Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Riverbed NetProfiler Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2023-01-11
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
a
The Riverbed NetProfiler must be configured to limit the number of concurrent sessions to one for the locally defined administrator account.
AC-10 - Low - CCI-000054 - V-256071 - SV-256071r882721_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
RINP-DM-000001
Vuln IDs
  • V-256071
Rule IDs
  • SV-256071r882721_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DOS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.
Checks: C-59745r882719_chk

Go to Administration >> Account Management >> User Accounts. Click "Settings". Check under "Log-in Settings". If the "Allow only one log-in per user name/password combination" box is not checked, this is a finding.

Fix: F-59688r882720_fix

Go to Administration >> Account Management >> User Accounts. Click "Settings". Under "Log-in Settings", check the "Allow only one log-in per user name/password combination" box. Click "OK" to save the settings.

c
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.
AC-2 - High - CCI-000018 - V-256072 - SV-256072r882724_rule
RMF Control
AC-2
Severity
High
CCI
CCI-000018
Version
RINP-DM-000004
Vuln IDs
  • V-256072
Rule IDs
  • SV-256072r882724_rule
Auditing can be disabled in the NetProfiler. The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. Upon gaining access to a network device, an attacker often attempts to create or change accounts to ensure continued access. Audit records and alerts with sufficient information to provide the information system security officer (ISSO) with forensic information about the incident can alert administrators to an ongoing attack attempt. The Riverbed NetProfiler audit log generates sufficient information by default to fulfill DOD requirements when the audit setting "Log all Audit Events" is selected. Sites may also fine-tune using the "Log custom set of audit events" and selecting applicable settings; however, this method may fail to capture all required audit records. Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000516-NDM-000350, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000092-NDM-000224, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000381-NDM-000305, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000343-NDM-000289, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321
Checks: C-59746r882722_chk

Enable all DOD-required audit requirements, including changes to user accounts and use of privileged functions. Go to Administration >> Audit Trail. Click "Audit Settings". Check under "Logging Settings". If "Log all Audit Events" is not selected, this is a finding.

Fix: F-59689r882723_fix

Go to Administration >> Audit Trail. Click "Audit Settings". Under "Logging Settings", select "Log all Audit Events". Click "OK" to save the settings.

b
The Riverbed NetProfiler must enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 30 minutes, at a minimum.
AC-7 - Medium - CCI-000044 - V-256073 - SV-256073r882727_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
RINP-DM-000008
Vuln IDs
  • V-256073
Rule IDs
  • SV-256073r882727_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. in NetProfiler, the default "Number of log-in attempts before account is locked" is 3, and the default "Number of minutes to keep account locked" is 30.
Checks: C-59747r882725_chk

Go to Administration >> Account Management >> User Accounts. Click "Settings". Check under "Log-in Settings". If the "Number of log-in attempts before an account is locked" is not set to "3", and the "Number of minutes to keep account locked" is not set to "30", this is a finding.

Fix: F-59690r882726_fix

Go to Administration >> Account Management >> User Accounts. Click "Settings". Under "Log-in Settings", change the "Number of log-in attempts before account is locked" to "3", and change the "Number of minutes to keep account locked" to "30". Click "OK" to save the settings. Note that the DOD minimum setting is 15; however, the product minimum is 30.

b
The Riverbed NetProfiler must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-256074 - SV-256074r882730_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
RINP-DM-000009
Vuln IDs
  • V-256074
Rule IDs
  • SV-256074r882730_rule
Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-59748r882728_chk

Go to Administration >> Account Management >> User Accounts. Click "Settings". Check under "Log-in Settings". Verify the following verbiage is used exactly as displayed with spacing and syntax as depicted in DTM-08-060: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the "Log-in splash screen display" is not set to display the Standard Mandatory DOD Notice and Consent Banner on the login screen exactly in the format required by DOD, this is a finding.

Fix: F-59691r882729_fix

Go to Administration >> Account Management >> User Accounts. Click "Settings". Under "Log-in Settings" on the "Log-in splash screen display", use the drop-down menu to select "Show until Acknowledged". Click the browse button beside "Upload new log-in splash screen" to select the banner file. Click "OK" to save the settings. NOTE: The banner file can only be uploaded in JPG format.

b
The Riverbed NetProfiler must be configured to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - V-256075 - SV-256075r882733_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
RINP-DM-000010
Vuln IDs
  • V-256075
Rule IDs
  • SV-256075r882733_rule
The administrator must acknowledge the banner prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the administrator does not acknowledge the consent banner, DOD will not be in compliance with system use notifications required by law. To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement. In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, and then entering the password is also acceptable.
Checks: C-59749r882731_chk

Go to Administration >> Account Management >> User Accounts. Click "Settings". Check under "Log-in Settings". If the "Log-in splash screen display" is not set to "Show until Acknowledged", this is a finding.

