View the organization's documentation to determine which databases are required to be protected. If the documentation does not exist, this is a finding. Navigate to Learning >> Time Regions and view the table of detected databases. For each database requiring protection, view the "State". Unprotected databases show a red shield. Protected databases show a green shield. If databases that are required to be protected are not being protected, this is a finding.
Configure a database for SQL injection protection. Enable the SQL injection detection capabilities on the applicable interface for the database to be protected. Navigate to Admin >> Capture >> Capture Sources. Select the interface connected to the network that contains the database traffic. Click on the "Enable" button and ensure the "Link up" indicator turns green. Map the database. Navigate to Database >> Database Mapping and find the database to be protected. Click on the check box on the left. Click on the first button at the top of the table which, when hovering over the button, is labeled "Map selected service to new db using their default names". The Mapping Status of the database will change to "Pending Mapping". On the left side of the screen above the label that says "showing", click the button with the arrow. The Mapping Status for the database will change to "Mapped". Note: The learning process requires enough database traffic to properly characterize normal application behavior. Navigate to Learning >> Time Regions and click on the left arrow to expand the window. Click on the plus sign to view the captured traffic. Organizations must capture a significant amount of traffic to enable the device to learn the traffic patterns. The vendor recommends at least three or more days of database traffic learning depending on the organization's traffic volume. Click the "Commit Learning" button on the lower right. View the "State" column of the database to verify the shield symbol is green.
Audit records are automatically backed up on a real-time basis via syslog when enabled. Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog services are set to "on", the syslog server information is valid, and the syslog server has connected. Navigate to Settings >> Advanced >> Audit Log and verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. Following this verification, process a successful account action (of any kind). Confirm the presence of a syslog message on the syslog server containing the information for whatever successful account action was taken. If the DBN-6300 is not connected to the syslog server, or if the syslog server is connected but the message containing the information for the successful account action that was just taken is not there, this is a finding.
Audit records are automatically backed up on a real-time basis via syslog when enabled. Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog server information is valid and that the syslog server has connected. Navigate to Settings >> Advanced >> Audit Log and verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. When a network failure occurs, the audit records can be retrieved manually by downloading the records via the System State Report. This is done by navigating to Support - System State Report, "New Report" (file name is optional). A report will be generated. Using the download arrow on the right of the screen, download and examine the System State Report for the audit record showing the latest audit log.
Audit records are automatically backed up on a real-time basis via syslog when enabled. Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog services are set to "on", the syslog server information is valid, and the syslog server has connected. Navigate to Settings >> Advanced >> Audit Log and verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. Following this verification, process a successful account action (of any kind). Confirm the presence of a syslog message on the syslog server containing the information for whatever successful account action was taken. If the DBN-6300 is not connected to the syslog server, or if the syslog server is connected but the message containing the information for the successful account action that was just taken is not there, this is a finding.
Audit records are automatically backed up on a real-time basis via syslog when enabled. Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog server information is valid and that the syslog server has connected. Navigate to Settings >> Advanced >> Audit Log and verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. When a network failure occurs, the audit records can be retrieved manually by downloading the records via the System State Report. This is done by navigating to Support - System State Report, "New Report" (file name is optional). A report will be generated. Using the download arrow on the right of the screen, download and examine the System State Report for the audit record showing the latest audit log.
Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog services are set to "on", the syslog server information is valid, and the syslog server has connected. If the DBN-6300 is not connected to the syslog server, or if the syslog server is connected when an event/alert occurs and this event does not appear in the syslog server, this is a finding.
Configure the DBN-6300 to be connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Enter the syslog connection information (port and IP address) and push the "enabled" button for both "TCP" and "enable". Click on "Commit".
To verify the current version is installed, navigate to the main screen of the DBN-6300. View the current running code that is visible in the upper-right corner of the screen. Log on to the organization's DB Networks SFTP site and view the version number of the current release. If the current code version does not match the version of the latest available release, this is a finding.
Configure the DBN-6300 for system updates. Log on to the DB Networks SFTP site reserved specifically for the organization using the site's unique logon and password issued by DB Networks administrators. Using the SFTP protocol, navigate to the latest system image. Download this image to a local file repository. The file cannot be downloaded directly to the DBN-6300. If the machine with access to the DB Networks SFTP site does not have access to the DBN-6300, the upgrade image, once tested, may be moved to a system that does have direct connectivity to the DBN-6300 to be upgraded. Click on Tools >> File Management and click the "Upload File" button. A file navigation window will open. Navigate to the upgrade file and start the file upload. When the file upload is complete, select "Tools" and click on the "Updates" button. Select the upgrade file and click on "Upgrade". After the upgrade is complete, click on Admin >> System Control >> Restart Production Mode to restart the system.
View the organization's documentation to determine which databases are required to be protected. If the documentation does not exist, this is a finding. Navigate to Learning >> Time Regions and view the table of detected databases. For each database requiring protection, view the "State". Unprotected databases show a red shield. Protected databases show a green shield. If databases that are required to be protected are not being protected, this is a finding.
