Trend Micro TippingPoint NDM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-06-09
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The TippingPoint SMS must limit the maximum number of concurrent active sessions to one for the account of last resort.
AC-10 - Low - CCI-000054 - V-242231 - SV-242231r710700_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
TIPP-NM-000010
Vuln IDs
  • V-242231
Rule IDs
  • SV-242231r710700_rule
Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions is defined by DoD as one based on operational environment for each system.
Checks: C-45506r710698_chk

1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". 3. Verify the setting for the "limit number of total and user sessions" option is checked. 4. Verify the active sessions allowed for a user option has a numeric value of 1. If the TippingPoint SMS does not limit the maximum number of concurrent active sessions to one for the account of last resort, this is a finding.

Fix: F-45464r710699_fix

1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". Click the check box for "Limit number of total and user sessions". 3. Type 1 for the number of active sessions allowed for a user. 4. Click OK.

The TippingPoint SMS must limit the total number of user sessions for privileged users to a maximum of 10.
AC-10 - Low - CCI-000054 - V-242232 - SV-242232r710703_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
TIPP-NM-000011
Vuln IDs
  • V-242232
Rule IDs
  • SV-242232r710703_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of currently allowed administrator sessions is a best practice that lowers the risk of DoS attacks.
Checks: C-45507r710701_chk

1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". 3. Verify the setting for the "limit number of total and user sessions" option is checked. 4. Verify the active sessions allowed on SMS option has a numeric value of 10 or less. If the TippingPoint SMS does not limit the total number of user sessions for privileged users to a maximum of 10, this is a finding.

Fix: F-45465r710702_fix

1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" under "Session Preferences". Click the check box for "Limit number of total and user sessions". 3. Type 10 or less for the number of active sessions allowed on SMS. 4. Click OK.

The TippingPoint SMS must disable auto reconnect after disconnect.
AC-10 - Low - CCI-000054 - V-242233 - SV-242233r710706_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
TIPP-NM-000012
Vuln IDs
  • V-242233
Rule IDs
  • SV-242233r710706_rule
Device management includes the ability to control the number of administrators and management sessions that manage a device. Requiring authentication for auto reconnecting expired administrator sessions is a best practice that lowers the risk of DoS attacks.
Checks: C-45508r710704_chk

1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" Under "Client Preferences". 3. Verify the option for "Auto reconnect client to server after a disconnect occurs" is unchecked. If the TippingPoint SMS does not disable auto reconnect after disconnect, this is a finding.

Fix: F-45466r710705_fix

1. Log in to the SMS client. 2. Select >> "Edit" >> "Preferences". Select "Security" Under "Client Preferences". Uncheck "Auto reconnect client to server after a disconnect occurs". 3. Click OK.

The TippingPoint SMS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
AC-7 - Medium - CCI-000044 - V-242234 - SV-242234r710709_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
TIPP-NM-000040
Vuln IDs
  • V-242234
Rule IDs
  • SV-242234r710709_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Checks: C-45509r710707_chk

Verify the SMS client requires locking of account after three invalid login attempts. Navigate to Edit >> Preferences. If the checkbox for "Lock user after failed login attempts" is not checked, or if the threshold is not set to 3, this is a finding.

Fix: F-45467r710708_fix

In the Trend Micro TippingPoint system, ensure the SMS client is requiring locking of account after three invalid login attempts: 1. Navigate to Edit >> Preferences. 2. Click the checkbox for "Lock user after failed login attempts". 3. Under threshold enter 3. 4. Click OK to save.

The TippingPoint SMS, TPS, and SMS client must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Low - CCI-000048 - V-242235 - SV-242235r710712_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
TIPP-NM-000050
Vuln IDs
  • V-242235
Rule IDs
  • SV-242235r710712_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. Configure banner messages to display security notices on the SMS client toolbar or when a user attempts to log in to the following interfaces: SMS client, SMS web management console, CLI, or remote SSH client. When configured, the Notice and Consent Banner remains on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, as required by CCI-000050. Satisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216
Checks: C-45510r710710_chk

Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DTM-08-060. Verify the SMS client has a login banner configured by viewing the SMS client toolbar, client login, web login, console/CLI, or remote/SSH login. Verify the TPS login banner is enabled: 1. Click Devices, All Devices, and the TPS Device hostname. 2. Click Device Configuration. 3. Click Login Banner. If the TippingPoint SMS, TPS, and SMS client does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Fix: F-45468r710711_fix

Configure the banner message to display on the SMS client toolbar or when a user attempts to log in to the following interfaces: SMS client, SMS web management console, CLI, or remote SSH client. 1. Select Edit >> Preferences >> Banner Message. 2. Check "Enable Banner Message". 3. Add the exactly worded and formatted DoD-approved banner as presented in accordance with DTM-08-060. 4. Check all the boxes under the banner so that it is displayed on the client toolbar, client login, web login, console/CLI, and remote/SSH login. To enable the TPS login banner: 1. Select Devices >> All Devices >> <TPS Device hostname>. 2. Select Device Configuration >> Login Banner >> Enable Banner Message. 3. Add the exactly worded and formatted DoD-approved banner as presented in accordance with DTM-08-060. 4. Click OK.

The TippingPoint SMS must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
CM-7 - High - CCI-000382 - V-242236 - SV-242236r710715_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
TIPP-NM-000200
Vuln IDs
  • V-242236
Rule IDs
  • SV-242236r710715_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.
Checks: C-45511r710713_chk

In the SMS client, ensure the SMS and TPS have disabled all unnecessary and insecure protocols. 1. For SMS, click Admin and Management. 2. Ensure only Ping is enabled and the SMS is in FIPS Mode. If any other services are enabled or if the SMS is not in FIPS mode, this is a finding. 3. For TPS, click Devices, All Devices, and the subject device hostname. 4. Click Device Configuration and select Services. Ensure only TLS 1.2 is enabled. 5. Under FIPS Settings ensure the FIPS Mode is selected. If any other services are enabled or if the TPS is not in FIPS mode, this is a finding.

Fix: F-45469r710714_fix

In the SMS client, ensure the SMS and TPS have disabled all unnecessary and insecure protocols. 1. For SMS, click Admin and Management. 2. Uncheck SSH, HTTPS, and TAXII. Ensure only Ping is checked. 3. Click edit on FIPS Mode. 4. Under an approved change window only, enable FIPS Crypto Core. This will cause a reboot; only do this when authorized. 5. For TPS, click Devices, All Devices, and the subject device hostname. 6. Click Device Configuration and select Services. 7. Uncheck SSH, TLS 1.0 and TLS 1.1. Only HTTPS should be selected. 8. Under FIPS Settings ensure the FIPS Mode is selected. This should also be done in an approved change window, as a reboot will be triggered.

The TippingPoint SMS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-242237 - SV-242237r710718_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
TIPP-NM-000210
Vuln IDs
  • V-242237
Rule IDs
  • SV-242237r710718_rule
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort because it is intended to be used as a last resort, and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.
Checks: C-45512r710716_chk

In the SMS client, ensure the SMS has only a single local account. Select Admin >> Authentication and Authorization >> Users. If more than one user is enabled under user accounts, this is a finding.

Fix: F-45470r710717_fix

In the SMS client, ensure the SMS has only a single local emergency account. 1. Select Admin >> Authentication and Authorization >> Users. 2. Delete all but the user account being used for local emergency user account/account of last resort functions. The local emergency user account must not be disabled after 35 days of inactivity. Log in to the serial console and enter the following command: set pwd.emergency-user=<USERNAME>

The TippingPoint SMS must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-242238 - SV-242238r710721_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
TIPP-NM-000240
Vuln IDs
  • V-242238
Rule IDs
  • SV-242238r710721_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-45513r710719_chk

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

Fix: F-45471r710720_fix

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

The TippingPoint SMS must enforce password complexity by requiring that at least one uppercase character be used.
IA-5 - Medium - CCI-000192 - V-242239 - SV-242239r710724_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
TIPP-NM-000250
Vuln IDs
  • V-242239
Rule IDs
  • SV-242239r710724_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45514r710722_chk

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

Fix: F-45472r710723_fix

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

The TippingPoint SMS must enforce password complexity by requiring that at least one lowercase character be used.
IA-5 - Medium - CCI-000193 - V-242240 - SV-242240r710727_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
TIPP-NM-000260
Vuln IDs
  • V-242240
Rule IDs
  • SV-242240r710727_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45515r710725_chk

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

Fix: F-45473r710726_fix

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

The TippingPoint SMS must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-242241 - SV-242241r710730_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
TIPP-NM-000270
Vuln IDs
  • V-242241
Rule IDs
  • SV-242241r710730_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45516r710728_chk

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

Fix: F-45474r710729_fix

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

The TippingPoint SMS must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-242242 - SV-242242r710733_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
TIPP-NM-000280
Vuln IDs
  • V-242242
Rule IDs
  • SV-242242r710733_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45517r710731_chk

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. If the security level is set to anything except "3 - High", this is a finding. This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.

Fix: F-45475r710732_fix

In the SMS client, ensure the SMS password complexity requirements are met. 1. Under Security, click Edit and Preferences. 2. Change security level to "3 - High". This setting ensures a 15-character minimum, uppercase, lowercase, numbers, and symbols are used.
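The five password rules above (TIPP-NM-000240 through TIPP-NM-000280) are all satisfied by the same SMS setting, security level "3 - High", which the STIG describes as enforcing a 15-character minimum with uppercase, lowercase, numeric and special characters. The following checker, added here as an illustration and not part of the STIG or of TippingPoint's own software, evaluates a candidate password against exactly that stated policy so a site can pre-screen account-of-last-resort credentials before they are set; the function names are hypothetical, and the assumption that "symbols" means ASCII punctuation is labelled in the code.

```python
import string

# Policy as stated by the STIG for the SMS "3 - High" security level:
# 15-character minimum with uppercase, lowercase, numbers, and symbols.
MIN_LENGTH = 15
# Assumption: "symbols" means ASCII punctuation. The SMS may count a
# different character set; adjust if the vendor documentation differs.
SYMBOLS = frozenset(string.punctuation)


def unmet_requirements(password: str) -> list[str]:
    """Return the policy requirements the password fails; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length < {MIN_LENGTH}")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase character")
    if not any(c.islower() for c in password):
        failures.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    if not any(c in SYMBOLS for c in password):
        failures.append("no special character")
    return failures


def meets_high_security_level(password: str) -> bool:
    """True when the password would satisfy every rule the "3 - High" level enforces."""
    return not unmet_requirements(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    candidates = [
        "Correct-Horse-Batt3ry",   # compliant
        "Short1!",                 # too short, otherwise fine
        "alllowercaseletters",     # long enough but missing three classes
    ]
    for pw in candidates:
        verdict = "OK" if meets_high_security_level(pw) else "FAIL"
        print(f"{verdict:4} {pw!r}: {unmet_requirements(pw) or 'meets policy'}")
```

Run it with a candidate password in place of the constructed samples; a non-empty list names every rule the "3 - High" level would reject it on, which is more useful than a bare pass/fail when documenting why a credential was rotated.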

The TippingPoint TPS must have FIPS Mode enforced.
IA-7 - High - CCI-000803 - V-242243 - SV-242243r754439_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
TIPP-NM-000300
Vuln IDs
  • V-242243
Rule IDs
  • SV-242243r754439_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.
Checks: C-45518r754431_chk

In the SMS client, verify the TPS FIPS Mode is enabled. 1. For TPS, click Devices, All Devices, and the subject device hostname. 2. Click FIPS Settings and ensure the FIPS Mode is selected. If the TPS is not in FIPS mode, this is a finding.

Fix: F-45476r754383_fix

In the SMS client, enable the TPS FIPS Mode. 1. For TPS, click Devices, All Devices, and the subject device hostname. 2. Click FIPS Settings, then check enabled. This must be done in the approved change window, as the TPS will reboot.

The TippingPoint SMS must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-242244 - SV-242244r754440_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
TIPP-NM-000320
Vuln IDs
  • V-242244
Rule IDs
  • SV-242244r754440_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-45519r710737_chk

In the SMS client, ensure the SMS inactivity timeouts are configured. 1. Under Security, click Edit and Preferences. 2. Under Client Preferences, if "Timeout client session after inactivity" is not checked or the Time is not set to 10 minutes, this is a finding.

Fix: F-45477r710738_fix

In the SMS client, ensure the SMS inactivity timeouts are configured. 1. Under Security, click Edit and Preferences. 2. Under Client Preferences, check the item "Timeout client session after inactivity" and ensure the Time is set to 10 minutes.

The Trend Micro SMS must generate an alert for all audit failure events requiring real-time alerts.
AU-5 - Medium - CCI-001858 - V-242245 - SV-242245r710742_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
TIPP-NM-000390
Vuln IDs
  • V-242245
Rule IDs
  • SV-242245r710742_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-45520r710740_chk

In the SMS client, ensure an SNMPv3 trap destination is configured. 1. Navigate to Admin >> Server Properties >> SNMP. 2. View the NMS configuration. If an NMS Trap Destination is not configured, this is a finding.

Fix: F-45478r710741_fix

In the SMS client, configure an SNMPv3 trap destination. Audit failure alerts are generated via SNMPv3 traps. 1. Navigate to Admin >> Server Properties >> SNMP >> Add. 2. Enter the IPv4 or IPv6 address, Version 3, with the username and authPriv keys configured to match the site's required attributes.

The TippingPoint SMS must be configured to synchronize internal information system clocks using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-242246 - SV-242246r710745_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
TIPP-NM-000400
Vuln IDs
  • V-242246
Rule IDs
  • SV-242246r710745_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-45521r710743_chk

In the SMS client, ensure two NTP sources are configured. 1. Select Admin, Server Properties, and Network. 2. If Enable NTP is not checked or at least two NTP servers are not configured under Date/Time, this is a finding.

Fix: F-45479r710744_fix

In the SMS client, ensure two NTP sources are configured. 1. Select Admin, Server Properties, and Network. 2. Check Enable NTP. 3. Enter a server IPv4 address in NTP Server 1 and NTP Server. 4. Ensure this is done under an approved change window as it will cause a reboot.

The TippingPoint SMS must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-242247 - SV-242247r710748_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
TIPP-NM-000410
Vuln IDs
  • V-242247
Rule IDs
  • SV-242247r710748_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-45522r710746_chk

In the SMS client, ensure the GMT/UTC time zone is configured. 1. Select Admin, Server Properties, and Network. 2. If a time zone other than UTC is selected, this is a finding.

Fix: F-45480r710747_fix

In the SMS client, ensure the GMT/UTC time zone is configured. 1. Select Admin, Server Properties, and Network. 2. Under time zone, select UTC. 3. Ensure this is done under an approved change window as it will cause a reboot.

The TippingPoint SMS must enforce access restrictions associated with changes to device configuration.
CM-5 - Medium - CCI-001813 - V-242248 - SV-242248r710751_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
TIPP-NM-000420
Vuln IDs
  • V-242248
Rule IDs
  • SV-242248r710751_rule
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device can potentially have significant effects on the overall security of the device. Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Checks: C-45523r710749_chk

In the Trend Micro TippingPoint system, ensure the SMS client is using CAC authentication and LDAPS authorization. 1. Log in to the SMS client. 2. Navigate to Authentication and Authorization >> Authentication. If "Use CAC authentication" is not selected, this is a finding.

Fix: F-45481r710750_fix

Follow these configuration steps to enable CAC/LDAPS authentication and authorization to the Trend Micro TippingPoint SMS client. The site's LDAPS/AD environment must be configured to audit all account actions.

I. Certificate Load Steps:
1. Log in to the SMS client.
2. Select Certificate Management >> CA certificates >> Import.
3. Find the CA signing certificate bundle for the LDAPS servers on your machine.
4. Enter the name, then select Browse to find the CA certificate.
5. Click OK.
6. Repeat these steps for all other DoD Root and Intermediate CAs being used for the administrators' admin tokens/CACs.

II. LDAP Authorization configuration steps:
1. Select Authentication and Authorization >> Groups >> New.
2. Type the name of the LDAP group exactly as it appears as the CN in the Active Directory domain.
3. Add all site-specific details, including which role to map: superuser, admin, or operator.
4. Under Active Directory Group Mapping, ensure the item "map this group to the same named group in active directory" is selected.
5. Select OK.

III. LDAPS Server configuration (ensure a DNS resolver has been configured in accordance with the admin guide, and that this DNS resolver can resolve the domain the SMS will log into):
1. Under Admin, navigate to Authentication and CAC >> Edit.
2. Server address: enter the fully qualified domain name, since that is the name the LDAPS certificate will most likely carry.
3. Enable SSL: must be checked for LDAPS.
4. Current certificate: must be the intermediate root certificate/issuing CA certificate for the domain controllers; this is the CA certificate loaded in section I.
5. Port: 636, or your DoD LDAPS port if different.
6. Timeout: 30 seconds is the default.
7. Admin name: the account that has privileges to access the directory schema; the format is username@domain.name.
8. Admin password: the password of the admin account above.
9. User search base: the LDAP directory tree for the accounts that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil
10. User search attribute: normally in DoD this is userPrincipalName.
11. User display attribute: normally in DoD this is sAMAccountName.
12. Group search base: the LDAP directory tree for the groups that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil
13. Group name attribute: normally this is cn.
14. Select the Test button to ensure all configurations provided function correctly.
15. Select OK.

IV. Enable OCSP revocation checking:
1. Under OCSP Settings, navigate to Certificate Management and Revocation >> New >> Certificate Authority.
2. Type the full OCSP URI (e.g., http://ocsp.disa.mil).
3. Repeat this step for all CA certificates in the CAC trust chain.
4. Optionally, to add a CRL, click New under Certificate Revocation Lists.
5. Select the Certificate Authority.
6. Type the full CRL path, including the specific CRL file (e.g., http://crl.disa.mil/certificate.crl).

V. Enable CAC authentication/LDAPS authorization:
1. Navigate to Admin >> Authentication and Groups >> Edit.
2. Click Use CAC Authentication (ensure the local emergency user account is checked for local access in case of emergency troubleshooting).
3. Select OK.
4. Close the SMS client.

VI. Test CAC authentication:
1. Ensure one other smartcard reader is enabled in the Device Manager of the computer you are using.
2. Open the SMS client.
3. Type the hostname/IP of the SMS server.
4. With the CAC/admin token inserted in the reader, type the PIN of the CAC.
5. Select the certificate to use to log in.
6. Select OK.
7. The user should be taken to the dashboard and configuration area of the SMS.

VII. Troubleshooting:
1. If you receive errors logging in with CAC, go to the serial console of the SMS server.
2. Log in with the local account of last resort.
3. Type the command "set cac.disable = yes"; this gives your local admin login access to the SMS client so you can troubleshoot any configuration errors.

The TippingPoint SMS must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - High - CCI-001967 - V-242249 - SV-242249r710754_rule
RMF Control
IA-3
Severity
High
CCI
CCI-001967
Version
TIPP-NM-000440
Vuln IDs
  • V-242249
Rule IDs
  • SV-242249r710754_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-45524r710752_chk

In the SMS client, ensure an SNMPv3 trap destination and SNMPv3 requests are configured.
1. Select Admin and Server Properties.
2. Select SNMP.
If an NMS trap destination is not configured, if SNMPv3 requests are not configured, or if the SNMPv3 protocol does not use at least AES-128 for privacy and SHA1 for authentication, this is a finding.

Fix: F-45482r710753_fix

In the SMS client, ensure an SNMPv3 trap destination is configured.
1. Select Admin and Server Properties.
2. Select SNMP.
3. Click Add.
4. Enter the IPv4 or IPv6 address, Version 3, the username, and the authPriv keys configured to match the site's required attributes. The authentication must be at least SHA1 and the privacy must be at least AES-128.
5. Select Edit under the SNMP tab.
6. Check Enable SNMP requests.
7. Select only v3.
8. Enter the username and the authentication and privacy keys. The authentication must be at least SHA1 and the privacy must be at least AES-128.
9. Select OK.
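How the SHA1 authentication and AES-128 privacy secrets entered in steps 4 and 8 are actually used on the wire, as an added example that is not Trend Micro's code: it implements the RFC 3414 password-to-key and key-localization steps, the HMAC-SHA-96 authentication of an SNMPv3 message, and the RFC 3826 AES-128 key derivation. The engine ID and message bytes used in the demonstration are constructed sample values.

```python
"""SNMPv3 USM key derivation and message authentication for an authPriv user
(SHA1 authentication, AES-128 privacy), as the SMS SNMP dialog requires.

Added example, not Trend Micro code. The engine ID and message below are
constructed sample values.
"""
import hashlib
import hmac

STRETCH_LEN = 1_048_576  # RFC 3414 A.2: the password is repeated to fill 1 MB
AUTH_PARAMS_LEN = 12     # HMAC-SHA-96 keeps the first 96 bits (RFC 3414 6.3)


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(STRETCH_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so a key recovered from
    one engine does not reveal the key in use with any other engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_auth_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Localized authentication key for this user on this engine."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def usm_aes128_priv_key(priv_password: bytes, engine_id: bytes) -> bytes:
    """RFC 3826 3.1.2.1: the AES-128 key is the first 16 bytes of the localized
    key derived from the privacy password with the auth hash (SHA1 here)."""
    return usm_auth_key(priv_password, engine_id, "sha1")[:16]


def hmac_sha96(auth_key: bytes, whole_msg: bytes) -> bytes:
    """RFC 3414 6.3.1: HMAC-SHA-1 over the whole message, truncated to 12 bytes.
    The sender places this in msgAuthenticationParameters, which is zero-filled
    while the MAC is computed."""
    return hmac.new(auth_key, whole_msg, hashlib.sha1).digest()[:AUTH_PARAMS_LEN]


def verify_hmac_sha96(auth_key: bytes, whole_msg: bytes, received: bytes) -> bool:
    """RFC 3414 6.3.2: the receiver recomputes the MAC and compares in constant time."""
    if len(received) != AUTH_PARAMS_LEN:
        return False
    return hmac.compare_digest(hmac_sha96(auth_key, whole_msg), received)


if __name__ == "__main__":
    # Constructed engine ID and a stand-in for a BER-encoded SNMPv3 message
    # with the 12-byte authentication field already zeroed.
    engine_id = b"\x80\x00\x1f\x88\x80" + b"\x01\x02\x03\x04\x05\x06\x07"
    message = b"\x30\x2a\x02\x01\x03" + b"\x00" * 40
    auth_key = usm_auth_key(b"site-auth-passphrase", engine_id)
    priv_key = usm_aes128_priv_key(b"site-priv-passphrase", engine_id)
    mac = hmac_sha96(auth_key, message)
    print("localized SHA1 auth key:", auth_key.hex())
    print("AES-128 privacy key:    ", priv_key.hex())
    print("msgAuthenticationParameters:", mac.hex())
    print("verifies:", verify_hmac_sha96(auth_key, message, mac))
```

The password/engine ID pair "maplesyrup" with engine ID 00…02 is the RFC 3414 Appendix A.3.2 test vector and can be used to confirm the derivation against the RFC.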

The TippingPoint SMS must authenticate Network Time Protocol sources using authentication that is cryptographically based.
IA-3 - High - CCI-001967 - V-242250 - SV-242250r710757_rule
RMF Control
IA-3
Severity
High
CCI
CCI-001967
Version
TIPP-NM-000450
Vuln IDs
  • V-242250
Rule IDs
  • SV-242250r710757_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-45525r710755_chk

In the SMS client, ensure NTP authentication is enabled.
1. Log in to the serial console or ESXi virtual console.
2. Run the command ntp-auth.
If NTP authentication is not enabled for both client and server, this is a finding.

Fix: F-45483r710756_fix

In the SMS client, ensure NTP authentication is enabled.
1. Log in to the serial console or ESXi virtual console.
2. Run the command ntp-auth.
3. Select "Y" to change the NTP Authentication settings.
4. Select "A" and enter a key ID.
5. Select "V" to add the key value.
6. Select "T" and ensure SHA1 is added.
7. Select "K" and enter the key ID number.
8. Select "U" and "E" to enable client and server authentication.
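What the key ID, key value and SHA1 type configured above protect, as an added example that is not Trend Micro's code: it builds an NTPv4 client packet, appends the RFC 5905 MAC as ntpd computes it for a SHA1 key (key ID followed by SHA-1 over key || header), and verifies it the way a peer holding the same trusted key does. The key, key ID and transmit time are constructed sample values.

```python
"""NTP symmetric-key authentication, which the ntp-auth settings enable for
the SMS as both NTP client and NTP server.

Added example, not Trend Micro code. Key, key ID and timestamp are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
SHA1_LEN = 20
NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def build_client_header(unix_time: float) -> bytes:
    """48-byte NTPv4 header: LI=0, VN=4, Mode=3 (client). Only the transmit
    timestamp is filled in, which is all a client request needs."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    # stratum 0, poll 6 (64 s), precision -20; root delay, root dispersion,
    # reference ID and the reference/origin/receive timestamps are nine zero words
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20, *([0] * 9), secs, frac)


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 7.3 MAC: 4-byte key ID followed by the digest over key || header.
    ntpd computes this as a plain keyed digest, not an HMAC, so SHA1 yields 20 bytes."""
    return struct.pack("!I", key_id) + hashlib.sha1(key + header).digest()


def sign_packet(key_id: int, key: bytes, header: bytes) -> bytes:
    """Authenticated packet = header || MAC (72 bytes with a SHA1 key)."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Receiver-side check: reject packets without a MAC, packets naming a key
    ID that is not trusted, and any packet whose digest does not match the
    header (a modified timestamp or a peer using a different key)."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + SHA1_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.sha1(key + header).digest()
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + KEY_ID_LEN:])


def transmit_timestamp(header: bytes) -> float:
    """Decode the transmit timestamp back to Unix time."""
    secs, frac = struct.unpack("!II", header[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


if __name__ == "__main__":
    # Constructed 20-byte key with key ID 7 (the values entered via "A" and "V").
    key = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
    header = build_client_header(1_700_000_000.5)
    packet = sign_packet(7, key, header)
    print("authenticated packet length:", len(packet))
    print("accepted with trusted key:", verify_packet(packet, {7: key}))
    print("accepted without MAC:", verify_packet(header, {7: key}))
```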

The TippingPoint TPS must have FIPS mode enforced.
MA-4 - High - CCI-002890 - V-242251 - SV-242251r754441_rule
RMF Control
MA-4
Severity
High
CCI
CCI-002890
Version
TIPP-NM-000470
Vuln IDs
  • V-242251
Rule IDs
  • SV-242251r754441_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Satisfies: SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331
Checks: C-45526r754433_chk

In the SMS client:
1. Click Admin and Management.
2. Ensure the SMS is in FIPS Mode.
If the SMS is not in FIPS mode, this is a finding.

Fix: F-45484r754434_fix

Enable the SMS FIPS Mode:
1. Click Admin and Management.
2. Select Edit and click Enable FIPS Mode.
This must be done in an approved change window, since the SMS will reboot.

The TippingPoint SMS must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
SC-5 - Medium - CCI-002385 - V-242252 - SV-242252r710763_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
TIPP-NM-000490
Vuln IDs
  • V-242252
Rule IDs
  • SV-242252r710763_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. The security safeguards cannot be defined at the DoD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).
Checks: C-45527r710761_chk

In the SMS client, verify the SMS and TPS have DoS protections enabled.
1. Navigate to Devices and select the SMS hostname.
2. Select Device Configuration >> Host IP filters.
If no filters exist or the default action is set to "allow", this is a finding.

Fix: F-45485r710762_fix

In the SMS client, ensure the SMS and TPS have DoS protections enabled.
1. Navigate to Devices and select the SMS hostname.
2. Select Device Configuration >> Host IP filters.
3. Add each allowed management subnet.
4. Select Deny as the default action and click OK.
5. Select OK.

The TippingPoint SMS must generate audit records when successful/unsuccessful logon attempts occur.
AU-12 - Low - CCI-000172 - V-242253 - SV-242253r710766_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
TIPP-NM-000520
Vuln IDs
  • V-242253
Rule IDs
  • SV-242253r710766_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-45528r710764_chk

In the SMS client, ensure the remote system is configured to generate all audit records.
1. Navigate to Admin >> Server properties >> Syslog.
2. Verify the configuration enables TCP.
3. Verify the Device Audit, Device System, SMS Audit, and SMS System log types are enabled and configured.
If syslog is not configured to use TCP or does not include the four log types, this is a finding.

Fix: F-45486r710765_fix

In the SMS client, ensure the remote system is configured to generate all audit records.
1. Navigate to Admin >> Server properties >> Syslog >> New.
2. Click Enable.
3. Click TCP (required for DoD).
4. Under Log Type, select "Device Audit".
5. Facility: "Log Audit".
6. Timestamp: SMS Current Time.
7. Check "Include SMS hostname in Header".
8. Click OK.
9. Repeat these steps for the three other Log Types: Device System, SMS Audit, and SMS System.

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
AC-3 - High - CCI-000213 - V-242254 - SV-242254r754442_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
TIPP-NM-000570
Vuln IDs
  • V-242254
Rule IDs
  • SV-242254r754442_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important as protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000516-NDM-000335, SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000153-NDM-000249, SRG-APP-000329-NDM-000287, SRG-APP-000156-NDM-000250, SRG-APP-000340-NDM-000288, SRG-APP-000380-NDM-000304, SRG-APP-000408-NDM-000314
Checks: C-45529r710767_chk

Configure the Trend Micro TippingPoint system to ensure the SMS client is using CAC authentication and LDAPS authorization.
1. Log in to the SMS client.
2. Click Authentication and Authorization.
3. Click Authentication.
4. Ensure "Use CAC authentication" is currently selected.
If the TippingPoint SMS is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix: F-45487r710768_fix

Follow these configuration steps to enable CAC/LDAPS authentication and authorization to the Trend Micro TippingPoint SMS client. The site's LDAPS/AD environment must be configured to audit all account actions.

I. Certificate Load Steps:
1. Log in to the SMS client.
2. Select Certificate Management.
3. Click CA certificates.
4. Select Import.
5. Find the CA signing certificate bundle for the LDAPS servers on your machine.
6. Enter the name, then select Browse to find the CA certificate.
7. Click OK.
8. Repeat these steps for all other DoD Root and Intermediate CAs used for the administrators' admin tokens/CACs.

II. LDAP Authorization configuration steps:
1. Click Authentication and Authorization.
2. Select Groups.
3. Click New.
4. Type the name of the LDAP group exactly as it appears as the CN in the Active Directory domain.
5. Add all site-specific details, including which role to map: superuser, admin, or operator.
6. Under Active Directory Group Mapping, ensure the item "map this group to the same named group in active directory" is selected.
7. Select OK.

III. LDAPS Server configuration (ensure a DNS resolver has been configured in accordance with the admin guide, and that this resolver can resolve the domain the SMS will log in to):
1. Under Admin, click Authentication and CAC.
2. Click Edit.
3. Server address: enter the fully qualified domain name, since that is what the LDAPS certificate will most likely contain.
4. Enable SSL: must be checked for LDAPS.
5. Current certificate: must be the intermediate/issuing CA certificate for the domain controllers; this is the CA certificate loaded in section I.
6. Port: 636, or your DoD LDAPS port if different.
7. Timeout: 30 seconds is the default.
8. Admin name: must be the account that has privileges to access the directory schema; the format is username@domain.name.
9. Admin password: the password of the admin account above.
10. User search base: the LDAP directory tree for the accounts that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil
11. User search attribute: normally in DoD this is userPrincipalName.
12. User display attribute: normally in DoD this is sAMAccountName.
13. Group search base: the LDAP directory tree for the groups that will be allowed. Example: ou=Trend Micro,dc=dod,dc=disa,dc=mil
14. Group name attribute: normally cn.
15. Select the Test button to ensure all configuration provided functions correctly.
16. Select OK.

IV. Enable OCSP revocation checking:
1. Select Certificate Management and Revocation.
2. Click New under OCSP Settings.
3. Select the Certificate Authority, then type the full OCSP URI (e.g., http://ocsp.disa.mil).
4. Repeat this step for all CA certificates in the CAC trust chain.
5. Optionally, to add a CRL, click New under Certificate Revocation Lists.
6. Select the Certificate Authority.
7. Type the full CRL path, including the specific CRL file (e.g., http://crl.disa.mil/certificate.crl).

V. Enable CAC authentication/LDAPS authorization:
1. Click Admin, then click Authentication and Groups.
2. Select Edit.
3. Click Use CAC Authentication (ensure the local emergency user account is checked for local access in case of emergency troubleshooting).
4. Select OK.
5. Close the SMS client.

VI. Test CAC authentication:
1. Ensure one other smartcard reader is enabled in the Device Manager of the computer you are using.
2. Open the SMS client.
3. Type the hostname/IP of the SMS server.
4. With the CAC/admin token inserted in the reader, type the PIN of the CAC.
5. Select the certificate to use to log in.
6. Select OK.
7. The user should be taken to the dashboard and configuration area of the SMS.

VII. Troubleshooting:
1. If you receive errors logging in with the CAC, go to the serial console of the SMS server.
2. Log in with the local emergency user account.
3. Type the command "set cac.disable = yes"; this gives your local admin login access to the SMS client to troubleshoot any configuration errors.

VIII. Ensure the site's LDAP/Active Directory infrastructure is reconfigured to audit account creation, modification, disabling, and removal.

The TippingPoint SMS must be configured to conduct backups of system level information contained in the information system when changes occur.
CP-9 - Medium - CCI-000537 - V-242255 - SV-242255r710772_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000537
Version
TIPP-NM-000580
Vuln IDs
  • V-242255
Rule IDs
  • SV-242255r710772_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-45530r710770_chk

In the SMS client, ensure backups are enabled and scheduled.
1. Select Admin >> Database >> Backup.
2. If no scheduled backup is configured, or if the backup is not configured at least weekly, this is a finding.

Fix: F-45488r710771_fix

In the SMS client, ensure backups are enabled and scheduled.
1. Select Admin >> Database >> Backup.
2. Select New.
3. Enter a name, a weekly schedule, the date and time to back up, and no end date.
4. Include the most recent TOS and DV, include the certificate and keys, and then encrypt the backup. Provide a password.
5. Click Next.
6. Select SFTP.
7. Enter the SFTP URL, path, and location, username, and password in the following example format: "192.168.1.1:/home/sms/backup.bak".
8. Select Next >> Finish.

The TippingPoint SMS must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
CM-6 - Medium - CCI-000366 - V-242256 - SV-242256r710775_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
TIPP-NM-000590
Vuln IDs
  • V-242256
Rule IDs
  • SV-242256r710775_rule
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-45531r710773_chk

In the SMS client, ensure backups are enabled and scheduled.
1. Select Admin >> Database >> Backup.
2. If no scheduled backup is configured, or if the backup is not configured at least weekly, this is a finding.

Fix: F-45489r710774_fix

In the SMS client, ensure backups are enabled and scheduled.
1. Select Admin >> Database >> Backup.
2. Select New.
3. Enter a name, a weekly schedule, the date and time to back up, and no end date.
4. Include the most recent TOS and DV, include the certificate and keys, and then encrypt the backup. Provide a password.
5. Click Next.
6. Select SFTP.
7. Enter the SFTP URL, path, and location, username, and password in the following example format: "192.168.1.1:/home/sms/backup.bak".
8. Select Next >> Finish.

The TippingPoint SMS must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-242257 - SV-242257r710778_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
TIPP-NM-000600
Vuln IDs
  • V-242257
Rule IDs
  • SV-242257r710778_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-45532r710776_chk

In the SMS client, ensure the certificate is signed by an authorized DoD Certificate Authority. Select Admin >> Certificate Management >> Certificates. If there is no certificate, or the certificate is signed by a CA that is not authorized in the DoD, this is a finding.

Fix: F-45490r710777_fix

In the SMS client, ensure the certificate is signed by an authorized DoD Certificate Authority.
1. Select Admin >> Certificate Management >> Certificates.
2. Select Import.
3. The SMS can import a certificate and its private key as separate files, or can import a PKCS12/PFX file. The user can use OpenSSL on a separate system to generate the certificate signing request (CSR), or can use the CSR generation tool on the SMS under Admin >> Certificate Management >> Signing Requests. If using the SMS tool, ensure the following attributes are included in the CSR: a 2048-bit RSA key size and a DNS Subject Alternative Name (SAN), if required.
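Generating the CSR with OpenSSL on a separate system, as step 3 allows, and checking that it carries the two required attributes (a 2048-bit RSA key and a DNS SAN) before it is submitted to the DoD CA, as an added example that is not Trend Micro's code. It assumes the openssl command-line tool is installed; sms.example.mil is a placeholder hostname.

```python
"""Generate and check a CSR with the attributes the fix requires: a 2048-bit
RSA key and a DNS Subject Alternative Name.

Added example, not Trend Micro code. Assumes the openssl command-line tool is
installed; sms.example.mil is a placeholder hostname.
"""
import os
import re
import subprocess
import tempfile


def write_req_config(path: str, common_name: str, dns_san: str) -> None:
    """Minimal openssl req config: the subject comes from [dn], the SAN from
    [ext]. A config file (rather than -addext) works on older OpenSSL too."""
    with open(path, "w") as fh:
        fh.write(
            "[req]\n"
            "distinguished_name = dn\n"
            "req_extensions = ext\n"
            "prompt = no\n"
            "[dn]\n"
            f"CN = {common_name}\n"
            "[ext]\n"
            f"subjectAltName = DNS:{dns_san}\n"
        )


def generate_csr(workdir: str, common_name: str, dns_san: str,
                 key_bits: int = 2048) -> str:
    """Create a fresh RSA key of key_bits and a CSR carrying the DNS SAN;
    returns the CSR path. The key is written unencrypted (-nodes) so it can be
    imported into the SMS with the signed certificate, hence the 0600 mode."""
    cnf = os.path.join(workdir, "req.cnf")
    key = os.path.join(workdir, "sms.key")
    csr = os.path.join(workdir, "sms.csr")
    write_req_config(cnf, common_name, dns_san)
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
         "-keyout", key, "-out", csr, "-config", cnf],
        check=True, capture_output=True)
    os.chmod(key, 0o600)
    return csr


def csr_attributes(csr_path: str) -> dict:
    """Parse the human-readable CSR dump for the key size and DNS SAN entries."""
    text = subprocess.run(
        ["openssl", "req", "-in", csr_path, "-noout", "-text"],
        check=True, capture_output=True, text=True).stdout
    match = re.search(r"Public-Key: \((\d+) bit\)", text)
    return {
        "key_bits": int(match.group(1)) if match else 0,
        "dns_sans": re.findall(r"DNS:([^,\s]+)", text),
    }


def csr_meets_fix(attrs: dict, required_san: str) -> bool:
    """True only when the key is at least 2048-bit RSA and the DNS SAN is present."""
    return attrs["key_bits"] >= 2048 and required_san in attrs["dns_sans"]


def generate_and_check(common_name: str, dns_san: str, key_bits: int = 2048) -> bool:
    """End-to-end: build the CSR in a scratch directory and evaluate it."""
    with tempfile.TemporaryDirectory() as workdir:
        csr = generate_csr(workdir, common_name, dns_san, key_bits)
        return csr_meets_fix(csr_attributes(csr), dns_san)


if __name__ == "__main__":
    print("2048-bit CSR with SAN meets fix:",
          generate_and_check("sms.example.mil", "sms.example.mil"))
    print("1024-bit CSR meets fix:",
          generate_and_check("sms.example.mil", "sms.example.mil", key_bits=1024))
```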

The TippingPoint SMS must be running an operating system release that is currently supported by the vendor.
CM-6 - Medium - CCI-000366 - V-242258 - SV-242258r710781_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
TIPP-NM-000620
Vuln IDs
  • V-242258
Rule IDs
  • SV-242258r710781_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-45533r710779_chk

Verify that the operating system version (under Devices) and the SMS Software version (under Admin and General) are still under security support by Trend Micro on the https://tmc.tippingpoint.com/TMC/ support website. If the operating system version is not under support, this is a finding.

Fix: F-45491r710780_fix

The system owner must ensure that the operating system version (under Devices) and the SMS Software version (under Admin and General) are still under security support by Trend Micro on the https://tmc.tippingpoint.com/TMC/ support website.
1. Select Release >> Software, and select either SMS or TPS.
2. The versions listed there are the supported releases.
3. Ensure the site SMS and TPS are running one of these supported releases.

The TippingPoint SMS must automatically generate audit records for account changes and actions, containing the information needed for analysis of the event that occurred on the SMS and TPS.
CM-6 - High - CCI-000366 - V-242259 - SV-242259r754443_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
TIPP-NM-000670
Vuln IDs
  • V-242259
Rule IDs
  • SV-242259r754443_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Auditing account changes provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. Associating event types, date/time of the event, identity of any individual or process associated with the event, source/destination of the event, location of the event, and the outcome of the event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. Satisfies: SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000319-NDM-000283, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000100-NDM-000231, SRG-APP-000100-NDM-000289, SRG-APP-000100-NDM-000305, SRG-APP-000100-NDM-000318, SRG-APP-000100-NDM-000319, SRG-APP-000100-NDM-000321, SRG-APP-000100-NDM-000325, SRG-APP-000100-NDM-000334, SRG-APP-000100-NDM-000250
Checks: C-45534r710782_chk

In the SMS client, ensure the remote system is configured to generate all audit records.
1. Navigate to Admin >> Server properties >> Syslog.
2. Verify the configuration enables TCP.
3. Verify the Device Audit, Device System, SMS Audit, and SMS System log types are enabled and configured.
If syslog is not configured to use TCP or does not include the four log types, this is a finding.

Fix: F-45492r710783_fix

In the SMS client, ensure the remote system is configured to generate all audit records.
1. Navigate to Admin >> Server properties >> Syslog >> New.
2. Click Enable.
3. Click TCP (required for DoD).
4. Under Log Type, select "Device Audit".
5. Facility: "Log Audit".
6. Timestamp: SMS Current Time.
7. Check "Include SMS hostname in Header".
8. Click OK.
9. Repeat these steps for the three other Log Types: Device System, SMS Audit, and SMS System.

The password for the local account of last resort and the device password (if configured) must be changed when members who had access to the password leave the role and are no longer authorized access.
AC-2 - Medium - CCI-002142 - V-242260 - SV-242260r710787_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002142
Version
TIPP-NM-000950
Vuln IDs
  • V-242260
Rule IDs
  • SV-242260r710787_rule
If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account.
Checks: C-45535r710785_chk

Have the local representative show password change logs or documentation to show this is a local process. If the password for the local account of last resort is not changed when members who had access to the password leave the role and are no longer authorized access, this is a finding.

Fix: F-45493r710786_fix

Change the password for the account of last resort.
1. Navigate to Admin >> Authentication and Authorization >> Users.
2. Select the account of last resort.
3. Click Edit and select Authentication.
4. Enter and confirm the password.
To change the password for managed devices, if configured, navigate to Devices >> All Devices >> Member Summary >> Device Users. The Device User Accounts screen displays a table listing the user accounts available on managed devices.