

The BIG-IP Core implementation must be configured to protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis when providing content filtering to virtual servers.

SC-5 - High - CCI-002385 - V-215790 - SV-215790r831473_rule

RMF Control

SC-5

Severity

High

CCI

CCI-002385

Version

F5BI-LT-000215

Vuln IDs

V-215790
V-60361

Rule IDs

SV-215790r831473_rule
SV-74791

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks, which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components. This requirement applies to the functionality of the ALG as it pertains to handling communications traffic rather than to the ALG device itself.

Checks: C-16982r291183_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with a security policy to protect against or limit the effects of known and unknown types of DoS attacks by employing rate-based attack prevention behavior analysis. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "DoS Protection Profile" is Enabled and "Profile" is set to use locally configured DoS protection Profile. Verify the DoS protection profile that is set for the Virtual Server is set to employ rate-based attack prevention: Navigate to the BIG-IP System manager >> Security >> DoS Protection >> DoS Profiles. Select the DoS Protection Profile set for the Virtual Server. Verify that "Application Security" is Enabled under "General Configuration". Verify that the following are selected for "Prevention Policy" under TPS-base Anomaly in accordance with the organization requirements: "Source IP-Based Client Side Integrity Defense" "URL-Based Client Side Integrity Defense" "Site-wide" Client-Side Integrity Defense" "Source IP-Base Rate Limiting" "URL-Based Rate Limiting" "Site-wide Rate Limiting" Verify the Criteria for each of the selected Prevention Policies is set in accordance with organization requirements. If the BIG-IP Core is not configured to protect against or limit the effects of known and unknown types of DoS attacks by employing rate-based attack prevention behavior analysis, this is a finding.

Fix: F-16980r291184_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core to protect against or limit the effects of known and unknown types of DoS attacks by employing rate-based attack prevention behavior analysis.

c

The BIG-IP Core implementation must be configured to implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks to virtual servers.

SC-5 - High - CCI-002385 - V-215791 - SV-215791r831474_rule

RMF Control

SC-5

Severity

High

CCI

CCI-002385

Version

F5BI-LT-000217

Vuln IDs

V-215791
V-60363

Rule IDs

SV-215791r831474_rule
SV-74793

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy; which service redundancy reduces the susceptibility of the ALG to many DoS attacks. The ALG must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing. This requirement applies to the functionality of the device as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technologies, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.

Checks: C-16983r291186_chk

Verify the BIG-IP Core implements load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. Navigate to the BIG-IP System manager >> System >> Configuration >> Local Traffic >> General. Verify "Reaper High-water Mark" is set to 95 and "Reaper Low-water Mark" is set to 85. If the device does not implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks, this is a finding.

Fix: F-16981r291187_fix

Configure the BIG-IP Core to implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. Navigate to the BIG-IP System manager >> System >> Configuration >> Local Traffic >> General. Make the following configurations under "Properties". Set "Reaper High-water Mark" to 95. Set "Reaper Low-water Mark" to 85.

c

The BIG-IP Core implementation must be configured to protect against known types of Denial of Service (DoS) attacks by employing signatures when providing content filtering to virtual servers.

SC-5 - High - CCI-002385 - V-215792 - SV-215792r831475_rule

RMF Control

SC-5

Severity

High

CCI

CCI-002385

Version

F5BI-LT-000219

Vuln IDs

V-215792
V-60365

Rule IDs

SV-215792r831475_rule
SV-74795

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the ALG component vendor. This requirement applies to the communications traffic functionality of the ALG as it pertains to handling communications traffic rather than to the ALG device itself.

Checks: C-16984r291189_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured to protect against known types of DoS attacks by employing signatures. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "DoS Protection Profile" is Enabled and "Profile" is set to use locally configured DoS protection Profile. If the BIG-IP Core does not protect against known types of DoS attacks by employing signatures, this is a finding.

Fix: F-16982r291190_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core to protect against or limit the effects of known types of DoS attacks by employing signatures.

c

The BIG-IP Core implementation must be configured to protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors when providing content filtering to virtual servers.

