Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

A10 Networks ADC NDM Security Technical Implementation Guide

V1R2 · · · Released 24 Jul 2024 · 38 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 15 Apr 2016 +38 −37

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 38

  • V-255587 Medium The A10 Networks ADC must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
  • V-255588 Medium The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
  • V-255589 Low The A10 Networks ADC must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  • V-255590 Medium The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
  • V-255591 Low The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events.
  • V-255592 Low The A10 Networks ADC must have command auditing enabled.
  • V-255593 Low The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-255594 Low The A10 Networks ADC must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
  • V-255595 Medium The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
  • V-255596 Medium The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
  • V-255597 High The A10 Networks ADC must not use the default admin account.
  • V-255598 Medium The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-255599 Medium The A10 Networks ADC must prohibit the use of unencrypted protocols for network access to privileged accounts.
  • V-255600 High The A10 Networks ADC must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
  • V-255601 Medium The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
  • V-255602 High The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.
  • V-255603 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.
  • V-255604 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
  • V-255605 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are removed.
  • V-255606 Medium When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, the password for the emergency administration account must be changed.
  • V-255607 Medium The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
  • V-255608 Medium The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
  • V-255609 Low The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.
  • V-255610 Low The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
  • V-255611 Low The A10 Networks ADC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • V-255612 Medium The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
  • V-255613 Medium The A10 Networks ADC must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-255614 Medium The A10 Networks ADC must authenticate Network Time Protocol sources.
  • V-255615 Medium Operators of the A10 Networks ADC must not use the Telnet client built into the device.
  • V-255616 High The A10 Networks ADC must not use SNMP Versions 1 or 2.
  • V-255617 Medium The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited.
  • V-255618 Medium The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
  • V-255619 Medium The A10 Networks ADC must employ centrally managed authentication server(s).
  • V-255620 Medium The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  • V-255621 Medium The A10 Networks ADC must restrict management connections to the management network.
  • V-255622 Medium The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
  • V-255623 High The A10 Networks ADC must not use the default enable password.
  • V-264426 High The A10 Networks NDM must be using a version supported by the vendor.

Removed rules 37

  • V-68031 Medium The A10 Networks ADC must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
  • V-68033 Medium The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
  • V-68035 Low The A10 Networks ADC must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  • V-68037 Medium The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
  • V-68039 Low The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events.
  • V-68041 Low The A10 Networks ADC must have command auditing enabled.
  • V-68043 Low The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-68045 Low The A10 Networks ADC must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
  • V-68047 Medium The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
  • V-68049 Medium The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
  • V-68051 High The A10 Networks ADC must not use the default admin account.
  • V-68053 Medium The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-68055 Medium The A10 Networks ADC must prohibit the use of unencrypted protocols for network access to privileged accounts.
  • V-68057 High The A10 Networks ADC must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
  • V-68059 Medium The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
  • V-68061 High The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.
  • V-68063 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.
  • V-68065 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
  • V-68067 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are removed.
  • V-68069 Medium When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, the password for the emergency administration account must be changed.
  • V-68071 Medium The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
  • V-68073 Medium The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
  • V-68075 Low The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.
  • V-68077 Low The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
  • V-68079 Low The A10 Networks ADC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • V-68081 Medium The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
  • V-68083 Medium The A10 Networks ADC must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-68085 Medium The A10 Networks ADC must authenticate Network Time Protocol sources.
  • V-68087 Medium Operators of the A10 Networks ADC must not use the Telnet client built into the device.
  • V-68089 High The A10 Networks ADC must not use SNMP Versions 1 or 2.
  • V-68091 Medium The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited.
  • V-68093 High The A10 Networks ADC must not use the default enable password.
  • V-68095 Medium The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
  • V-68097 Medium The A10 Networks ADC must restrict management connections to the management network.
  • V-68099 Medium The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
  • V-68101 Medium The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
  • V-68103 Medium The A10 Networks ADC must employ centrally managed authentication server(s).
Sort by
b
The A10 Networks ADC must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
AC-10 - Medium - CCI-000054 - V-255587 - SV-255587r960735_rule
RMF Control
AC-10
Severity
M
CCI
CCI-000054
Version
AADC-NM-000001
Vuln IDs
  • V-255587
  • V-68031
Rule IDs
  • SV-255587r960735_rule
  • SV-82521
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-59260r873550_chk

Review the device configuration. The following command shows the configuration with an output modifier to display only the phrase "multiple-auth-reject": show run | inc multiple-auth-reject If the output is blank, this is a finding.

Fix: F-59203r873551_fix

The following command disables concurrent logons for any administrative account: authentication multiple-auth-reject

b
The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
AC-7 - Medium - CCI-000044 - V-255588 - SV-255588r960840_rule
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
AADC-NM-000015
Vuln IDs
  • V-255588
  • V-68033
Rule IDs
  • SV-255588r960840_rule
  • SV-82523
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. The A10 Networks ADC must be configured to limit the consecutive invalid logon attempts. When someone attempts to log on, but fails repeatedly, the failed logon attempts and associated "user is disabled" message will be logged. Note: The user will still be prompted up to five times, even when the account is disabled at three failed logon attempts.
Checks: C-59261r873553_chk

Review the configuration. The following command shows the device configuration and filters the output on the keyword "lockout": show run | inc lockout View the output; it will contain these commands: admin lockout enable admin lockout reset-time 15 admin lockout threshold 3 If it does not, this is a finding.