Fix: F-59692r882732_fix

Go to Administration >> Account Management >> User Accounts. Click "Settings". Under "Log-in Settings", on the "Log-in splash screen display", use the drop-down menu to select "Show until Acknowledged".

c
The Riverbed NetProfiler must change the default admin credentials so they do not use the default manufacturer passwords when deployed.
IA-5 - High - CCI-002041 - V-256076 - SV-256076r882736_rule
RMF Control
IA-5
Severity
High
CCI
CCI-002041
Version
RINP-DM-000011
Vuln IDs
  • V-256076
Rule IDs
  • SV-256076r882736_rule
Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability, confidentiality, or integrity of network traffic. Many default vendor passwords are well known or easily guessed; therefore, not removing them prior to deploying the network device into production provides an opportunity for a malicious user to gain unauthorized access to the device. By default, NetProfiler provides a single user account and password: The user name is admin with a weak default password. This user account is assigned the built-in role of Administrator, which provides the admin user account with unrestricted access to all NetProfiler features and data. At a minimum, change the default password to something less obvious and more complex. The default password is provided solely to enable logging in to the system and changing the configuration.
Checks: C-59750r882734_chk

Attempt to log in to the NetProfiler web user interface using the default "admin" user account and password. Work with the site representative to verify the root and mazu passwords have been changed to DOD-compliant passwords and stored securely with limited access. If the admin, root, or mazu passwords have not been changed, this is a finding.

Fix: F-59693r882735_fix

Upon initial setup, log in to the NetProfiler web user interface using the "admin" user account and password. Wait until the configuration wizard starts and provide the required information at the prompts. Follow the wizard and change the default password when prompted. Change default system shell account passwords as required. The appliance is shipped with shell access enabled: Configuration >> Appliance Security >> Security Compliance page "Accounts" section bootloader - The boot loader controls the image, and options are loaded with the operating system. There is no login access to this account. Password change is not required. root - Accessible only through SSH from other modules in an Enterprise NetProfiler. This has shell access from the console if login is enabled. Change to implement a DOD-compliant password. Securely store and protect the password. admin - Accessible only through the console port. This is for initial setup only; there is no shell access. Recommend use as account of last resort; however, login may be disabled only if another account of last resort is configured. Change to implement a DOD-compliant password. Securely store and protect the password. mazu - Accessible through SSH. This has shell access unless disabled. Change to implement a DOD-compliant password. Securely store and protect the password. dhcp - Accessible through SSH using keys. support - DOD does not recommend enabling Challenge Mode because it requires a code from Riverbed Support.

b
The Riverbed NetProfiler must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
CM-7 - Medium - CCI-000382 - V-256077 - SV-256077r882739_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RINP-DM-000026
Vuln IDs
  • V-256077
Rule IDs
  • SV-256077r882739_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, it must be documented and approved. NOTE: Configuration of the network firewall is out of scope for this STIG. However, the network firewall must be configured to ONLY allow the following ports to the Riverbed NetProfiler. - TCP/22 – (SSH) Used for secure shell access to SteelCentral software components and for the appliance to obtain information from servers via scripts. - TCP/443 – Used to secure web-based management interfaces. - TCP/8443 – Used for exchange of encryption certificates between SteelCentral products. - TCP/41017 – Used for encrypted communication between NetProfiler and Flow Gateway, NetShark, and AppResponse appliances. - TCP/5432 – (ODBC) Enable this port if plans are to enable other applications' access to the NetProfiler internal database via ODBC. - TCP/42999 – Enable traffic on this port if the intent is to use the NetProfiler user identification feature with a Microsoft Active Directory domain controller. - UDP/123 – (NTP) Used for synchronization of time between a Flow Gateway and NetProfiler. - UDP/161 – (SNMP) Used by the NetProfiler or Flow Gateway to obtain interface information from switches, routers, firewalls, SteelHeads, and any sFlow or Netflow sources. Also, management systems use this port to read the SteelCentral product Management Information Base (MIB). - Vulnerability scanner ports – Use of the NetProfiler vulnerability scan feature requires allowing traffic on the port the SteelCentral product uses to access the vulnerability scanner server. Obtain the vulnerability scanner server addresses and port numbers from the administrator of those systems. The default ports are: - Nessus: 1241 - nCircle: 443 - Rapid7: 3780 - Qualys: Requires external https access to qualysapi.qualys.com (Note: This is separate from qualysguard.qualys.com.) - Foundstone: 3800
Checks: C-59751r882737_chk

