If the device does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable.
Review the device configuration. View the configured cipher templates (if any):
  show slb template cipher
The following cipher suites are in compliance:
  TLS1_RSA_AES_128_SHA
  TLS1_RSA_AES_128_SHA256
  TLS1_RSA_AES_256_SHA
  TLS1_RSA_AES_256_SHA256
If any of the configured cipher templates contain any cipher suites that are not in compliance, this is a finding.
View the configured SLB SSL templates:
  show slb template server-ssl
If any of the configured SLB SSL templates list version 30, 31, or 32, this is a finding. If any of the configured SLB SSL templates contain any cipher suites that are not in compliance, this is a finding.
The following command creates a server-ssl template, which validates real servers based on their certificates:
  slb template server-ssl [template-name]
The following sub-command specifies the version of SSL/TLS used:
  version [30 | 31 | 32 | 33]
Note: Options 30, 31, and 32 are not compliant; use option 33 or higher instead.
The following sub-command specifies the cipher suite to support for certificates from servers:
  cipher [cipher-suite]
The following cipher suites are in compliance:
  TLS1_RSA_AES_128_SHA
  TLS1_RSA_AES_128_SHA256
  TLS1_RSA_AES_256_SHA
  TLS1_RSA_AES_256_SHA256
Optionally, a cipher template containing these cipher suites can be configured and applied. The following command creates a cipher template:
  slb template cipher [template-name]
The following sub-command binds the cipher template to the server-ssl template:
  template cipher [template-name]
If the device is not used to load balance web servers, this is not applicable.
Review the device configuration and ask the device Administrator which templates are used.
If no SLB instance for the log server(s) is configured, this is a finding.
If there is no service group with assigned members for the log servers, or the service group is not included in the logging template, this is a finding.
If no logging template is configured and bound to the WAF template, this is a finding.
If the device is used to load balance web servers, configure external logging for WAF data event messages. Create a server configuration for each log server.
The following command adds a server:
  slb server [server-name] [ipaddr]
The following sub-command specifies the TCP or UDP port number on which the server will listen for log traffic:
  port [port-num] [tcp | udp]
If multiple log servers are used, add the log servers to a service group. Use the round-robin load-balancing method, which is the default method.
The following command creates the service group:
  slb service-group [group-name] [tcp | udp]
The following sub-command adds each log server and its TCP or UDP port to the service group:
  member [server-name:portnum]
The following command creates a logging template:
  slb template logging [template-name]
The following sub-command adds the service group containing the log servers to the logging template:
  service-group [group-name]
The following commands bind the logging template to the WAF template:
  slb template waf [template-name]
  template logging [template-name]
Review the device configuration. The following command shows the configured Server Load Balancing instances:
  show run | sec slb
If no Server Load Balancing instance is configured with a health check to the Syslog server, this is a finding.
The following command shows the device configuration and filters the output on the string "snmp":
  show run | inc snmp
This will include which SNMP traps the device is configured to send. If the output does not include "snmp-server enable traps slb server-down", this is a finding.
The following command enables the device to send an SNMP trap when the health monitor shows the connection to the server is down:
  snmp-server enable traps slb server-down
The following command enables the device to send an SNMP trap when the health monitor shows the connection to the server is up:
  snmp-server enable traps slb server-up
The following commands create a health monitor for UDP 514 (the Syslog port):
  health monitor [monitor-name]
  method udp port 514
The following commands create a Server Load Balancing instance and assign a health monitor to it:
  slb server [server-name] [ipaddr | hostname]
  health-check [monitor-name]
Review the ALG configuration to determine if any aFleX scripts are used on the device. The following command displays all of the configured aFleX scripts:
  show aflex all
If any scripts are present, ask the Administrator for documentation of each script. If no documents can be provided explaining the script and showing where the ISSM or other responsible Security personnel acknowledged the script is being used, this is a finding.
Do not load any unnecessary aFleX scripts on the device.
If DNS-based Global Server Load Balancing is not configured, this is not applicable. If DNS-based Global Server Load Balancing is configured, review the configuration. Check if real servers are configured for DNS. If they are not, then the device is in Server mode, and this is a finding.
If GSLB is used, configure it for Proxy Mode. The difference is that Proxy mode has real servers configured, while Server mode does not. To configure Proxy mode, follow standard SLB configuration steps (Servers, Service Groups, VIP, etc.) that utilize “external” DNS servers and enable it for GSLB when configuring the virtual port.
Review the list of authorized applications, endpoints, services, and protocols that have been added to the PPSM database. Review the configured servers, service groups, and virtual servers.
The following command shows information for SLB servers:
  show slb server
The following command shows information for service groups (multiple servers):
  show slb service-group
The following command shows information for virtual servers (the services visible to outside hosts):
  show slb virtual-server
If any of the servers, service groups, or virtual servers allows traffic that is prohibited by the PPSM CAL, this is a finding.
Do not configure a server, service group, or virtual server for any port, protocol, or service that is prohibited by the PPSM CAL.
If the ALG does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable. Verify the ALG validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the ALG does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.
If intermediary services for TLS are provided, configure the device to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. The following command configures an authentication-server profile for an Online Certificate Status Protocol (OCSP) server:
  authentication-server ocsp [profile-name]
Review the configured servers, service groups, and virtual servers.
The following command shows information for SLB servers:
  show slb server
The following command shows information for service groups (multiple servers):
  show slb service-group
The following command shows information for virtual servers (the services visible to outside hosts):
  show slb virtual-server
Ask the Administrator for the list of approved services being provided by the device and compare it against the output of the commands listed above. If there are more configured virtual servers than are approved, this is a finding.
Do not configure a server, service group, or virtual server for any unnecessary or unapproved service.
If the device is not used to load balance web servers, this is not applicable.
If the device is used to load balance web servers, verify that the A10 Networks ADC strips HTTP response headers. The following command displays WAF templates:
  show slb template waf
If the configured WAF templates do not have the "filter-resp-hdrs" option configured, this is a finding.
If the device is used to load balance web servers, configure the device to strip HTTP response headers. The following commands configure a WAF template and include the option to strip HTTP response headers:
  slb template waf [template-name]
  filter-resp-hdrs
If the device is not used to load balance web servers, this is not applicable.
If the device is used to load balance web servers, verify that the A10 Networks ADC replaces error response codes. The following command displays WAF templates:
  show slb template waf
If the configured WAF templates do not have the "hide-resp-codes" option configured, this is a finding.
If the device is used to load balance web servers, configure the device to replace error response codes. The following commands configure a WAF template and include the option to cloak response codes:
  slb template waf [template-name]
  hide-resp-codes
If the ADC is not used to load balance web servers where data can be entered and used in databases or other applications, this is not applicable.
Interview the device administrator to determine which WAF template is used for web servers where data can be entered and used in databases or other applications. Review the device configuration. The following command displays WAF templates:
  show slb template waf
If the configured WAF template does not have the "sqlia-check" option configured, this is a finding.
If the ADC is used to load balance web servers where data can be entered and used in databases or other applications, configure the ADC to prevent code injection attacks. A Web Application Firewall (WAF) template is configured and bound to a virtual port. The following commands configure a WAF template with the SQLIA Check option:
  slb template waf [template-name]
  sqlia-check [reject | sanitize]
Note: The "sanitize" option is allowed but is not preferred due to the increased CPU load.
If the A10 Networks ADC is not used for TLS/SSL decryption for application traffic, this is not applicable. If the A10 Networks ADC is used for TLS/SSL decryption for application traffic, verify the A10 Networks ADC only accepts end entity certificates issued by DoD PKI or DoD-approved PKI CAs for the establishment of protected sessions. If the A10 Networks ADC accepts non-DoD-approved PKI end entity certificates, this is a finding.
If the A10 Networks ADC is used for TLS/SSL decryption for application traffic, import the root and intermediate CA certificates. The certificates can be imported onto the device using FTP or SCP.
Review the device configuration. The following command displays the device configuration and filters the output on the string "slb conn-rate-limit":
  show run | inc slb conn-rate-limit
If Source-IP based connection rate limiting is not configured, this is a finding. If no lockout period is configured as an action, this is a finding.
The following command configures Source-IP based connection rate limiting:
  slb conn-rate-limit src-ip [tcp | udp] conn-limit per [100 | 1000] [exceed-action [log] [lock-out lockout-period]]
Note: Thresholds are specific to the expected traffic for the system or enclave.
Review the device configuration. Ask the Administrator which Application Delivery Services are being provided by the device. The following command displays information for Server Load Balancing:
  show slb
If no Server Load Balancing sessions exist, this is a finding.
Configure the device to balance the traffic load of provided services. This will require configuring Server Load Balancing.
Review the device configuration. The following command displays the device configuration and filters the output on the string "anomaly-drop":
  show run | inc anomaly-drop
The output should display the following commands:
  ip anomaly-drop ip-option
  ip anomaly-drop land-attack
  ip anomaly-drop ping-of-death
  ip anomaly-drop frag
  ip anomaly-drop tcp-no-flag
  ip anomaly-drop tcp-syn-fin
  ip anomaly-drop tcp-syn-frag
  ip anomaly-drop out-of-sequence [threshold]
  ip anomaly-drop zero-window [threshold]
  ip anomaly-drop bad-content
If the output does not show these commands, this is a finding.
The following commands configure DDoS filters:
  ip anomaly-drop ip-option
  ip anomaly-drop land-attack
  ip anomaly-drop ping-of-death
  ip anomaly-drop frag
  ip anomaly-drop tcp-no-flag
  ip anomaly-drop tcp-syn-fin
  ip anomaly-drop tcp-syn-frag
  ip anomaly-drop out-of-sequence [threshold]
  ip anomaly-drop zero-window [threshold]
  ip anomaly-drop bad-content
Note: Thresholds are specific to the expected traffic for the system or enclave.
If the device is not used to load balance web servers, this is not applicable.
Review the device configuration. The following command displays WAF templates:
  show slb template waf
If the configured WAF template does not have the "uri-wlistcheck" option configured, this is a finding.
If the device is used to load balance web servers, configure the URI White List. The following commands configure the ADC to compare incoming traffic against the URI White List:
  slb template waf [template-name]
  uri-wlistcheck [file-name]
Review the device configuration. The following command displays the device configuration and filters the output on the string "log":
  show run | inc log
If the output does not include the command "system anomaly log", this is a finding.
The following command enables logging of packet anomaly events:
  system anomaly log
Ask the device administrator which method is used to send messages when threats are detected. Review the device configuration. If there is no method and target configured, this is a finding.
These are two of the three possible methods of notification that can be configured.
The following command enables SNMP traps:
  snmp-server enable traps
Note: This will enable sending all traps.
The following command configures the SNMPv3 trap receiver (target):
  snmp-server host trap-receiver version v3
Up to 16 trap receivers can be configured. For security, SNMP and SNMP traps are disabled on all data interfaces. Use the enable-management command to enable SNMP on the management interface.
The following command configures log email settings:
  logging email buffer number [num] time [minutes]
By default, emailing of log messages is disabled. If it is enabled, the buffer options have the following default values: number 50, time 10 minutes.
The following command configures an email filter:
  logging email filter [filter-num] [conditions] [operators] [trigger]
Since there are alerts that require immediate action, use the "trigger" option, which sends the messages immediately rather than buffering them.
The following command specifies the email address to which to email the log messages:
  logging email-address [address]
More than one email address can be set.
Review the device configuration. The following command displays the device configuration and filters the output on the string "log":
  show run | inc log
If the output does not include the command "system attack log", this is a finding.
The following command enables logging of DDoS attacks:
  system attack log
If the ADC is not used to load balance web servers, this is not applicable.
Interview the device administrator to determine which WAF template is used for web servers. Review the device configuration. The following command displays the configuration and filters the output on the WAF template section:
  show run | sec slb template waf
If there is no WAF template, this is a finding. If the WAF template allows the HTTP TRACE method, this is a finding.
The following commands configure the ADC to restrict the HTTP methods:
  slb template waf [template-name]
  allowed-http-methods GET POST HEAD PUT DELETE CONNECT PURGE
Note: GET and POST are the default values and are the safest choices. Restricting the methods to GET and POST is recommended.
Review the device configuration. Enter the following command to view detailed information about the administrative accounts:
  show admin detail
The output of this command shows the Access type, the Privilege level, and the GUI role, among other parameters. If persons other than the authorized individuals (ISSO, ISSM, and SA) have Root, Read Write, or Read Only privileges, this is a finding.
Do not configure accounts with Root, Read Write, or Read Only privileges for anyone other than the authorized individuals (ISSO, ISSM, and authorized System Administrators).
Review the device configuration. The following command shows the portion of the device configuration that includes the string "host":
  show run | inc host
If the output does not display the "logging auditlog host" commands, this is a finding.
The following command shows the logging policy:
  show log policy
If Syslog logging is disabled, this is a finding.
Since the Audit log is separate from the Event log, it must have its own target to write messages to:
  logging auditlog host [ipaddr | hostname] [facility facility-name]
"ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.
Review the device configuration. The following command displays the configuration and filters the output on the WAF template section:
  show run | sec slb template waf
If the output contains either "deploy-mode passive" or "deploy-mode learning", this is a finding.
Note: Since deploy-mode active is the default value, it will not appear in the output.
The following commands set the deployment mode of the WAF template:
  slb template waf [template-name]
  deploy-mode active
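The template checks in this STIG (compliant cipher suites and server-ssl versions; the WAF options filter-resp-hdrs, hide-resp-codes, sqlia-check and uri-wlistcheck; allowed-http-methods without TRACE; no passive or learning deploy-mode) can all be run against a saved "show run" capture. The script below is an added example for this page, not part of the STIG and not A10 or DISA code. It assumes that "show run" prints each "slb template <kind> <name>" header at column 0 with its sub-commands indented beneath it, and the configuration it audits is constructed (the suite name TLS1_RSA_RC4_128_SHA is a made-up stand-in for any suite not on the compliant list).

```python
"""Audit A10 ACOS 'show run' output for this STIG's server-ssl, cipher and WAF
template checks.  Constructed example; the parser and sample config are not A10's or DISA's."""
import re

# Cipher suites this STIG lists as compliant.
COMPLIANT_CIPHERS = {"TLS1_RSA_AES_128_SHA", "TLS1_RSA_AES_128_SHA256",
                     "TLS1_RSA_AES_256_SHA", "TLS1_RSA_AES_256_SHA256"}
# server-ssl 'version' values the STIG calls findings (SSLv3, TLS 1.0, TLS 1.1).
WEAK_VERSIONS = {"30", "31", "32"}
# WAF options the STIG requires when the device load-balances web servers.
REQUIRED_WAF_OPTIONS = ("filter-resp-hdrs", "hide-resp-codes", "sqlia-check", "uri-wlistcheck")


def parse_templates(config):
    """Return {(kind, name): [sub-command, ...]} for each 'slb template <kind> <name>' block.
    Assumption: sub-commands are indented under the header; any non-indented line
    (including the '!' separator) ends the block."""
    templates, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        header = re.match(r"^slb template (\S+) (\S+)\s*$", raw)
        if header:
            current = (header.group(1), header.group(2))
            templates[current] = []
        elif raw[0].isspace() and current is not None:
            templates[current].append(raw.strip())
        else:
            current = None
    return templates


def audit_tls(templates):
    """Findings for cipher templates and server-ssl templates."""
    findings = []
    for (kind, name), lines in templates.items():
        for line in lines:
            parts = line.split()
            if kind == "cipher":
                # Assumption: one suite per line, optionally prefixed with 'cipher'.
                suite = parts[1] if parts[0] == "cipher" and len(parts) > 1 else parts[0]
                if suite not in COMPLIANT_CIPHERS:
                    findings.append(f"cipher template {name}: non-compliant suite {suite}")
            elif kind == "server-ssl":
                if parts[0] == "version":
                    weak = [v for v in parts[1:] if v in WEAK_VERSIONS]
                    if weak:
                        findings.append(f"server-ssl template {name}: weak version {' '.join(weak)}")
                elif parts[0] == "cipher" and len(parts) > 1 and parts[1] not in COMPLIANT_CIPHERS:
                    findings.append(f"server-ssl template {name}: non-compliant suite {parts[1]}")
    return findings


def audit_waf(templates):
    """Findings for WAF templates: required options, deploy-mode, and the HTTP TRACE method."""
    waf = {name: lines for (kind, name), lines in templates.items() if kind == "waf"}
    if not waf:
        return ["no WAF template configured"]
    findings = []
    for name, lines in waf.items():
        keywords = {line.split()[0] for line in lines}
        findings += [f"waf template {name}: missing {opt}" for opt in REQUIRED_WAF_OPTIONS
                     if opt not in keywords]
        for line in lines:
            parts = line.split()
            # 'deploy-mode active' is the default and is not shown; only passive/learning appear.
            if parts[0] == "deploy-mode" and parts[1:] and parts[1] in ("passive", "learning"):
                findings.append(f"waf template {name}: deploy-mode {parts[1]}")
            if parts[0] == "allowed-http-methods" and "TRACE" in parts[1:]:
                findings.append(f"waf template {name}: HTTP TRACE allowed")
    return findings


def audit(config):
    templates = parse_templates(config)
    return audit_tls(templates) + audit_waf(templates)


# Constructed sample. TLS1_RSA_RC4_128_SHA is a made-up stand-in for any suite not on the list.
SAMPLE_SHOW_RUN = """\
slb template cipher dod-ciphers
  TLS1_RSA_AES_256_SHA256
!
slb template server-ssl backend-tls
  version 33
!
slb template server-ssl legacy-tls
  version 31
  cipher TLS1_RSA_RC4_128_SHA
!
slb template waf web-prod
  filter-resp-hdrs
  hide-resp-codes
  sqlia-check reject
  uri-wlistcheck allowed-uris.txt
  allowed-http-methods GET POST
!
slb template waf web-legacy
  deploy-mode learning
  allowed-http-methods GET POST TRACE
"""
```

Running audit(SAMPLE_SHOW_RUN) reports nothing for dod-ciphers, backend-tls and web-prod, two findings for legacy-tls (weak version 31 and the non-listed suite) and six for web-legacy (the four missing options, the learning deploy-mode and the TRACE method); the masking checks (ccn-mask, ssn-mask, pcre-scrub) are deliberately left out because they depend on the data owner's requirements.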
Review the device configuration and ask the device Administrator which templates are used for masking sensitive data. The following command displays the configuration and filters the output on the WAF template section:
  show run | sec slb template waf
If there is no WAF template with the required Mask Request checks, this is a finding.
Review the system or enclave documentation and confer with the data owner(s) if necessary. If any data must be masked before it leaves the enclave (such as credit card numbers, Social Security numbers, or other sensitive information), configure the CCN Mask, SSN Mask, and PCRE Mask Request checks. These checks are applied to a WAF template.
The following command replaces all but the last four digits of credit card numbers with an "x" character:
  ccn-mask
The following command replaces all but the last four digits of US Social Security numbers with an "x" character:
  ssn-mask
The following command cloaks patterns in a response that match the specified PCRE pattern:
  pcre-scrub [pcre-pattern] [keep-end [num-length] | keep-start [num-length] | mask [character]]
Review the device configuration. The following command displays the device configuration and filters the output on the string "icmp-rate-limit":
  show run | inc icmp-rate-limit
If ICMP rate limiting is not configured, this is a finding. If no lockout period and maximum rates are configured as an action, this is a finding.
The following command configures ICMP rate limiting:
  icmp-rate-limit [normal-rate] lockup [max-rate] [lockup-time]
Review the device configuration. The following command displays the device configuration and filters the output on the string "syn-cookie":
  show run | inc syn-cookie
If SYN cookies are not enabled, this is a finding.
The following command enables hardware-based SYN cookies:
  syn-cookie on-threshold [num] off-threshold [num]
Note: Hardware-based SYN cookies are available only on some models. If the "on-threshold" and "off-threshold" options are omitted, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections.
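The flat, non-template commands checked with "show run | inc ..." in the connection rate-limit, anomaly-drop, anomaly and attack logging, ICMP rate-limit and SYN-cookie items above lend themselves to a single scripted presence check. The script below is an added example for this page, not part of the STIG and not A10 or DISA code. The regular expressions are mine, built from the command forms this page lists: optional [threshold] arguments are allowed, and a rate limit is counted only when its lock-out or lockup action is present, as the checks require. The "show run" excerpt it audits, including its threshold values, is constructed.

```python
"""Check flat (non-template) hardening commands in A10 ACOS 'show run' output.
Constructed example: the patterns are derived from the commands this STIG lists and the
sample config is made up; neither is A10's or DISA's code."""
import re

# (check name, regex).  Optional arguments such as [threshold] are permitted by the pattern;
# a rate limit only counts when its lock-out / lockup action is present, as the checks require.
REQUIRED = [
    ("ip anomaly-drop ip-option",       r"^ip anomaly-drop ip-option$"),
    ("ip anomaly-drop land-attack",     r"^ip anomaly-drop land-attack$"),
    ("ip anomaly-drop ping-of-death",   r"^ip anomaly-drop ping-of-death$"),
    ("ip anomaly-drop frag",            r"^ip anomaly-drop frag$"),
    ("ip anomaly-drop tcp-no-flag",     r"^ip anomaly-drop tcp-no-flag$"),
    ("ip anomaly-drop tcp-syn-fin",     r"^ip anomaly-drop tcp-syn-fin$"),
    ("ip anomaly-drop tcp-syn-frag",    r"^ip anomaly-drop tcp-syn-frag$"),
    ("ip anomaly-drop out-of-sequence", r"^ip anomaly-drop out-of-sequence( \d+)?$"),
    ("ip anomaly-drop zero-window",     r"^ip anomaly-drop zero-window( \d+)?$"),
    ("ip anomaly-drop bad-content",     r"^ip anomaly-drop bad-content$"),
    ("system anomaly log",              r"^system anomaly log$"),
    ("system attack log",               r"^system attack log$"),
    ("syn-cookie",                      r"^syn-cookie( on-threshold \d+ off-threshold \d+)?$"),
    ("icmp-rate-limit with lockup",     r"^icmp-rate-limit \d+ lockup \d+ \d+$"),
    ("slb conn-rate-limit with lock-out",
     r"^slb conn-rate-limit src-ip (tcp|udp) .*exceed-action.*lock-out \d+$"),
]


def audit_flat(config):
    """Return the names of required commands that do not appear in the config, in STIG order."""
    lines = [line.strip() for line in config.splitlines()]
    missing = []
    for name, pattern in REQUIRED:
        regex = re.compile(pattern)
        if not any(regex.match(line) for line in lines):
            missing.append(name)
    return missing


# Constructed sample: tcp-syn-frag and 'system attack log' are absent, and the source-IP
# connection rate limit has no lock-out action, so three checks should fail.
SAMPLE_SHOW_RUN = """\
ip anomaly-drop ip-option
ip anomaly-drop land-attack
ip anomaly-drop ping-of-death
ip anomaly-drop frag
ip anomaly-drop tcp-no-flag
ip anomaly-drop tcp-syn-fin
ip anomaly-drop out-of-sequence 10
ip anomaly-drop zero-window 10
ip anomaly-drop bad-content
system anomaly log
syn-cookie on-threshold 50000 off-threshold 30000
icmp-rate-limit 1000 lockup 5000 60
slb conn-rate-limit src-ip tcp 100 per 1000 exceed-action log
"""

# The same excerpt with the three gaps closed (constructed values).
REMEDIATED_SHOW_RUN = SAMPLE_SHOW_RUN + """\
ip anomaly-drop tcp-syn-frag
system attack log
slb conn-rate-limit src-ip tcp 100 per 1000 exceed-action log lock-out 60
"""
```

audit_flat(SAMPLE_SHOW_RUN) returns the three missing checks in the order the STIG lists them, and audit_flat(REMEDIATED_SHOW_RUN) returns an empty list; because the patterns are anchored, a commented or partially typed command does not satisfy a check.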
The following command shows the version of ACOS used and other related information:
  show version
If the output does not include "Platform features: fips", this is a finding.
Verify that the units deployed are the FIPS-compliant versions. This is identified by the designation "FIPS" in the stock keeping unit (SKU).
This STIG is sunset and no longer updated. Compare the version running to the supported version by the vendor. If the system is using an unsupported version from the vendor, this is a finding.
Upgrade to a version supported by the vendor.