SC-5 - High - CCI-002385 - V-215793 - SV-215793r831476_rule

RMF Control

SC-5

Severity

High

CCI

CCI-002385

Version

F5BI-LT-000221

Vuln IDs

V-215793
V-60367

Rule IDs

SV-215793r831476_rule
SV-74797

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks. Detection components that use pattern recognition pre-processors can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks, which are new attacks for which vendors have not yet developed signatures. This requirement applies to the communications traffic functionality of the ALG as it pertains to handling communications traffic, rather than to the ALG device itself.

Checks: C-16985r291192_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core protects against or limits the effects of known and unknown types of DoS attacks by employing pattern recognition pre-processors. Verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors when providing content filtering to virtual servers. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "DoS Protection Profile" is Enabled and "Profile" is set to use a locally configured DoS protection Profile. Verify the DoS protection profile that is set for the Virtual Server is set to employ pattern recognition pre-processors: Navigate to the BIG-IP System manager >> Security >> DoS Protection >> DoS Profiles. Select the DoS Protection Profile set for the Virtual Server. Verify that "Application Security" is Enabled under "General Configuration". Verify that the following are selected for "Prevention Policy" under TPS-base Anomaly in accordance with the organization requirements: "Source IP-Based Client Side Integrity Defense" "URL-Based Client Side Integrity Defense" "Site-wide" Client-Side Integrity Defense" Verify the Criteria for each of the selected Prevention Policies is set in accordance with organization requirements. If the BIG-IP Core is not configured to protect against or limit the effects of known and unknown types of DoS attacks by employing pattern recognition pre-processors, this is a finding.

Fix: F-16983r291193_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to protect against or limit the effects of known and unknown types of DoS attacks by employing pattern recognition pre-processors. Apply ASM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to protect against or limit the effects of known and unknown types of DoS attacks by employing pattern recognition pre-processors when providing content filtering to virtual servers.

b

The BIG-IP Core implementation must be configured to only allow incoming communications from authorized sources routed to authorized destinations.

SC-7 - Medium - CCI-002403 - V-215794 - SV-215794r831477_rule

RMF Control

SC-7

Severity

Medium

CCI

CCI-002403

Version

F5BI-LT-000223

Vuln IDs

V-215794
V-60369

Rule IDs

SV-215794r831477_rule
SV-74799

Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application-level firewalls and Web content filters), ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate.

Checks: C-16986r291195_chk

If the BIG-IP Core does not perform packet-filtering intermediary services for virtual servers, this is not applicable. When packet-filtering intermediary services are performed, verify the BIG-IP Core is configured to only allow incoming communications from authorized sources routed to authorized destinations as follows: Verify Virtual Server(s) are configured in the BIG-IP LTM module with policies to only allow incoming communications from authorized sources routed to authorized destinations. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Network Firewall" Enforcement is set to "Policy Rules..." and "Policy" is set to use an AFM policy to only allow incoming communications from authorized sources routed to authorized destinations. If the BIG-IP Core is configured to allow incoming communications from unauthorized sources routed to unauthorized destinations, this is a finding.

Fix: F-16984r291196_fix

If user packet-filtering intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP AFM module to only allow incoming communications from authorized sources routed to authorized destinations. Apply the AFM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to only allow incoming communications from authorized sources routed to authorized destinations.

b

The BIG-IP Core implementation must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.

SI-10 - Medium - CCI-002754 - V-215795 - SV-215795r831478_rule

RMF Control

SI-10

Severity

Medium

CCI

CCI-002754

Version

F5BI-LT-000229

Vuln IDs

V-215795
V-60371

Rule IDs

SV-215795r831478_rule
SV-74801

A common vulnerability of network elements is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. This requirement applies to gateways and firewalls that perform content inspection or have higher-layer proxy functions.

Checks: C-16987r291198_chk

Verify the BIG-IP Core is configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives. This can be demonstrated by the SA sending an invalid input to a virtual server. Provide evidence that the virtual server was able to handle the invalid input and maintain operation. If the BIG-IP Core is not configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives, this is a finding.

Fix: F-16985r291199_fix

Configure the BIG-IP Core to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.

b

The BIG-IP Core implementation must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.