Work with the site representative to identify unnecessary and/or nonsecure functions, ports, protocols, and/or services that are enabled. If unnecessary and/or nonsecure functions, ports, protocols, and/or services are enabled, this is a finding.

Fix: F-59694r882738_fix

Remove unused or unnecessary services that are not being used. Example: If the AUX port is not being used, go to the Configuration >> General Settings page, AUX interface configuration section, and deselect the "Configure AUX Interface" option. This disables the AUX interface. If any static routes were added for the configuration that are no longer needed, remove them in the Static Routes section.

b
The Riverbed NetProfiler must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-256078 - SV-256078r882742_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
RINP-DM-000027
Vuln IDs
  • V-256078
Rule IDs
  • SV-256078r882742_rule
Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort because it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-59752r882740_chk

Navigate to the Configuration >> Account Management >> User Accounts page. If accounts exist other than the "admin" account, this is a finding.

Fix: F-59695r882741_fix

Use of the factory-created "admin" account as the account of last resort is strongly recommended. It must have a DOD-compliant password and be securely stored in a safe for emergency but not day-to-day use. Go to the Configuration >> Manage Accounts >> User Accounts >> Settings page. In the Global account settings configuration window, ensure the "Prevent user 'admin' from being locked out via a DOS attack" feature applies to only the factory-created admin account.

c
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
AU-9 - High - CCI-000163 - V-256079 - SV-256079r882745_rule
RMF Control
AU-9
Severity
High
CCI
CCI-000163
Version
RINP-DM-000029
Vuln IDs
  • V-256079
Rule IDs
  • SV-256079r882745_rule
The lack of role-based access control could result in the immediate compromise of and unauthorized access to sensitive information. Additionally, without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or assert nonrepudiation is lost. Individual accountability mandates that each administrator is uniquely identified. For public key infrastructure (PKI)-based authentication, the device must be configured to map validated certificates to unique user accounts. This requirement applies to accounts or roles created and managed on or by the network device. Satisfies: SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000033-NDM-000212
Checks: C-59753r882743_chk

Review the site's System Security Plan (SSP) to determine which personnel are assigned to each NetProfiler role. Go to Administration >> Account Management >> User Accounts. Go to the Roles-Attributes Mapping section of the RADIUS, TACACS+, or SAML tab of the Configuration >> Account Management >> Remote Authentication page. If account roles are not configured, or if the roles assigned do not match the site's SSP, this is a finding.

Fix: F-59696r882744_fix

Although all individual admin accounts must be configured on an authentication server, the NetProfiler must be configured to point to a PKI-based authentication server and the NetProfiler roles must be mapped to the authorization attributes on the authentication server. The following is an example using RADIUS. Refer to the user's guide for instructions for TACACS+ or SAML. Users who do not have a NetProfiler or NetExpress account must have both their authentication information (login name, password) and authorization information (user role indicated by the value of the Class attribute or the Cascade-User-Role attribute) specified on the RADIUS server. The values of the RADIUS authorization attributes must be mapped to their corresponding user roles on NetProfiler or NetExpress. The values on the RADIUS server and the values on NetProfiler or NetExpress must match for the user to be logged on. To map the NetProfiler or NetExpress user roles to RADIUS authorization attributes: 1. Click "Edit" in the Roles-Attributes Mapping section of the RADIUS tab of the Configuration >> Account Management >> Remote Authentication page. 2. For the first user role, click "Add new attribute" to display an edit box. 3. Select the RADIUS authorization attribute (Class or Cascade-User-Role). (If assigning the Restricted user account role, use the Restricted-Filter attribute to limit the account to traffic specified by traffic expressions. Refer to the in-product help system for additional information about Restricted user accounts.) 4. Enter the value of the attribute that is required for a RADIUS-authorized user to be logged on in this user role. 5. If applicable, click "Add new attribute" to add another mapping. 6. Continue with the next user role that is to be authorized by RADIUS. 7. When the RADIUS authorization attributes have been mapped to their corresponding NetProfiler user roles, click "Save".