Fix: F-59204r873554_fix

The following command enables admin lockout: admin lockout enable The following example locks the admin account after three failed logon attempts sets the A10 ADC to remember the last failed logon for 15 minutes: admin lockout threshold 3 admin lockout reset-time 15 Note: This will be applied to all administrative accounts.

a
The A10 Networks ADC must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Low - CCI-000048 - V-255589 - SV-255589r960843_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
AADC-NM-000016
Vuln IDs
  • V-255589
  • V-68035
Rule IDs
  • SV-255589r960843_rule
  • SV-82525
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-59262r873556_chk

Observe someone logging onto the device. If the device does not present a DoD-approved banner, this is a finding. For the CLI, the short form of the banner is acceptable. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Fix: F-59205r873557_fix

The following command sets the banner to be displayed when an administrator logs onto the CLI: banner login multi-line "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. I've read and consent to the terms in the IS User Agreement." Note: The " is the end-marker that delineates the banner text. The following process adds a Logon Banner to CLI and a Web Logon Message: In the WebGUI, navigate to Config Mode >> System >> Settings >> Terminal >> Banner For Banner Type: Select multi-line. Enter the approved text (short version) in the Logon Banner: text entry area. Enter the approved text (either version) in the Web Logon Message: text entry area. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Select the "OK" box at the bottom of the screen.

b
The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
AU-12 - Medium - CCI-000171 - V-255590 - SV-255590r961863_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000171
Version
AADC-NM-000023
Vuln IDs
  • V-255590
  • V-68037
Rule IDs
  • SV-255590r961863_rule
  • SV-82527
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Administrators with Root, Read Write, or Read Only privileges can view the audit and system logs.
Checks: C-59263r873559_chk

Review the device configuration. Enter the following command to view detailed information about the administrative accounts: show admin detail The output of this command will show the Access type, Privilege level, and GUI role, among other parameters. If persons other than the ISSM (or individuals or roles appointed by the ISSM) have Root, Read Write, or Read Only privileges, this is a finding.

Fix: F-59206r873560_fix

Do not configure accounts with Root, Read Write, or Read Only privileges for anyone other than the ISSM (or individuals or roles appointed by the ISSM).

a
The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events.
AU-3 - Low - CCI-000133 - V-255591 - SV-255591r960900_rule
RMF Control
AU-3
Severity
L
CCI
CCI-000133
Version
AADC-NM-000029
Vuln IDs
  • V-255591
  • V-68039
Rule IDs
  • SV-255591r960900_rule
  • SV-82529
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. The source may be a component, module, or process within the device or an external session, administrator, or device. Associating information about where the source of the event occurred provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured device. When the event log or system log is written to a syslog server, the hostname is included with each record.
Checks: C-59264r873562_chk

Observe someone logging onto the device. The prompt will appear after a successful logon. If the prompt is not a unique hostname assigned by the organization, this is a finding. Note: The device automatically includes the hostname in each Syslog message.

Fix: F-59207r873563_fix

The following command will change the hostname: hostname [string] The string can contain 1 to 31 characters and can contain the following characters: a-z A-Z 0-9 - . ( ) Note: The device automatically includes the hostname in each Syslog message.

a
The A10 Networks ADC must have command auditing enabled.
AU-3 - Low - CCI-000135 - V-255592 - SV-255592r960909_rule
RMF Control
AU-3
Severity
L
CCI
CCI-000135
Version
AADC-NM-000032
Vuln IDs
  • V-255592
  • V-68041
Rule IDs
  • SV-255592r960909_rule
  • SV-82531
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands.
Checks: C-59265r873565_chk

Review the device configuration. The following command displays the configuration and includes an output modifier to filter on the word "audit": show run | inc audit If the output does not include "audit enable privilege", this is a finding.

Fix: F-59208r873566_fix

The following command enables command auditing: audit enable privilege The privilege option enables logging of Privileged EXEC commands also. Without this option, only configuration commands are logged. Use this option.

a
The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
AU-5 - Low - CCI-000139 - V-255593 - SV-255593r961863_rule
RMF Control
AU-5
Severity
L
CCI
CCI-000139
Version
AADC-NM-000033
Vuln IDs
  • V-255593
  • V-68043
Rule IDs
  • SV-255593r961863_rule
  • SV-82533
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Since the A10 Networks ADC can monitor connectivity to servers, it can be configured to perform a health check of the Syslog servers. When connectivity is lost or the health check fails for another reason, it can send an SNMP trap notifying authorized personnel.
Checks: C-59266r873568_chk

Review the device configuration. The following command shows the configured Server Load Balancing instances: show run | sec slb If no Server Load Balancing instance is configured with a health check to the Syslog server, this is a finding. The following command shows the device configuration and filters the output on the string "snmp": show run | inc snmp This will include which SNMP traps the device is configured to send. If the output does not include "snmp-server enable traps slb server-down", this is a finding.

Fix: F-59209r873569_fix

The following command enables the device to send an SNMP trap when the health monitor shows the connection to the server is down: snmp-server enable traps slb server-down The following command enables the device to send an SNMP trap when the health-monitor shows the connection to the server is up: snmp enable traps slb server-up The following command creates a health monitor for UDP 514 (the Syslog port): health monitor [monitor name] method udp port 514 The following command creates a Server Load Balancing instance and assigns a health monitor to it: slb server server-name [ipaddr | hostname] health-check [monitor]

a
The A10 Networks ADC must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Low - CCI-001348 - V-255594 - SV-255594r961863_rule
RMF Control
AU-9
Severity
L
CCI
CCI-001348
Version
AADC-NM-000042
Vuln IDs
  • V-255594
  • V-68045
Rule IDs
  • SV-255594r961863_rule
  • SV-82535
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. There are two ways to meet this requirement; either by configuring the device to send the audit and event log to the syslog servers or by scheduling periodic exports of the audit and event logs.
Checks: C-59267r873571_chk

This requirement can be met by use of a syslog/audit log server if the device is configured to send logs to that server. Review the device configuration. Enter the command to view the logging policy: sho log policy If the output shows syslog hosts are configured, this not is a finding. If the output shows syslog as enabled, this is not a finding. If it is not configured to send audit and event logs to a syslog server, enter the command to view the scheduled backup of the log: show backup If the there is no backup configured, this is a finding. If the backup period is not seven days or less, this is a finding. If the last backup failed and it has been more than seven days since the last backup, this is a finding.