SI-4 - Medium - CCI-002661 - V-215796 - SV-215796r831479_rule

RMF Control

SI-4

Severity

Medium

CCI

CCI-002661

Version

F5BI-LT-000239

Vuln IDs

V-215796
V-60373

Rule IDs

SV-215796r831479_rule
SV-74803

If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs. Internal monitoring includes the observation of events occurring on the network crossing internal boundaries at managed interfaces such as web content filters. Depending on the type of ALG, organizations can monitor information systems by monitoring audit activities, application access patterns, characteristics of access, content filtering, or unauthorized exporting of information across boundaries. Unusual/unauthorized activities or conditions may include large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.

Checks: C-16988r291201_chk

If the BIG-IP Core does not perform content filtering as part of the traffic management functionality for virtual servers, this is not applicable. When content filtering is performed as part of the traffic management functionality, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to use an ASM policy to continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. If the BIG-IP Core is not configured to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions, this is a finding.

Fix: F-16986r291202_fix

If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. Apply ASM policy to the applicable Virtual Server(s) in BIG-IP LTM module to continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.

b

The BIG-IP Core implementation must be configured to check the validity of all data inputs except those specifically identified by the organization.

SI-10 - Medium - CCI-001310 - V-215797 - SV-215797r557356_rule

RMF Control

SI-10

Severity

Medium

CCI

CCI-001310

Version

F5BI-LT-000261

Vuln IDs

V-215797
V-60375

Rule IDs

SV-215797r557356_rule
SV-74805

Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application. Network devices with the functionality to perform application layer inspection may be leveraged to validate data content of network communications. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software typically follows well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If network elements use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Pre-screening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. This requirement applies to gateways and firewalls that perform content inspection or have higher-layer proxy functionality. Note: A limitation of ~200 policies per cluster currently exists on the BIG-IP Core. If this requirement cannot be met due to this limitation, documentation from the AO is required.

Checks: C-16989r291204_chk

If the BIG-IP Core does not perform content inspection as part of the traffic management functionality for virtual servers, this is not applicable. When content inspection is performed as part of the traffic management functionality, verify the BIG-IP Core is configured to check the validity of all data inputs except those specifically identified by the organization. Verify Virtual Server(s) in the BIG-IP LTM module are configured with an ASM policy to check the validity of all data inputs except those specifically identified by the organization. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Application Security Policy" is Enabled and "Policy" is set to use an ASM policy to check the validity of all data inputs except those specifically identified by the organization. If the BIG-IP Core is not configured to check the validity of all data inputs except those specifically identified by the organization, this is a finding.

Fix: F-16987r291205_fix

If the BIG-IP Core performs content inspection as part of the traffic management functionality, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP ASM module to check the validity of all data inputs except those specifically identified by the organization. Apply ASM policy to the applicable Virtual Server(s) in BIG-IP LTM module to check the validity of all data inputs except those specifically identified by the organization.

b

The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes when providing encryption traffic to virtual servers.

SC-13 - Medium - CCI-002450 - V-215798 - SV-215798r831480_rule

RMF Control

SC-13

Severity

Medium

CCI

CCI-002450

Version

F5BI-LT-000291

Vuln IDs

V-215798
V-60377

Rule IDs

SV-215798r831480_rule
SV-74807

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).

Checks: C-16990r291207_chk

If the BIG-IP Core does not provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC) for virtual servers, this is not applicable. When encryption intermediary services are provided, verify the BIG-IP Core is configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes. Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Client. Verify a profile exists that is FIPS Compliant. Select a FIPS-compliant profile. Select "Advanced" next to "Configuration". Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers. Verify applicable virtual servers are configured in the BIG-IP LTM to use a FIPS-compliant client profile: Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Configuration" section, that a FIPS-compliant profile is in the "Selected" area of "SSL Profile (Client)". If the BIG-IP Core is not configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes, this is a finding.

Fix: F-16988r291208_fix

If encryption intermediary services are provided, configure the BIG-IP Core to implement NIST FIPS-validated cryptography to generate cryptographic hashes.

b

The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography for digital signatures when providing encrypted traffic to virtual servers.