b
The Riverbed NetProfiler must be configured to enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000195 - V-256080 - SV-256080r882748_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
RINP-DM-000031
Vuln IDs
  • V-256080
Rule IDs
  • SV-256080r882748_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: SRG-APP-000164-NDM-000252, SRG-APP-000170-NDM-000329
Checks: C-59754r882746_chk

Go to Administration >> Account Management >> User Accounts. Click the "Settings" button. Check under "Password Requirements". If "Minimum number of characters" is set not to "15", this is a finding.

Fix: F-59697r882747_fix

Go to Administration >> Account Management >> User Accounts. Click the "Settings" button. Under "Password Requirements", change the "Minimum number of characters" to "15".

b
The Riverbed NetProfiler must configure the local account password to "require mixed case".
IA-5 - Medium - CCI-000192 - V-256081 - SV-256081r882751_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
RINP-DM-000032
Vuln IDs
  • V-256081
Rule IDs
  • SV-256081r882751_rule
Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account. Satisfies: SRG-APP-000166-NDM-000254, SRG-APP-000167-NDM-000255
Checks: C-59755r882749_chk

Go to Administration >> Account Management >> User Accounts. Click the "Settings" button. Check under "Password Requirements". If the "Require mixed case" rule is not checked, this is a finding.

Fix: F-59698r882750_fix

Require the user password to have at least one uppercase and one lowercase character. Go to Administration >> Account Management >> User Accounts. Click the "Settings" button. Under "Password Requirements", select the "Require mixed case" rule.

b
The Riverbed NetProfiler must require that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-256082 - SV-256082r882754_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
RINP-DM-000035
Vuln IDs
  • V-256082
Rule IDs
  • SV-256082r882754_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available and for the account of last resort and root account.
Checks: C-59756r882752_chk

Go to Administration >> Account Management >> User Accounts. Click the "Settings" button. Check under "Password Requirements". If the "Require nonalphanumeric characters" rule is not checked, this is a finding.

Fix: F-59699r882753_fix

Go to Administration >> Account Management >> User Accounts. Click the "Settings" button. Under "Password Requirements", select the "Require nonalphanumeric characters" rule.

b
The Riverbed NetProfiler must be configured to terminate all sessions and network connections when nonlocal device maintenance is completed.
MA-4 - Medium - CCI-000879 - V-256083 - SV-256083r882757_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000879
Version
RINP-DM-000041
Vuln IDs
  • V-256083
Rule IDs
  • SV-256083r882757_rule
If a device management session or connection remains open after management is completed, it may be hijacked by an attacker and used to compromise or damage the network device. Nonlocal device management and diagnostic activities are conducted by individuals communicating through an external network (e.g., the internet) or an internal network. Logging out of NetProfiler ends the session with NetProfiler. It does not close sessions with the SAML identity provider involved with the initial authentication process or those for any other Riverbed product involved in cross-product drill downs. Therefore, it is recommended to close all browser tabs and close the browser when finished accessing NetProfiler authentication.
Checks: C-59757r882755_chk

Ask if the system administrators are trained to log out and close browsers upon finishing with management sessions. Verify the inactivity timeout is set. Go to Configuration >> Appliance Security >> Password Security. Under "Inactivity Timeout", verify the "Enable Maximum Inactivity Timeout" box is checked and the timer is set for 10 minutes. If the inactivity timeout is not enabled, and/or the timer is not set to 10 minutes, this is a finding.

Fix: F-59700r882756_fix

To ensure all management sessions or connections are closed upon termination or abort, system administrators must be trained to log out after each session, the inactivity timeout must be configured, and all browser sessions must be closed. Go to Configuration >> Appliance Security >> Password Security. Under "Inactivity Timeout", check the "Enable Maximum Inactivity Timeout" box and set the timer for 10 minutes. NOTE: Logging out of NetProfiler ends the session with NetProfiler. It does not close sessions with the SAML identity provider involved with the initial authentication process or those for any other Riverbed product involved in cross-product drill downs. Therefore, it is recommended to close all browser tabs and close the browser when finished accessing NetProfiler authentication.

c
The Riverbed NetProfiler must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-256084 - SV-256084r882760_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
RINP-DM-000042
Vuln IDs
  • V-256084
Rule IDs
  • SV-256084r882760_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-59758r882758_chk

Go to Configuration >> Appliance Security >> Password Security. Under "Inactivity Timeout", verify the "Enable Maximum Inactivity Timeout" box is checked and the timer is set for 10 minutes. If the inactivity timeout is not enabled, and/or the timer is not set to 10 minutes, this is a finding.