Fix: F-59210r873572_fix

To configure the network device to send audit and event logs to a syslog server: The following command enables logging using the syslog protocol: logging syslog [severity-level] The severity level can be any one of the following options: emergency, alert, critical, error, warning, notification, information, debugging. The following command specifies where to send syslog messages: logging host [ipaddr][port protocol-port] "ipaddr" is the IP address of the syslog server. Up to 10 remote logging servers are supported. "port" is the protocol port number to which to send messages. All logging servers must use the same port. The default port is 514. The following command sends the audit log records to a specific syslog server (Note: The event log and the audit log are separate logs): logging auditlog host [ipaddr | hostname] [facility facility-name] "ipaddr" is the IP address of the syslog server. "hostname" is the hostname of the syslog server. "facility" is the facility code to use for messages sent from the device. To configure the network device to backup logs to a file server: The following command periodically backs up (copies) the log to a specific server: backup periodically log [hour num | day num | week num] [use-mgmt-port] url The hour, day, and week options are the frequency of backups. The use-mgmt-port option uses the management interface as the source interface for the connection to the remote device. The url specifies the file transfer protocol, username (if required), and directory path. Since secure protocols are required, use either SCP or SFTP: scp://[user@]host/file/ or sftp://[user@]host/file/ "user" is the account configured on the backup server. "host" is the backup server. "file" is the name of the file on the backup server. When the command is entered, the device will prompt for the password of the backup server. This password is saved to a profile.

b
The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
CM-7 - Medium - CCI-000382 - V-255595 - SV-255595r960966_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
AADC-NM-000046
Vuln IDs
  • V-255595
  • V-68047
Rule IDs
  • SV-255595r960966_rule
  • SV-82537
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Checks: C-59268r873574_chk

Review the device configuration. The following command displays the types of management access allowed on each of the device's interfaces: show management If SSH, Telnet, HTTP, HTTPS, or SNMP is "on" for any of the interfaces other than the management interface, this is a finding. Note: Ping may be used on inward-facing interfaces.

Fix: F-59211r873575_fix

The following command disables ping, SSH, Telnet, HTTP, HTTPS, and SNMP to a range of interfaces: no enable-management service all ethernet [number] to [number] Note: Ping may be used on inward-facing interfaces.

b
The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
IA-2 - Medium - CCI-000764 - V-255596 - SV-255596r961863_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000764
Version
AADC-NM-000047
Vuln IDs
  • V-255596
  • V-68049
Rule IDs
  • SV-255596r961863_rule
  • SV-82539
To assure accountability and prevent unauthenticated access, organizational administrators must be uniquely identified and authenticated for all network management accesses to prevent potential misuse and compromise of the system. This means that there must be no shared accounts. The only exception is for the emergency administration account. Note: The number of emergency administration accounts is restricted to at least one, but no more than operationally required as determined by the ISSO.
Checks: C-59269r873577_chk

Review the device configuration. Enter the following command to view all administrative accounts: show admin detail If there are any shared accounts other than the emergency administration account, this is a finding. Obtain the list of accounts configured on the authentication server. If there are any shared accounts other than the emergency administration account, this is a finding.

Fix: F-59212r873578_fix

Do not configure any shared accounts, either on the A10 ADC itself or on the authentication servers. The only exception to this is the emergency administration account.

c
The A10 Networks ADC must not use the default admin account.
IA-2 - High - CCI-000764 - V-255597 - SV-255597r961863_rule
RMF Control
IA-2
Severity
H
CCI
CCI-000764
Version
AADC-NM-000048
Vuln IDs
  • V-255597
  • V-68051
Rule IDs
  • SV-255597r961863_rule
  • SV-82541
To assure accountability and prevent unauthenticated access, organizational administrators must be uniquely identified and authenticated for all network management accesses to prevent potential misuse and compromise of the system. The use of a default password for any account, especially one for administrative access, can quickly lead to a compromise of the device and subsequently, the entire enclave or system. The "admin" account is intended solely for the initial setup of the device and must be disabled when the device is initially configured. The default password for this account must immediately be changed at the first logon of an authorized administrator. The ACOS device comes with one admin account, "admin", by default. The "admin" account has global Read Write privileges. The admin account, and other admin accounts with global Read Write privileges, can configure additional admin accounts. Since this account, if misused, can easily compromise the device, it must be disabled.
Checks: C-59270r873580_chk

Attempt to log on to the device using the default administrator logon and password. If the logon is successful, this is a finding. Review the device configuration. The following command shows all of the configured accounts on the device: show admin If the admin account is enabled, this is a finding.