SC-13 - Medium - CCI-002450 - V-215799 - SV-215799r831481_rule

RMF Control

SC-13

Severity

Medium

CCI

CCI-002450

Version

F5BI-LT-000293

Vuln IDs

V-215799
V-60379

Rule IDs

SV-215799r831481_rule
SV-74809

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).

Checks: C-16991r291210_chk

If the BIG-IP Core does not provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC) for virtual servers, this is not applicable. When encryption intermediary services are provided, verify the BIG-IP Core is configured to implement NIST FIPS-validated cryptography for digital signatures. Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Client. Verify a profile exists that is FIPS Compliant. Select a FIPS-compliant profile. Select "Advanced" next to "Configuration". Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers. Verify applicable virtual servers are configured in the BIG-IP LTM to use a FIPS-compliant client profile: Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Configuration" section, that a FIPS-compliant profile is in the "Selected" area of "SSL Profile (Client)". If the BIG-IP Core does not implement NIST FIPS-validated cryptography for digital signatures, this is a finding.

Fix: F-16989r291211_fix

If encryption intermediary services are provided, configure the BIG-IP Core to implement NIST FIPS-validated cryptography for digital signatures.

b

The BIG-IP Core implementation must be configured to use NIST FIPS-validated cryptography to implement encryption services when providing encrypted traffic to virtual servers.

SC-13 - Medium - CCI-002450 - V-215800 - SV-215800r831482_rule

RMF Control

SC-13

Severity

Medium

CCI

CCI-002450

Version

F5BI-LT-000295

Vuln IDs

V-215800
V-60381

Rule IDs

SV-215800r831482_rule
SV-74811

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).

Checks: C-16992r291213_chk

If the BIG-IP Core does not provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC) for virtual servers, this is not applicable. When encryption intermediary services are provided, verify the BIG-IP Core is configured to use NIST FIPS-validated cryptography to implement encryption services. Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Client. Verify a profile exists that is FIPS Compliant. Select a FIPS-compliant profile. Select "Advanced" next to "Configuration". Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers. Verify applicable virtual servers are configured in the BIG-IP LTM to use a FIPS-compliant client profile: Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Configuration" section, that a FIPS-compliant profile is in the "Selected" area of "SSL Profile (Client)". If the BIG-IP Core is not configured to use NIST FIPS-validated cryptography to implement encryption services, this is a finding.

Fix: F-16990r291214_fix

If encryption intermediary services are provided, configure the BIG-IP Core to use NIST FIPS-validated cryptography to implement encryption services.

b

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound SMTP and Extended SMTP communications traffic to virtual servers.

SC-7 - Medium - CCI-001125 - V-215801 - SV-215801r557356_rule

RMF Control

SC-7

Severity

Medium

CCI

CCI-001125

Version

F5BI-LT-000303

Vuln IDs

V-215801
V-60383

Rule IDs

SV-215801r557356_rule
SV-74813

Application protocol anomaly detection examines application layer protocols such as SMTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols. Since protocol anomaly analysis examines the application payload for patterns or anomalies, an SMTP proxy must be included in the ALG. This ALG will be configured to inspect inbound SMTP and Extended SMTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.

Checks: C-16993r291216_chk

If the BIG-IP Core does not provide intermediary/proxy services for SMTP communications traffic for virtual servers, this is not applicable. When intermediary/proxy services for SMTP communication traffic are provided, verify the BIG-IP Core is configured as follows: Verify the BIG-IP LTM module is configured to inspect for protocol compliance and protocol anomalies in inbound SMTP and Extended SMTP communications traffic. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select a Virtual Server that has been configured as an SMTP proxy. Verify that "SMTP Profile" under the "Configuration" section is set to a locally configured SMTP profile. Verify the configuration of the selected SMTP profile: Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> Services >> SMTP. Select the SMTP profile that was to configure the Virtual Server. Verify that "Protocol Security" is Enabled under the "Settings" section. If the BIG-IP Core does not inspect inbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies, this is a finding.