Fix: F-59701r882759_fix

Go to Configuration >> Appliance Security >> Password Security. Under "Inactivity Timeout", check the "Enable Maximum Inactivity Timeout" box and set the timer for 10 minutes.

b
The Riverbed NetProfiler must be configured to synchronize internal information system clocks using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-256085 - SV-256085r882763_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RINP-DM-000047
Vuln IDs
  • V-256085
Rule IDs
  • SV-256085r882763_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-59759r882761_chk

Go to Administration >> General Settings. Under "Time Configuration", verify that at least the IP address for both Server 1 and Server 2 has been configured. If redundant time servers have not been configured, this is a finding.

Fix: F-59702r882762_fix

Go to Administration >> General Settings. Under "Time Configuration", configure the IP address for at least both Server 1 and Server 2. Select the type of encryption and configure both the key and index for each of the server entries.

b
The Riverbed NetProfiler must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
AU-8 - Medium - CCI-001890 - V-256086 - SV-256086r882766_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
RINP-DM-000048
Vuln IDs
  • V-256086
Rule IDs
  • SV-256086r882766_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-59760r882764_chk

Go to Administration >> General Settings. Under "Time Configuration", verify the Time Zone is set to "UTC". If the Time Zone is not "UTC", this is a finding.

Fix: F-59703r882765_fix

Go to Administration >> General Settings. Under "Time Configuration", configure the Time Zone to "UTC".

b
The Riverbed NetProfiler must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
AU-8 - Medium - CCI-001889 - V-256087 - SV-256087r882769_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001889
Version
RINP-DM-000049
Vuln IDs
  • V-256087
Rule IDs
  • SV-256087r882769_rule
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.
Checks: C-59761r882767_chk

Go to Administration >> General Settings. Under "Time Configuration", verify that redundant NTP servers have been configured. If NTP is not configured, this is a finding.

Fix: F-59704r882768_fix

Go to Administration >> General Settings. Under "Time Configuration", enable and configure redundant NTP servers. This requirement is part of using the NTP protocol.

b
The Riverbed NetProfiler must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - Medium - CCI-001967 - V-256088 - SV-256088r882772_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
RINP-DM-000051
Vuln IDs
  • V-256088
Rule IDs
  • SV-256088r882772_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.
Checks: C-59762r882770_chk

Go to Administration >> Appliance Security >> Security Compliance. Under "Operational Modes", verify "Strict Security Mode" is enabled. If it is not enabled, this is a finding.

Fix: F-59705r882771_fix

Go to Administration >> Appliance Security >> Security Compliance. Under "Operational Modes", enable "Strict Security Mode".

b
The Riverbed NetProfiler must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-256089 - SV-256089r882775_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
RINP-DM-000052
Vuln IDs
  • V-256089
Rule IDs
  • SV-256089r882775_rule
If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-59763r882773_chk

Go to Administration >> General Settings. Under "Time Configuration", verify the "Encryption" for the NTP servers is set to "SHA-1" and the Key and Index columns have a value that corresponds to each NTP server. If SHA-1 is not configured for the NTP servers, this is a finding.

Fix: F-59706r882774_fix

Go to Administration >> General Settings. Under "Time Configuration", change the "Encryption" for the NTP Servers to "SHA-1", and under the Key and Index columns, enter the value that corresponds to each NTP server.

c
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
IA-5 - High - CCI-000196 - V-256090 - SV-256090r882778_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000196
Version
RINP-DM-000054
Vuln IDs
  • V-256090
Rule IDs
  • SV-256090r882778_rule
If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and allowing hijacking of maintenance sessions. Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms. Currently, HMAC is the only FIPS-validated algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2/140-3 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. All protocols (e.g., SNMPv3, SSHv2, NTP, HTTPS, HMAC, password authentication, remote communications, password encryption, random number/session ID generation, and other protocols and cryptograph applications/functions that require server/client authentication) are to be FIPS 140-2/140-3 validated. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers. Satisfies: SRG-APP-000412-NDM-000331, SRG-APP-000156-NDM-000250, SRG-APP-000171-NDM-000258, SRG-APP-000172-NDM-000259, SRG-APP-000179-NDM-000265, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330
Checks: C-59764r882776_chk

Go to Administration >> Appliance Security >> Security Compliance. Check under "Operational Modes". If "FIPS 140-2 Compatible Cryptography" is not enabled, this is a finding.