Fix: F-59213r873581_fix

The following command changes the admin password for the account "admin" to the character string entered: admin admin password [newpassword] The prompt will change to show that the admin account is being configured. The following command disables the account: disable

b
The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-255598 - SV-255598r960993_rule
RMF Control
IA-2
Severity
M
CCI
CCI-001941
Version
AADC-NM-000052
Vuln IDs
  • V-255598
  • V-68053
Rule IDs
  • SV-255598r960993_rule
  • SV-82543
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Of the three authentication protocols for device management on the A10 Networks ADC, none are inherently replay-resistant. If LDAP or TACACS+ is selected, TLS must also be used. If RADIUS is used, the device must be a FIPS mode platform.
Checks: C-59271r873583_chk

Review the device configuration. Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample verification for TACACS+. The following command shows the parts of the configuration with the word "tacplus": show run | inc tacplus If the output is blank, this is a finding. The following command shows information for all configured TACACS servers: show tacacs-server If no servers are configured, this is a finding. If RADIUS is used, ask the Administrator whether or not the device is a FIPS version of the platform. This is identified by the designation "FIPS" in the stock keeping unit (SKU). The following command shows the version of ACOS used and other related information: show version If the output does not include "Platform features: fips", this is a finding.

Fix: F-59214r873584_fix

Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample configuration for TACACS+. The following command sets the authentication method to TACACS+ for administrative access to the device: authentication type tacplus The local database (local option) must be included as one of the authentication sources, regardless of the order is which the sources are used. Authentication using only a remote server is not supported. The following command configures the device to use a TACACS+ server: tacacs-server host [hostname | ipaddr] secret [secret-string] "hostname | ipaddr" is the hostname or IP address of the TACACS+ server. "secret-string" is the secret key to authenticate the switch to the TACACS+ server. Up to two TACACS+ servers can be configured. The secondary server is used only if the primary server does not respond. The servers are used in the order in which you add them to the configuration. Use a separate command for each of the servers. If RADIUS is used, the device must be the FIPS version of the platform. The FIPS version of the platform is identified by the designation "FIPS" in the stock keeping unit (SKU) when purchasing the device. It is imperative that the correct version of the device be procured.

b
The A10 Networks ADC must prohibit the use of unencrypted protocols for network access to privileged accounts.
IA-5 - Medium - CCI-000197 - V-255599 - SV-255599r961029_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
AADC-NM-000062
Vuln IDs
  • V-255599
  • V-68055
Rule IDs
  • SV-255599r961029_rule
  • SV-82545
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.
Checks: C-59272r873586_chk

Review the device configuration. The following command show the types of management access allowed on each of the interfaces: show management [ipv4 | ipv6] The following command shows IPv4 management access information: show management ipv4 If either Telnet or HTTP is listed as "on" for any interface, this is a finding. The following command shows IPv6 management access information: show management ipv6 If either Telnet or HTTP is listed as "on" for any interface, this is a finding. Verify that HTTP for management is disabled. show web-service If HTTP is enabled, this is a finding. HTTPS is allowed for management and is enabled by default.

Fix: F-59215r873587_fix

Configure the device to prohibit the use of Telnet and HTTP for device management. The following commands enable management access to the device and the use of SSH, HTTPS, Syslog, and SNMP: enable-management service ssh https syslog snmp snmp-trap Disable HTTP on the management interface: no enable-management service http management Note: Do not configure any management protocols on any of the other interfaces. Disable the web server (HTTP for management). no web-service server

c
The A10 Networks ADC must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-255600 - SV-255600r961068_rule
RMF Control
SC-10
Severity
H
CCI
CCI-001133
Version
AADC-NM-000070
Vuln IDs
  • V-255600
  • V-68057
Rule IDs
  • SV-255600r961068_rule
  • SV-82547
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-59273r873589_chk

Review the device configuration. The following command shows the terminal settings: show terminal If the idle-timeout is greater than 10 minutes or is set to zero (no timeout), this is a finding. The following command shows the web management (GUI) settings: show web-service If the idle time is greater than 10 minutes or is set to zero (no timeout), this is a finding.

Fix: F-59216r873590_fix

The following command sets the terminal idle timeout to 10 minutes: terminal idle-timeout 10 The following command sets the Web GUI timeout to 10 minutes: web-service timeout-policy idle 10 Note: 10 minutes is the default setting.

b
The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
SI-11 - Medium - CCI-001314 - V-255601 - SV-255601r961863_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
AADC-NM-000076
Vuln IDs
  • V-255601
  • V-68059
Rule IDs
  • SV-255601r961863_rule
  • SV-82549
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information must not be revealed through error messages to unauthorized personnel or their designated representatives. In the A10 Networks ADC, the audit log is maintained in a separate file separate from the system log. Access to the audit log is role-based. The audit log messages that are displayed for an admin depend upon that administrator’s role (privilege level). Administrators with Root, Read Write, or Read Only privileges who view the audit log can view all the messages, for all system partitions.
Checks: C-59274r873592_chk

Review the device configuration. Enter the following command to view detailed information about the administrative accounts: show admin detail The output of this command will show the Access type, Privilege level, and GUI role, among other parameters. If persons other than other than the authorized individuals (ISSO, ISSM, and SA) have Root, Read Write, or Read Only privileges, this is a finding.