Fix: F-16991r291217_fix

If the BIG-IP Core provides intermediary/proxy services for SMTP communications traffic, configure the BIG-IP Core as follows: Configure the BIG-IP LTM module to inspect for protocol compliance and protocol anomalies in inbound SMTP and Extended SMTP communications traffic.

b

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound FTP and FTPS communications traffic to virtual servers.

CM-6 - Medium - CCI-000366 - V-215802 - SV-215802r557356_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

F5BI-LT-000305

Vuln IDs

V-215802
V-60385

Rule IDs

SV-215802r557356_rule
SV-74815

Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols. Since protocol anomaly analysis examines the application payload for patterns or anomalies, an FTP proxy must be included in the ALG. This ALG will be configured to inspect inbound FTP and FTPS communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.

Checks: C-16994r291219_chk

If the BIG-IP Core does not provide intermediary/proxy services for FTP and FTPS communications traffic for virtual servers, this is not applicable. When intermediary/proxy services for FTP and FTPS communications traffic are provided, verify the BIG-IP Core is configured as follows: Verify the BIG-IP LTM module is configured to inspect for protocol compliance and protocol anomalies in inbound FTP and FTPS communications traffic. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select a Virtual Server that has been configured as an FTP proxy. Verify that "FTP Profile" under the "Configuration" section is set to a locally configured FTP profile. Verify the configuration of the selected FTP profile: Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> Services >> FTP. Select the FTP profile that was to configure the Virtual Server. Verify that "Protocol Security" is Enabled under the "Settings" section. If the BIG-IP Core does not inspect inbound FTP and FTPS communications traffic for protocol compliance and protocol anomalies, this is a finding.

Fix: F-16992r291220_fix

If the BIG-IP Core provides intermediary/proxy services for FTP and FTPS communications traffic, configure the BIG-IP Core as follows: Configure the BIG-IP LTM module to inspect for protocol compliance and protocol anomalies in inbound FTP and FTPS communications traffic.

b

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS traffic to virtual servers.

CM-6 - Medium - CCI-000366 - V-215803 - SV-215803r557356_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

F5BI-LT-000307

Vuln IDs

V-215803
V-60387

Rule IDs

SV-215803r557356_rule
SV-74817

Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols. Since protocol anomaly analysis examines the application payload for patterns or anomalies, an HTTP proxy must be included in the ALG. This ALG will be configured to inspect inbound HTTP and HTTPS communications traffic to detect protocol anomalies such as malformed message and command insertion attacks. Note that if mutual authentication is enabled, there will be no way to inspect HTTPS traffic with MITM.

Checks: C-16995r291222_chk

If the BIG-IP Core does not provide intermediary/proxy services for HTTP and HTTPS communications traffic for virtual servers, this is not applicable. When intermediary/proxy services for HTTP and HTTPS communications traffic are provided, verify the BIG-IP Core is configured as follows: Verify the BIG-IP LTM module is configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS communications traffic. Navigate to the BIG-IP System manager >> Security >> Protocol Security >> Security Profiles >> HTTP. Verify there is at least one profile for managing HTTP traffic. Select a Profile from the list to verify. Review each of the following tabs to verify the proper criteria are selected and are set to "Alarm" at a minimum: "HTTP Protocol Checks" "Request Checks" "Blocking Page" If the BIG-IP Core does not inspect inbound HTTP and HTTPS communications traffic for protocol compliance and protocol anomalies, this is a finding.

Fix: F-16993r291223_fix

If the BIG-IP Core provides intermediary/proxy services for HTTP and HTTPS communications traffic, configure the BIG-IP Core to inspect inbound HTTP and HTTPS communications traffic for protocol compliance and protocol anomalies.

b

The BIG-IP Core implementation must automatically terminate a user session for a user connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect.

CM-6 - Medium - CCI-000366 - V-230214 - SV-230214r856822_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

F5BI-LT-000147

Vuln IDs

V-230214
V-60321

Rule IDs

SV-230214r856822_rule
SV-74751

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. This capability is typically reserved for specific system functionality where the system owner, data owner, or organization requires additional trigger events based on specific mission needs. Conditions or trigger events requiring automatic session termination can include, for example, targeted responses to certain types of incidents and time-of-day restrictions on information system use. This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Checks: C-16962r291123_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to automatically terminate user sessions for users connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect. If the BIG-IP Core is not configured to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect, this is a finding.