Fix: F-59707r882777_fix

Go to Administration >> Appliance Security >> Security Compliance. Under "Operational Modes", enable "FIPS 140-2 Compatible Cryptography". NOTE: Configuring FIPS mode is the required DOD configuration. However, the severity of this requirement can be decreased to a CAT III if the alternative manual configuration is used to configure individual protocols because this allows non-FIPS validated algorithms to be used for some functions.

b
The Riverbed NetProfiler must be configured to protect against known types of denial-of-service (DOS) attacks by restricting web and SSH access to the appliance.
SC-5 - Medium - CCI-002385 - V-256091 - SV-256091r882781_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
RINP-DM-000055
Vuln IDs
  • V-256091
Rule IDs
  • SV-256091r882781_rule
DOS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DOS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DOS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DOS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DOS attacks. The security safeguards cannot be defined at the DOD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DOS attacks).
Checks: C-59765r882779_chk

Go to configuration >> Appliance Security >> Password Security. Under Access >> Remote Access, verify the "Restrict Web access to" radio button and the "Restrict SSH access to" radio button are selected, and the boxes contain the authorized range of IP addresses. If this is not set, this is a finding.

Fix: F-59708r882780_fix

Go to configuration >> Appliance Security >> Password Security. Under Access >> Remote Access, select the "Restrict Web access to" radio button and the "Restrict SSH access to" radio button, and fill the corresponding boxes with the authorized range of IP addresses.

b
The Riverbed NetProfiler must be configured to use redundant Syslog servers that are configured on a different system than the NetProfiler appliance.
AU-4 - Medium - CCI-001851 - V-256092 - SV-256092r882784_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
RINP-DM-000057
Vuln IDs
  • V-256092
Rule IDs
  • SV-256092r882784_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Checks: C-59766r882782_chk

Go to Administration >> General Settings. Under "Syslog", verify the entries for Server 1 Host and Server 2 Host are configured. Verify "Audit Trail" and "Events" are selected for each Syslog server. If this is not true, this is a finding.

Fix: F-59709r882783_fix

Go to Administration >> General Settings. Configure the entry for Server 1 Host. Configure the entry for Server 2 Host. Check "Audit Trail" and "Events" for each configured server.

c
The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.
CM-6 - High - CCI-000366 - V-256093 - SV-256093r882787_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RINP-DM-000060
Vuln IDs
  • V-256093
Rule IDs
  • SV-256093r882787_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Checks: C-59767r882785_chk

Go to Administration >> Account Management >> Remote Authentication. Verify that RADIUS, TACACS+, or SAML 2.0 are enabled and configured. If this is not true, this is a finding.

Fix: F-59710r882786_fix

This requirement does not apply to the local account of last resort or system accounts. Go to Administration >> Account Management >> Remote Authentication. Configure and enable RADIUS, TACACS+, or SAML 2.0. The following is an example using RADIUS. Refer to the user's guide for instructions for TACACS+ or SAML.

b
The Riverbed NetProfiler must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-256094 - SV-256094r882790_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RINP-DM-000061
Vuln IDs
  • V-256094
Rule IDs
  • SV-256094r882790_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice.
Checks: C-59768r882788_chk

Go to Configuration >> Appliance Security >> Encryption Key Management. Under the "Local Credentials" tab, look for the "Apache SSL certificate". Under the "Action" column, click the drop-down menu and select "View Certificate". Verify the Privacy Enhanced Mail (PEM) format for the certificate and key match the certification authority-provided certificate and the certificate is signed by a DOD-approved certificate authority. If this is not true, this is a finding.