Fix: F-59217r873593_fix

Do not assign anyone who is not the ISSO, ISSM, and authorized System Administrators to be Administrators with Root, Read Write, or Read Only privileges. Do not configure accounts with Root, Read Write, or Read Only privileges for anyone other than the authorized individuals (ISSO, ISSM, and SA).

c
The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.
AC-2 - High - CCI-001683 - V-255602 - SV-255602r961863_rule
RMF Control
AC-2
Severity
H
CCI
CCI-001683
Version
AADC-NM-000078
Vuln IDs
  • V-255602
  • V-68061
Rule IDs
  • SV-255602r961863_rule
  • SV-82551
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. The A10 Networks ADC records in the audit log when an account is created. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. Configuring the device to forward all audit log messages to an actively monitored syslog server or SNMP management station meets this requirement.
Checks: C-59275r873595_chk

The A10 Networks ADC records in the audit log when an account is created. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers or SNMP management station, which is continuously monitored. Review the device configuration. The following command shows the portion of the device configuration that includes the word "host": show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59218r873596_fix

The following command specifies the severity levels of event messages to send to a Syslog server: logging syslog [severity-level] The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. You can enter IP addresses for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.
AC-2 - Medium - CCI-001684 - V-255603 - SV-255603r961863_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001684
Version
AADC-NM-000079
Vuln IDs
  • V-255603
  • V-68063
Rule IDs
  • SV-255603r961863_rule
  • SV-82553
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of device administrator accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. The A10 Networks ADC records in the audit log when an account is modified. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. Configuring the device to forward all audit log messages to an actively monitored syslog server or SNMP management station meets this requirement.
Checks: C-59276r873598_chk

The A10 Networks ADC records in the audit log when an account is modified. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers or SNMP management station which is continuously monitored. Review the device configuration. The following command shows the portion of the device configuration that includes the word "host". show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59219r873599_fix

The following command specifies the severity levels of event messages to send to a Syslog server: logging syslog [severity-level] The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
AC-2 - Medium - CCI-001685 - V-255604 - SV-255604r961863_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001685
Version
AADC-NM-000080
Vuln IDs
  • V-255604
  • V-68065
Rule IDs
  • SV-255604r961863_rule
  • SV-82555
When application accounts are disabled, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. The A10 Networks ADC records in the audit log when an account is disabled. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. Configuring the device to forward all audit log messages to an actively monitored syslog server or SNMP management station meets this requirement.
Checks: C-59277r873601_chk

The A10 Networks ADC records in the audit log when an account is disabled. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers or SNMP management station, which is continuously monitored. Review the device configuration. The following command shows the portion of the device configuration that includes the word "host": show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59220r873602_fix

The following command specifies the severity levels of event messages to send to a Syslog server: logging syslog [severity-level] The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are removed.
AC-2 - Medium - CCI-001686 - V-255605 - SV-255605r961863_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001686
Version
AADC-NM-000081
Vuln IDs
  • V-255605
  • V-68067
Rule IDs
  • SV-255605r961863_rule
  • SV-82557
When application accounts are removed, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. The A10 Networks ADC records in the audit log when an account is removed. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. Configuring the device to forward all audit log messages to an actively monitored syslog server or SNMP management station meets this requirement.
Checks: C-59278r873604_chk

The A10 Networks ADC records in the audit log when an account is removed. This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers or SNMP management station, which is continuously monitored. Review the device configuration. The following command shows the portion of the device configuration that includes the word "host": show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59221r873605_fix

The following command specifies the severity levels of event messages to send to a Syslog server: logging syslog [severity-level] The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, the password for the emergency administration account must be changed.
AC-2 - Medium - CCI-002142 - V-255606 - SV-255606r984107_rule
RMF Control
AC-2
Severity
M
CCI
CCI-002142
Version
AADC-NM-000085
Vuln IDs
  • V-255606
  • V-68069
Rule IDs
  • SV-255606r984107_rule
  • SV-82559
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates. Group accounts are not allowed except for the emergency administration account, which is an account can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is also referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort and immediate administrative access is absolutely necessary.
Checks: C-59279r873607_chk

Review the list of personnel who are authorized access to the emergency administration account and determine when someone either changed roles or left the organization. Compare this against the documented last change of the emergency administration account password. If the emergency administration account was not changed, this is a finding.

Fix: F-59222r873608_fix

When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, change the password for the emergency administration account.

b
The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
AC-2 - Medium - CCI-002132 - V-255607 - SV-255607r961863_rule
RMF Control
AC-2
Severity
M
CCI
CCI-002132
Version
AADC-NM-000087
Vuln IDs
  • V-255607
  • V-68071
Rule IDs
  • SV-255607r961863_rule
  • SV-82561
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies SAs and ISSMs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.
Checks: C-59280r873610_chk

The A10 Networks ADC records in the audit log when an account is created (enabled). This appears as the command that created the account and contains the keyword "admin". These messages must be forwarded to the ISSO and administrators. This is met by sending audit log messages to the Syslog servers. Review the device configuration. The following command shows the portion of the device configuration that includes the word "host": show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands (no log targets are configured), this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59223r873611_fix

The following command specifies the severity levels of event messages to send to a Syslog server: logging syslog [severity-level] The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
AC-7 - Medium - CCI-002238 - V-255608 - SV-255608r961863_rule
RMF Control
AC-7
Severity
M
CCI
CCI-002238
Version
AADC-NM-000093
Vuln IDs
  • V-255608
  • V-68073
Rule IDs
  • SV-255608r961863_rule
  • SV-82563
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-59281r873613_chk

Attempt to log on to an administrator account three times. On each attempt, deliberately enter an incorrect password. Attempt to log on a fourth time with a correct password. If the attempt succeeds, this is a finding. This can also be verified using the following command to view the lockout status of all administrative accounts: show admin detail If the Lock Status is not Locked, this is a finding.