Fix: F-16960r291124_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to automatically terminate a user session for a user connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect.

b

The BIG-IP Core must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions when providing access to virtual servers.

AC-12 - Medium - CCI-002364 - V-230215 - SV-230215r856824_rule

RMF Control

AC-12

Severity

Medium

CCI

CCI-002364

Version

F5BI-LT-000151

Vuln IDs

V-230215
V-60323

Rule IDs

SV-230215r856824_rule
SV-74753

If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Logoff messages for access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, remote logon, information systems typically send logoff messages as final messages prior to terminating sessions. This policy only applies to ALGs (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Checks: C-16963r291126_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions when providing access to virtual servers. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section, that "Access Policy" has been set to use an APM access policy that displays an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. If the BIG-IP Core is not configured to display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions, this is a finding.

Fix: F-16961r291127_fix

If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions when providing access to virtual servers.

b

The BIG-IP Core implementation must be configured to activate a session lock to conceal information previously visible on the display for connections to virtual servers.

AU-9 - Medium - CCI-001494 - V-230216 - SV-230216r561161_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001494

Version

F5BI-LT-000139

Vuln IDs

V-230216
V-60315

Rule IDs

SV-230216r561161_rule
SV-74745

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The network element session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Checks: C-16959r291114_chk

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP LTM is configured to conceal, via a session lock, information previously visible on the display with a publicly viewable image. Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> Protocol >> TCP. Select a TCP Profile for user sessions. Verify "Reset On Timeout" is Enabled under the "Settings" section Verify the BIG-IP LTM is configured to use the Protocol Profile. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select appropriate virtual server. Verify "Protocol Profile (Client)" is set to a profile that limits session timeout. If the BIG-IP Core does not conceal, via a session lock, information previously visible on the display with a publicly viewable image, this is a finding.

Fix: F-16957r291115_fix

If user access control intermediary services are provided, configure the BIG-IP Core to conceal, via a session lock, information previously visible on the display with a publicly viewable image.

b

The F5 BIG-IP appliance must configure OCSP to ensure revoked credentials are prohibited from establishing an allowed session.

IA-5 - Medium - CCI-000185 - V-260048 - SV-260048r947413_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000185

Version

F5BI-LT-000317

Vuln IDs

V-260048

Rule IDs

SV-260048r947413_rule

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

Checks: C-63779r947346_chk

If the BIG-IP appliance does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable. If the BIG-IP is performing Client Certificate Authentication: Client SSL Profile: From the BIG-IP GUI: 1. Local Traffic. 2. Profiles. 3. SSL. 4. Client. 5. Click the name of the SSL profile. 6. Under "Client Authentication", verify that "Trusted Certificate Authorities" is configured with a trusted CA certificate or bundle. 7. If the BIG-IP is performing Client Certificate Constrained Delegation, verify an OCSP responder is selected under "Client Certificate Constrained Delegation". 8. Verify the OCSP Responder is configured correctly by going to System >> Certificate Management >> Traffic Certificate Management >> OCSP. If the BIG-IP appliance is not configured to use OCSP to ensure revoked user credentials are prohibited from establishing an allowed session, this is a finding.

Fix: F-63686r947347_fix

If the BIG-IP is performing Client Certificate Authentication add the Client SSL Profile. From the BIG-IP GUI: 1. Local Traffic. 2. Profiles. 3. SSL. 4. Client. 5. Click the name of the SSL profile. 6. Under "Client Authentication", select a trusted CA certificate or bundle under "Trusted Certificate Authorities". Note: To create a Trusted CA certificate or bundle, go to System >> Certificate Management >> Traffic Certificate Management >> SSL Certificate List. 7. If the BIG-IP is performing Client Certificate Constrained Delegation, select an OCSP responder under "Client Certificate Constrained Delegation". Note: To create an OCSP Responder, click the "+" next to "OCSP" or go to System >> Certificate Management >> Traffic Certificate Management >> OCSP. 8. Click "Update".