Configure a database for SQL injection protection. Enable the SQL injection detection capabilities on the applicable interface for the database to be protected. Navigate to Admin >> Capture >> Capture Sources. Select the interface connected to the network that contains the database traffic. Click on the Enable button and ensure the Link up indicator turns green. Map the database. Navigate to Database >> Database Mapping and find the database to be protected. Click on the check box on the left. Click on the first button at the top of the table which, when hovering over the button, is labeled "Map selected service to new db using their default names". The "Mapping Status" of the database will change to "Pending Mapping". On the left side of the screen above the label that says "showing", click the button with the arrow. The "Mapping Status" for the database will change to "Mapped". Note: The learning process requires enough database traffic to properly characterize normal application behavior. Navigate to Learning >> Time Regions and click on the left arrow to expand the window. Click on the plus sign to view the captured traffic. Organizations must capture a significant amount of traffic to enable the device to learn the traffic patterns. The vendor recommends at least three or more days of database traffic learning depending on the organization's traffic volume. Click the "Commit Learning" button on the lower right. View the "State" column of the database to verify the shield symbol is green.
Verify that the DBN-6300 is configured to detect code injection attacks. Navigate to Application >> Time Learning. Validate that the database or databases of interest has/have the "state" shield set to green (in detection mode). If the "state" shield is not set to green, this is a finding (as the database or databases are not in detection mode).
Configure the DBN-6300 to detect code injection attacks. Navigate to Application >> Time Learning. Validate that the database or databases of interest has/have the "state" shield set to green (in detection mode). If the "state" shield is not set to green: 1) Create a learned set (or new learned set) by clicking on the caret to the left of the database name; 2) Click on the "+" to the left of the "Time Periods" label; 3) Accept the default time period or enter the desired time period for the Learned Set; and 4) Click on "Commit Learning". This may take a small amount of time and will finish when the "Learned State" shows "Passed" and the "state" shield turns green. The database is now in protection mode for SQL injection attacks.
View the organization's documentation to determine which databases are required to be protected. If the documentation does not exist, this is a finding. Navigate to Learning >> Time Regions and view the table of detected databases. For each database requiring protection, view the "State". Unprotected databases show a red shield. Protected databases show a green shield. If databases that are required to be protected are not being protected, this is a finding.
Configure a database for SQL injection protection. Enable the SQL injection detection capabilities on the applicable interface for the database to be protected. Navigate to Admin >> Capture >> Capture Sources. Select the interface connected to the network that contains the database traffic. Click on the "Enable" button and ensure the "Link up" indicator turns green. Map the database. Navigate to Database >> Database Mapping and find the database to be protected. Click on the check box on the left. Click on the first button at the top of the table which, when hovering over the button, is labeled "Map selected service to new db using their default names". The "Mapping Status" of the database will change to "Pending Mapping". On the left side of the screen above the label that says "showing", click the button with the arrow. The "Mapping Status" for the database will change to "Mapped". Note: The learning process requires enough database traffic to properly characterize normal application behavior. Navigate to Learning >> Time Regions and click on the left arrow to expand the window. Click on the plus sign to view the captured traffic. Organizations must capture a significant amount of traffic to enable the device to learn the traffic patterns. The vendor recommends at least three or more days of database traffic learning depending on the organization's traffic volume. Click the "Commit Learning" button on the lower right. View the "State" column of the database to verify the shield symbol is green.
View the organization's documentation to determine which databases are required to be protected. If the documentation does not exist, this is a finding. Navigate to Learning >> Time Regions and view the table of detected databases. For each database requiring protection, view the "State". Unprotected databases show a red shield. Protected databases show a green shield. If databases that are required to be protected are not being protected, this is a finding.
Configure a database for SQL injection protection. Enable the SQL injection detection capabilities on the applicable interface for the database to be protected. Navigate to Admin >> Capture >> Capture Sources. Select the interface connected to the network that contains the database traffic. Click on the "Enable" button and ensure the "Link up" indicator turns green. Map the database. Navigate to Database >> Database Mapping and find the database to be protected. Click on the check box on the left. Click on the first button at the top of the table which, when hovering over the button, is labeled "Map selected service to new db using their default names". The "Mapping Status" of the database will change to "Pending Mapping". On the left side of the screen above the label that says "showing", click the button with the arrow. The "Mapping Status" for the database will change to "Mapped". Note: The learning process requires enough database traffic to properly characterize normal application behavior. Navigate to Learning >> Time Regions and click on the left arrow to expand the window. Click on the plus sign to view the captured traffic. Organizations must capture a significant amount of traffic to enable the device to learn the traffic patterns. The vendor recommends at least three or more days of database traffic learning depending on the organization's traffic volume. Click the "Commit Learning" button on the lower right. View the "State" column of the database to verify the shield symbol is green.
Verify integration with a network-wide monitoring capability. Obtain the IP address and port number for the centralized event management system (e.g., SIEM) from site personnel. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Verify the IP address and port number for the centralized event management system are implemented. If the DBN-6300 is not configured to send syslog information to a centralized event management system that manages the DBN-6300 network-wide monitoring capability, this is a finding.