Fix: F-59224r873614_fix

Use the following command to enable admin lockout: admin lockout enable The following command locks the admin account after three failed logon attempts sets the A10 ADC to remember the last failed logon for 15 minutes. admin lockout threshold 3 admin lockout reset-time 15 Use the following command to enable admin lockout: admin lockout enable The following command keeps a locked admin account locked until it is manually unlocked by an authorized admin: admin lockout duration 0

a
The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.
AU-5 - Low - CCI-001858 - V-255609 - SV-255609r961401_rule
RMF Control
AU-5
Severity
L
CCI
CCI-001858
Version
AADC-NM-000098
Vuln IDs
  • V-255609
  • V-68075
Rule IDs
  • SV-255609r961401_rule
  • SV-82565
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-59282r873616_chk

Review the device configuration. The following command shows the logging policy: show log policy If the level of logging for the Console, Syslog, and Monitor is not at least Emergency, this is a finding. Since each severity level includes the levels below it, other levels are permitted. However, the debugging level may generate too many messages when used and must be used carefully.

Fix: F-59225r873617_fix

The following command sets the severity level for a particular destination: log [destination] [severity] Note: Each severity level includes the levels below it. However, the debugging level may generate too many messages when used and must be used carefully.

a
The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
AU-8 - Low - CCI-001891 - V-255610 - SV-255610r961863_rule
RMF Control
AU-8
Severity
L
CCI
CCI-001891
Version
AADC-NM-000099
Vuln IDs
  • V-255610
  • V-68077
Rule IDs
  • SV-255610r961863_rule
  • SV-82567
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Checks: C-59283r873619_chk

Review the device configuration. The following command shows clock information: show clock detail If the output does not show NTP as the time source, this is a finding. If a dot appears in front of the time, the device has been configured to use NTP, but NTP is not synchronized. This is also a finding.

Fix: F-59226r873620_fix

Up to four NTP servers can be configured. The following commands set the NTP server and enable the Network Time Protocol: ntp server [hostname | ipaddr] ntp enable

a
The A10 Networks ADC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
AU-8 - Low - CCI-002046 - V-255611 - SV-255611r961863_rule
RMF Control
AU-8
Severity
L
CCI
CCI-002046
Version
AADC-NM-000100
Vuln IDs
  • V-255611
  • V-68079
Rule IDs
  • SV-255611r961863_rule
  • SV-82569
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference. The organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.
Checks: C-59284r873622_chk

Review the device configuration. The following command shows clock information: show clock detail If the output does not show NTP as the time source, this is a finding. If a dot appears in front of the time, the device has been configured to use NTP, but NTP is not synchronized. This is also a finding.

Fix: F-59227r873623_fix

Up to four NTP servers can be configured. The following commands set the NTP server and enable the Network Time Protocol: ntp server [hostname | ipaddr] ntp enable

b
The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-255612 - SV-255612r987682_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AADC-NM-000101
Vuln IDs
  • V-255612
  • V-68081
Rule IDs
  • SV-255612r987682_rule
  • SV-82571
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-59285r873625_chk

Review the device configuration. The following command shows the configuration with an output modifier to display only NTP-related configuration: show run | include ntp Alternately, enter the command to display the configured NTP servers and whether or not NTP is enabled: show ntp servers If the output shows fewer than two configured NTP servers, this is a finding. Ask the device administrator where the Primary NTP Server and Secondary NTP Server are located. If they are not in different geographic regions, this is a finding.

Fix: F-59228r873626_fix

Up to four NTP servers can be configured. The following commands set the NTP server and enable the Network Time Protocol: ntp server [hostname | ipaddr] ntp enable Note: The primary and secondary time sources must be located in different geographic regions.

b
The A10 Networks ADC must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-255613 - SV-255613r961443_rule
RMF Control
AU-8
Severity
M
CCI
CCI-001890
Version
AADC-NM-000102
Vuln IDs
  • V-255613
  • V-68083
Rule IDs
  • SV-255613r961443_rule
  • SV-82573
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-59286r873628_chk

Review the device configuration. The following command shows clock information: show clock detail If the output does not show GMT as the time zone, this is a finding.

Fix: F-59229r873629_fix

The device uses GMT as the default time zone. The following command sets the time zone: clock timezone timezone [nodst] "nodst" disables Daylight Savings Time.

b
The A10 Networks ADC must authenticate Network Time Protocol sources.
IA-3 - Medium - CCI-001967 - V-255614 - SV-255614r961506_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
AADC-NM-000113
Vuln IDs
  • V-255614
  • V-68085
Rule IDs
  • SV-255614r961506_rule
  • SV-82575
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affected scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-59287r873631_chk

Review the device configuration. The following command includes an output modifier to display only NTP-related configuration: show run | include ntp The output should contain either the "ntp auth-key" command or the "ntp trusted-key" command. If it does not, this is a finding.

Fix: F-59230r873632_fix

The following command configures NTP authentication: ntp [auth-key ID-num M string] This creates an authentication key. For ID-num, enter a value between 1-65535. For string, enter a series of 1-31 alphanumeric characters for the key. This value is stored in the system using the A10 encryption algorithm. The following command also configures NTP authentication: ntp [trusted-key ID-num] This adds an authentication key to the list of trusted keys. For num, enter the identification number of a configured authentication key to add the key to the trusted key list. You can enter more than one number, separated by whitespace, to simultaneously add multiple authentication keys to the trusted key list.

b
Operators of the A10 Networks ADC must not use the Telnet client built into the device.
MA-4 - Medium - CCI-002890 - V-255615 - SV-255615r961554_rule
RMF Control
MA-4
Severity
M
CCI
CCI-002890
Version
AADC-NM-000118
Vuln IDs
  • V-255615
  • V-68087
Rule IDs
  • SV-255615r961554_rule
  • SV-82577
If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions. Telnet is an unsecure protocol; use SSH instead. Note: This requirement does not refer to the device accepting incoming Telnet connections (server), but instead being used as an originator of Telnet requests (client). This is the exec level command "telnet".
Checks: C-59288r873634_chk

Determine if any operators have used Telnet. Evidence of the use of Telnet will be in the audit log. The following command shows any instances of the word "telnet" in the audit log: show audit | inc telnet If the log shows the use of the Telnet command, this is a finding.