Fix: F-59711r882789_fix

Go to Configuration >> Appliance Security >> Encryption Key Management. Under the "Local Credentials" tab, look for the "Apache SSL certificate". Under the "Action" column, click the drop-down menu and select "Change Key/Cert". Paste the private key and certificate in PEM format and click "Save". Restart the web browser to avoid connection errors.

c
The Riverbed NetProfiler must be configured to run an operating system release that is currently supported by the vendor.
CM-6 - High - CCI-000366 - V-256095 - SV-256095r882793_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RINP-DM-000063
Vuln IDs
  • V-256095
Rule IDs
  • SV-256095r882793_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-59769r882791_chk

Go to System >> Update. Verify the current version is higher than 10.0.0 and currently supported by the vendor by checking the vendor's website (support.riverbed.com). If this is not true, this is a finding.

Fix: F-59712r882792_fix

Check the vendor's website (support.riverbed.com) to verify the current version installed on the NetProfiler appliance is supported. Go to System >> Update. Under "Add a different update version", select the" Update File:" radio button, click "Browse", find the update downloaded from a DOD authorized source, and select "Update Now".

a
The Riverbed NetProfiler must be configured to conduct backups of system-level information and system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
CM-6 - Low - CCI-000366 - V-256096 - SV-256096r882796_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RINP-DM-000064
Vuln IDs
  • V-256096
Rule IDs
  • SV-256096r882796_rule
System-level information includes default and customized settings and security attributes, including access control lists (ACLs) that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who use this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups. The backup feature securely copies traffic and configuration information to a specified backup system. NetProfiler cannot be configured to automatically run backups, but backups can be configured and run manually via the Backup page. Manually back up the system periodically in accordance with the site System Security Plan (SSP). NetExpress packet logs and index files are not backed up. Additionally, capture jobs are not restored if the backup and restore operations are performed from a physical NetExpress to a virtual edition or vice versa. The NetProfiler uses the SSH public key to connect to a backup server for running backups. Satisfies: SRG-APP-000516-NDM-000340, SRG-APP-000516-NDM-000341
Checks: C-59770r882794_chk

Review the SSP to determine the site's network device backup policy. Check the NetProfiler backup log to verify regular backups are being performed. Go to System >> Backup. View if there is a recent backup. If the site does not conduct backups of system-level information contained in the information system when changes occur, this is a finding.

Fix: F-59713r882795_fix

Manually back up via the configuration periodically in accordance with the SSP. Go to System >> Backup. Enter details about what information must be backed up, where it is backed up, and who is notified when the backup is completed. Click "Run Backup".

b
The network device must terminate shared/group account credentials when members leave the group.
AC-2 - Medium - CCI-002142 - V-256097 - SV-256097r882799_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002142
Version
RINP-DM-000091
Vuln IDs
  • V-256097
Rule IDs
  • SV-256097r882799_rule
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates. The “mazu” account is the local Linux OS account created and used by the NetProfiler and Flow Gateway application for ownership of application, configuration, and data files stored on the appliance. Operations such as changing appliance settings and running reports on a cluster, as well as using backup/restore functionality rely on the existence of the “mazu” user. The account is required for proper operation of the solution. However, the ability to login to this account can be disabled on the Security Compliance page, as well as firewall rules can be used to restrict the remote access.
Checks: C-59771r882797_chk

Review the site's System Security Plan (SSP) to verify the password for the account of last resort and/or the root account are changed when a system administrator with knowledge of the password leaves or no longer has a need to know/access. If the credentials for the account of last resort are not changed when administrators who know the credential leave the organization, this is a finding.

Fix: F-59714r882798_fix

Change the account of last resort to a new password when administrators who know the credential leave the organization. Document this process in the SSP. Set the password for the account of last resort and/or root as needed based on what the person departing had access to. Change default system shell account passwords as required: Go to Configuration >> Appliance Security >> Security Compliance page Accounts section to change or disable the following passwords. root - Accessible only through SSH from other modules in an Enterprise NetProfiler. This has shell access from the console if login is enabled. Change to implement a DOD-compliant password. Securely store and protect the password. admin - Accessible only through the console port. This is for initial setup only with no shell access. Recommend use as account of last resort; however, login may be disabled only if another account of last resort is configured. Change to implement a DOD-compliant password. Securely store and protect the password. The following system account must be configured to comply with this requirement. mazu - Accessible through SSH; this has shell access unless disabled. Disable the password (DOD preferred) or change to implement a DOD-compliant password. Securely store and protect the password.