Configure the DBN-6300 with syslog output to the SIEM. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Enter the centralized event management system IP address and port number. Click on the "Commit" button to start the process.
Audit records are automatically backed up on a real-time basis via syslog when enabled. Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog services are set to "on", the syslog server information is valid, and the syslog server has connected. Navigate to Settings >> Advanced >> Audit Log. Verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and that the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. Following this verification, process an account action. Confirm the presence of a syslog message on the syslog server containing the details of this account action. If the DBN-6300 is not connected to the syslog server, or if the syslog server is connected but the message containing the information with the details of this account action is not there, this is a finding.
Configure the DBN-6300 to be connected to the syslog server. Also configure the DBN-6300 to include audit records in the syslog message feed. Navigate to Settings >> Advanced >> Syslog. Enter the syslog connection information (port and IP address) and push the "enabled" button for both "TCP" and "enable". Navigate to Settings >> Advanced >> Audit Log. Verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and that the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. If the "Use System Syslog" button is not set to "Yes", press the "Yes" button. Click on "Commit".
Verify integration with a network-wide monitoring capability. Obtain the IP address and port number for the centralized event management system (e.g., SIEM) from site personnel. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Verify the IP address and port number for the centralized event management system are implemented. If the DBN-6300 is not configured to send syslog information to a centralized event management system that manages the DBN-6300 network-wide monitoring capability, this is a finding.
Configure the DBN-6300 with syslog output to the SIEM. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Enter the centralized event management system IP address and port number. Click on the "Commit" button to start the process.
View the organization's documentation to determine which databases are required to be protected. Ask the site representative if the device is used continuously or if periodic monitoring is performed. Navigate to Learning >> Time Regions and view the table of detected databases. For each database requiring protection, view the "State". Unprotected databases show a red shield. Protected databases show a green shield. If continuous monitoring is not performed by the organization, this is a finding.
Configure the DBN-6300 with syslog output to the SIEM. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Enter the centralized event management system IP address and port number. Click on the "Commit" button to start the process. Configure a database for SQL injection protection for continuous protection. Enable the SQL injection detection capabilities on the applicable interface for the database to be protected. Navigate to Admin >> Capture >> Capture Sources. Select the interface connected to the network that contains the database traffic. Click on the "Enable" button and ensure the Link up indicator turns green.
Audit records are automatically backed up on a real-time basis via syslog when enabled. Verify the DBN-6300 is connected to the syslog server. Navigate to Settings >> Advanced >> Syslog. Verify that the syslog services are set to "on", the syslog server information is valid, and the syslog server has connected. Navigate to Settings >> Advanced >> Audit Log. Verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. Following this verification, process an account action. Confirm the presence of a syslog message on the syslog server containing the details of this account action. If the DBN-6300 is not connected to the syslog server, or if the syslog server is connected but the message containing the information with the details of this account action is not there, this is a finding.
Configure the DBN-6300 to be connected to the syslog server. Also configure the DBN-6300 to include audit records in the syslog message feed. Navigate to Settings >> Advanced >> Syslog. Enter the syslog connection information (port and IP address) and push the "enabled" button for both "TCP" and "enable". Navigate to Settings >> Advanced >> Audit Log. Verify that the Audit Syslog, "Use System Syslog" button is set to "Yes" and the Audit Configuration Categories are all checked for Audit Log, Syslog, and Audit Console. If the "Use System Syslog" button is not set to "Yes", press the "Yes" button. Click on "Commit".
Ask the site representative if the DBN-6300 is used to protect the database tier. If the DBN-6300 is not used to protect the database tier, this is not a finding. Ask the site for documentation of which database tier is required to be protected. Verify connectivity of the capture ports to the correct database tier that is required to be protected. If the DBN-6300 is not connected to protect the database tier for maximum database traffic visibility of the organization's databases, this is a finding.
Evaluate the site architecture to determine where the optimum logical connections would provide maximum database visibility. Disconnect the network taps from the incorrectly attached network ports. Reconnect the correctly identified taps. Navigate to the Admin >> Capture >> Port Configuration menu. Click on "Port Enabled", if it is not already enabled, to ensure that the DBN-6300 will see and capture traffic. Navigate to the "Database" tab and choose "Service Discovery". Verify that database services are beginning to appear on the page.
Ask the site representative if the DBN-6300 is used to provide discovery protection against unidentified or rogue databases. If the DBN-6300 is not used for discovery protection against unidentified or rogue databases, this is not a finding. Click on the "Database" tab and select the "Database Services" sub-menu. This will reveal all of the currently discovered database services. If the DBN-6300, which is used to provide protection against unidentified or rogue databases, does not provide a catalog of all visible databases and database services, this is a finding.
Configure the system to view databases and database services. Click on the Database >> Service Discovery tab. This will reveal all of the currently visible database services that have been seen on the mirrored traffic connection.