Fix: F-59231r873635_fix

The device has a Telnet client that is available at the privileged exec level. Do not use it; use SSH from a management workstation instead.

c
The A10 Networks ADC must not use SNMP Versions 1 or 2.
MA-4 - High - CCI-003123 - V-255616 - SV-255616r961557_rule
RMF Control
MA-4
Severity
H
CCI
CCI-003123
Version
AADC-NM-000119
Vuln IDs
  • V-255616
  • V-68089
Rule IDs
  • SV-255616r961557_rule
  • SV-82579
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network. SNMP Versions 1 and 2 cannot authenticate the source of a message nor can they provide encryption. Without authentication, it is possible for unauthorized users to exercise SNMP network management functions. It is also possible for unauthorized users to eavesdrop on management information as it passes from managed systems to the management system. The A10 Networks ADC platforms support SNMPv3. The SNMP service is disabled by default and all traps are disabled by default. SNMP and SNMP trap are disabled on all data interfaces. Use the enable-management command to enable SNMP on the management interface. The OID for A10 Networks A10 Thunder Series and AX Series objects is 1.3.6.1.4.1.22610. Note: A10 Networks devices do not support SNMP “write” commands; this reduces the risk of the device configuration being modified by SNMP.
Checks: C-59289r873637_chk

Review the device configuration. The following command shows the running configuration and filters the output on the string "snmp-server": show run | inc snmp-server If the output shows servers using SNMPv1 or SNMPv2, this is a finding.

Fix: F-59232r873638_fix

The following commands enable SNMP and SNMP traps: snmp-server enable snmp-server enable traps Note: This will enable sending all traps. The following command sets Unique engineID: snmp-server engineID [hex-string] The commands below define SNMP OIDs to include when discovering the device via an SNMPv3 manager. The following command defines the group view: snmp-server view [view-name] 1.3.6 included The following command defines SNMPv3 user-based groups: snmp-server user [username] group [groupname] v3 [auth [md5 | sha] password [encrypted]]: Note: Use the SHA option since MD5 is not compliant. The following command defines the SNMPv3 console: snmp host [IP_address] version v3 user [name] udp-port 162 The following command enables SNMP on the management interface: enable-management service snmp management

b
The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-255617 - SV-255617r961860_rule
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
AADC-NM-000130
Vuln IDs
  • V-255617
  • V-68091
Rule IDs
  • SV-255617r961860_rule
  • SV-82581
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-59290r873640_chk

Review the device configuration. The following command shows the portion of the device configuration that includes the word "host": show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands, this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59233r873641_fix

The following command specifies the severity levels of event messages to send to a Syslog server: logging syslog [severity-level] The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
CM-6 - Medium - CCI-000366 - V-255618 - SV-255618r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AADC-NM-000132
Vuln IDs
  • V-255618
  • V-68101
Rule IDs
  • SV-255618r961863_rule
  • SV-82591
By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the network device. An example of a mechanism to facilitate this would be through the use of SNMP traps or a Syslog server where messages are sent to an SNMP console or Syslog server that is monitored by the CNDSP.
Checks: C-59291r873643_chk

Verify a log destination is configured for a CNDSP or other mechanism that is monitored by security personnel. Obtain the IP address of a Syslog server monitored by the CNDSP. Review the device configuration. The following command shows the portion of the device configuration that includes the word "host": show run | inc host If the output does not display the "logging host" and "logging auditlog host" commands, or does not include the IP address of the Syslog server used by the CNDSP, this is a finding. The following command shows the logging policy: show log policy If Syslog logging is disabled, this is a finding.

Fix: F-59234r873644_fix

Obtain the IP address of a Syslog server monitored by the CNDSP. The following command specifies a Syslog server to which to send event messages: logging host ipaddr [ipaddr...][port protocol-port] "ipaddr" is the IP address of the Syslog server. IP addresses can be entered for up to 10 remote logging Syslog servers. "protocolport" is the port number to which to send messages. Only one protocol port can be specified with the command. All servers must use the same port to listen for syslog messages. Since the Audit log is separate from the Event log, it must have its own target to write messages to: logging auditlog host [ipaddr | hostname][facility facility-name] "ipaddr | hostname" is the IP address or hostname of the server. "facility-name" is the name of a log facility.

b
The A10 Networks ADC must employ centrally managed authentication server(s).
CM-6 - Medium - CCI-000366 - V-255619 - SV-255619r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AADC-NM-000137
Vuln IDs
  • V-255619
  • V-68103
Rule IDs
  • SV-255619r961863_rule
  • SV-82593
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. You can configure the device to use remote servers for Authentication, Authorization, and Accounting (AAA) for administrative sessions. The device supports RADIUS, TACACS+, and LDAP servers.
Checks: C-59292r873646_chk

Review the device configuration. Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample verification for TACACS+. The following command shows the parts of the configuration with the word "tacplus": show run | inc tacplus If the output is blank, this is a finding. The following command shows information for all configured TACACS servers: show tacacs-server If no servers are configured, this is a finding.

Fix: F-59235r873647_fix

Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample configuration for TACACS+. The following command sets the authentication method to TACACS+ for administrative access to the device: authentication type tacplus The local database (local option) must be included as one of the authentication sources, regardless of the order in which the sources are used. Authentication using only a remote server is not supported. The following command configures the device to use a TACACS+ server: tacacs-server host [hostname | ipaddr] secret [secret-string] "hostname | ipaddr" is the hostname or IP address of the TACACS+ server. "secret-string" is the secret key to authenticate the switch to the TACACS+ server. Up to two TACACS+ servers can be configured. The secondary server is used only if the primary server does not respond. The servers are used in the order in which you add them to the configuration. Use a separate command for each of the servers.

b
The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
CM-6 - Medium - CCI-000366 - V-255620 - SV-255620r961863_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
AADC-NM-000142
Vuln IDs
  • V-255620
  • V-68099
Rule IDs
  • SV-255620r961863_rule
  • SV-82589
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-59293r873649_chk

Review the device configuration. This can be checked using the GUI: Log on to the device and navigate to Config >> System >> Settings >> Web Certificate. In the certificate pane, view the issuer information. If each certificate is not issued by an approved service provider, this is a finding.

Fix: F-59236r873650_fix

Only import public key certificates from an appropriate certificate policy through an approved service provider. Use the commands "import ssl-cert" and "import ssl-key" or "slb ssl-load" to import SSL certificates and keys.

b
The A10 Networks ADC must restrict management connections to the management network.
AC-4 - Medium - CCI-001368 - V-255621 - SV-255621r960801_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001368
Version
AADC-NM-000143
Vuln IDs
  • V-255621
  • V-68097
Rule IDs
  • SV-255621r960801_rule
  • SV-82587
Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
Checks: C-59294r873652_chk

Ask the device administrator what the subnet assigned to the management network is and which access-list is used to restrict management traffic. Review the device configuration. The following command displays a configured access-list: show access-list [ipv4 | ipv6] [acl-id] If no access list for the management network is configured, this is a finding. If the access list for the management network does not restrict traffic solely to the management network, this is a finding. The following command displays information about the management interface: show interface management If the access list is not applied to the management interface, this is a finding.

Fix: F-59237r873653_fix

Configure an ACL or filter to restrict management access to the device from only the management network. The following commands configure an access control list that only allows traffic from the management network and logs denied traffic: access-list [acl-num] permit access-list [acl-num] permit source-ipaddr {filter-mask | /mask-length} access-list [acl-num] deny any log Note: The source-ipadd and mask must be the subnet used for the management network. The following commands apply the ACL to the management interface: interface management access-list [acl-num] in Note that acl-num is the number assigned to the ACL configured above.

b
The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
MA-4 - Medium - CCI-002890 - V-255622 - SV-255622r961554_rule
RMF Control
MA-4
Severity
M
CCI
CCI-002890
Version
AADC-NM-000144
Vuln IDs
  • V-255622
  • V-68095
Rule IDs
  • SV-255622r961554_rule
  • SV-82585
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.
Checks: C-59295r873655_chk

Review the device configuration. The following command shows the types of management access allowed on each of the interfaces: show management [ipv4 | ipv6] The following command shows IPv4 management access information: show management ipv4 If either Telnet or HTTP is listed as "on" for any interface, this is a finding. The following command shows IPv6 management access information: show management ipv6 If either Telnet or HTTP is listed as "on" for any interface, this is a finding. Verify that HTTP for management is disabled. show web-service If HTTP is enabled, this is a finding. HTTPS is allowed for management and is enabled by default.

Fix: F-59238r873656_fix

The following commands enable management access to the device and the use of SSH, HTTPS, Syslog, and SNMP: enable-management service ssh https syslog snmp snmp-trap Disable HTTP on the management interface: no enable-management service http management Note: Do not configure any management protocols on any of the other interfaces. Disable the web server (HTTP for management): no web-service server

c
The A10 Networks ADC must not use the default enable password.
IA-2 - High - CCI-000764 - V-255623 - SV-255623r961863_rule
RMF Control
IA-2
Severity
H
CCI
CCI-000764
Version
AADC-NM-000145
Vuln IDs
  • V-255623
  • V-68093
Rule IDs
  • SV-255623r961863_rule
  • SV-82583
To assure accountability and prevent unauthenticated access, organizational administrators must be uniquely identified and authenticated for all network management accesses to prevent potential misuse and compromise of the system. The use of a default password for any account, especially one for administrative access, can quickly lead to a compromise of the device and subsequently, the entire enclave or system. The "admin" account is intended solely for the initial setup of the device and must be disabled when the device is initially configured. The default password for this account must immediately be changed at the first logon of an authorized administrator. The default enable password on the A10 is blank password, which can immediately be guessed and lead to a compromise. This password must be immediately set.
Checks: C-59296r873658_chk

After successfully logging on to the device, attempt to enter enable mode using the default (blank) password. If that is successful, this is a finding.

Fix: F-59239r873659_fix

The following command changes the enable password to the character string entered: enable-password [newpassword]

c
The A10 Networks NDM must be using a version supported by the vendor.
CM-6 - High - CCI-000366 - V-264426 - SV-264426r992075_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
AADC-NM-000160
Vuln IDs
  • V-264426
Rule IDs
  • SV-264426r992075_rule
Systems running an unsupported software/firmware version lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Checks: C-68340r992073_chk

This STIG is sunset and no longer updated. Compare the version running to the supported version by the vendor. If the system is using an unsupported version from the vendor, this is a finding.

Fix: F-68248r992074_fix

Upgrade to a version supported by the vendor.