If the BIG-IP appliance does not provide user access control intermediary services, this is not applicable.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the name of the Access Profile.
5. Under "Settings", verify "Max Sessions per User" is set to "1" or to an organization-defined number. A value of "0" means unlimited.
If the BIG-IP appliance is not configured to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the name of the Access Profile.
5. Under "Settings", set "Max Sessions per User" to "1" or to an organization-defined number.
6. Click "Update".

If the BIG-IP appliance does not serve as an intermediary for remote access traffic, this is not applicable.
From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Review the list of policies and confirm they are applied to the virtual servers being used for intermediary services for remote access communications traffic.
If the BIG-IP appliance is not configured to ensure inbound and outbound traffic is monitored for compliance with remote access security policies, this is a finding.

From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of a virtual server.
5. Security tab >> Policies.
6. Set "Application Security Policy" to "Enabled".
7. Select the policy from the drop-down.
8. Click "Update".
9. Repeat for additional virtual servers.

If the BIG-IP appliance does not provide intermediary services for remote access (e.g., web content filtering or webmail), for TLS, or for application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable.
Client SSL Profile
From the BIG-IP GUI:
1. Local Traffic.
2. Profiles.
3. SSL.
4. Client.
5. Click the name of the SSL profile.
6. Change "Configuration" to "Advanced".
7. Verify "Ciphers" (the cipher string or cipher group selected there) is configured to use only NIST FIPS-validated cipher suites and to permit only TLS 1.2 or higher.
8. Repeat for other SSL profiles in use.
Virtual Server
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the virtual server.
5. Verify that "SSL Profile (Client)" is using a NIST FIPS-validated SSL profile.
6. Repeat these steps to review all other virtual servers.
If the BIG-IP appliance is not configured to use TLS 1.2 or higher with NIST FIPS-validated ciphers, this is a finding.

Client SSL Profile
From the BIG-IP GUI:
1. Local Traffic.
2. Profiles.
3. SSL.
4. Client.
5. Click the name of the SSL profile.
6. Change "Configuration" to "Advanced".
7. Configure "Ciphers" to use only NIST FIPS-validated cipher suites and to permit only TLS 1.2 or higher.
8. Click "Update".
9. Repeat for other SSL profiles in use.
Virtual Server
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the virtual server.
5. Configure "SSL Profile (Client)" to use a NIST FIPS-validated SSL profile.
6. Click "Update".
7. Repeat for other virtual servers.

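The GUI review above has to be repeated per profile and cannot tell you which suites a cipher string such as "DEFAULT" actually expands to. The shell script below is an added example, not part of this STIG or of F5's documentation: it audits a Client SSL profile from two command outputs, the profile's "options" line from "tmsh list ltm profile client-ssl <name> options ciphers" and the cipher string expanded with "tmm --clientciphers <string>", and reports every suite below TLS 1.2 and every suite not matching an approved-suite pattern. The two profiles and the tmm listings are constructed samples (the tmm column layout is approximated from the real command, so the parser keys on the "N:" row prefix, the suite name and the PROT token rather than on column widths), and the APPROVED_SUITE_RE pattern is an assumption standing in for the site's NIST FIPS-validated list.

```shell
#!/bin/sh
# Added example (not F5 code): audit a Client SSL profile for TLS 1.2+ and
# approved cipher suites from tmsh/tmm text, so the check is repeatable.
# ASSUMPTION: the approved-suite pattern below stands in for the site's
# NIST FIPS-validated suite list; adjust it to local policy.
APPROVED_SUITE_RE='^((ECDHE|DHE)-(RSA|ECDSA)-)?AES(128|256)-(GCM-SHA(256|384)|SHA(256|384))$|^TLS13-AES(128|256)-GCM-SHA(256|384)$'

# Constructed sample: a hardened profile and its cipher expansion.
PROFILE_GOOD='ltm profile client-ssl /Common/clientssl-dod {
    ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384
    options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1_1 }
}'
TMM_GOOD='       ID  SUITE                          BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:   49200  ECDHE-RSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM SHA384  ECDHE_RSA
 1:   49199  ECDHE-RSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM SHA256  ECDHE_RSA
 2:    4866  TLS13-AES256-GCM-SHA384       256  TLS1.3  Native  AES-GCM SHA384  ECDHE_RSA'

# Constructed sample: a profile left on DEFAULT with TLS 1.1 still allowed.
PROFILE_BAD='ltm profile client-ssl /Common/clientssl {
    ciphers DEFAULT
    options { dont-insert-empty-fragments no-sslv3 no-tlsv1 }
}'
TMM_BAD='       ID  SUITE                          BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:   49199  ECDHE-RSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM SHA256  ECDHE_RSA
 1:   52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256  256  TLS1.2  Native  CHACHA20-POLY1305  SHA256  ECDHE_RSA
 2:   49171  ECDHE-RSA-AES128-SHA          128  TLS1    Native  AES     SHA     ECDHE_RSA
 3:      53  AES256-SHA                    256  TLS1    Native  AES     SHA     RSA
 4:      10  DES-CBC3-SHA                  168  TLS1    Native  DES     SHA     RSA
 5:       5  RC4-SHA                       128  TLS1    Native  RC4     SHA     RSA'

# option_findings <profile-config>: report legacy protocol versions that the
# profile's "options" line does not disable.
option_findings() {
    opts=$(printf '%s\n' "$1" | awk '$1 == "options" { $1 = ""; print }')
    for o in no-sslv3 no-tlsv1 no-tlsv1_1; do
        case " $opts " in
            *" $o "*) ;;
            *) echo "option $o not set (protocol still negotiable)" ;;
        esac
    done
}

# cipher_findings <tmm-output>: report suites that negotiate below TLS 1.2
# or that are not on the approved-suite pattern.
cipher_findings() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+:$/ { print $3, $5 }' |
    while read -r suite prot; do
        case "$prot" in
            TLS1.2|TLS1.3) ;;
            *) echo "$suite negotiates $prot"; continue ;;
        esac
        printf '%s\n' "$suite" | grep -Eq "$APPROVED_SUITE_RE" ||
            echo "$suite is not an approved suite"
    done
}

# count_findings <profile-config> <tmm-output>: total number of findings.
count_findings() {
    { option_findings "$1"; cipher_findings "$2"; } | grep -c . || true
}

# audit_clientssl <profile-config> <tmm-output>: print findings, return 0
# only when the profile is compliant.
audit_clientssl() {
    name=$(printf '%s\n' "$1" | awk 'NR == 1 { print $4 }')
    n=$(count_findings "$1" "$2")
    { option_findings "$1"; cipher_findings "$2"; } | sed "s|^|FINDING: $name: |"
    [ "$n" -eq 0 ]
}

# Stand-alone run over the constructed samples. On the appliance, feed it
# the real outputs of tmsh and "tmm --clientciphers" instead.
audit_clientssl "$PROFILE_GOOD" "$TMM_GOOD" && echo "clientssl-dod: compliant"
audit_clientssl "$PROFILE_BAD" "$TMM_BAD" || echo "clientssl: noncompliant"
```

The options check and the cipher check are deliberately both present: a cipher list containing only TLS 1.2 suites already prevents a TLS 1.0 handshake from completing, but the "no-tlsv1"/"no-tlsv1_1" options are the documented, reviewable control, and a later edit to the cipher string must not silently reopen the old versions.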
If the ALG does not perform content filtering as part of the traffic management functions, this is not applicable.
From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Click the name of the policy.
6. Verify "Enforcement Mode" is set to "Blocking".
7. Select "Attack Signatures".
8. Click the filter at the top left of the signatures window.
9. Select "XPath Injection" in the "Attack Type" field and click "Apply".
10. Verify "Block" is checked for all signatures and "Status" is set to "Enforced".
11. Click the filter at the top left of the signatures window.
12. Select "LDAP Injection" in the "Attack Type" field and click "Apply".
13. Verify "Block" is checked for all signatures and "Status" is set to "Enforced".
If the BIG-IP appliance is not configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Click the name of the policy.
6. Set "Enforcement Mode" to "Blocking".
7. Select "Attack Signatures".
8. Click the filter at the top left of the signatures window.
9. Select "XPath Injection" in the "Attack Type" field and click "Apply".
10. Select all signatures in the filtered list and click "Enforce".
11. Click "Enforce" again.
12. Click the filter at the top left of the signatures window.
13. Select "LDAP Injection" in the "Attack Type" field and click "Apply".
14. Select all signatures in the filtered list and click "Enforce".
15. Click "Enforce" again.
16. Click "Apply Policy".

If the ALG does not perform content filtering as part of the traffic management functions, this is not applicable.
From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Click the name of the policy.
6. Verify "Enforcement Mode" is set to "Blocking".
7. Select "Attack Signatures".
8. Click the filter at the top left of the signatures window.
9. Select "Buffer Overflow" in the "Attack Type" field and click "Apply".
10. Verify "Block" is checked for all signatures and "Status" is set to "Enforced".
11. Click the filter at the top left of the signatures window.
12. Select "Server Side Code Injection" in the "Attack Type" field and click "Apply".
13. Verify "Block" is checked for all signatures and "Status" is set to "Enforced".
If the BIG-IP appliance is not configured to prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Click the name of the policy.
6. Set "Enforcement Mode" to "Blocking".
7. Select "Attack Signatures".
8. Click the filter at the top left of the signatures window.
9. Select "Buffer Overflow" in the "Attack Type" field and click "Apply".
10. Select all signatures in the filtered list and click "Enforce".
11. Click "Enforce" again.
12. Click the filter at the top left of the signatures window.
13. Select "Server Side Code Injection" in the "Attack Type" field and click "Apply".
14. Select all signatures in the filtered list and click "Enforce".
15. Click "Enforce" again.
16. Click "Apply Policy".

If the ALG does not perform content filtering as part of the traffic management functions, this is not applicable.
From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Click the name of the policy.
6. Verify "Enforcement Mode" is set to "Blocking".
7. Select "Attack Signatures".
8. Click the filter at the top left of the signatures window.
9. Select "SQL-Injection" in the "Attack Type" field and click "Apply".
10. Verify "Block" is checked for all signatures and "Status" is set to "Enforced".
If the BIG-IP appliance is not configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Security Policies.
4. Policies List.
5. Click the name of the policy.
6. Set "Enforcement Mode" to "Blocking".
7. Select "Attack Signatures".
8. Click the filter at the top left of the signatures window.
9. Select "SQL-Injection" in the "Attack Type" field and click "Apply".
10. Select all signatures in the filtered list and click "Enforce".
11. Click "Enforce" again.
12. Click "Apply Policy".

If the BIG-IP appliance does not provide user access control intermediary services, this is not applicable.
If the Advanced Resource Assign VPE agent is not used in any policy, this is not a finding.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Review each resource. If the Advanced Resource Assign agent is used, verify that each expression listed is explicitly configured to use an authorization list.
If the BIG-IP appliance Access Policy has any assigned resources that are not configured with a specific authorization list, this is a finding.

For each APM Access Policy, ensure that for each resource, all Advanced Resource Assign agents used in the configuration are explicitly configured to use an authorization list.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Click any item that uses the Advanced Resource Assign VPE object.
6. For each entry whose expression is "Empty", click "change".
7. Add an appropriate expression that validates the user's authorization to access the resource specified in the item.
8. Click "Finished".
9. Click "Save".
10. Click "Apply Access Policy".

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Active Rules.
4. Verify "Policy Type" is set to "Enforced".
5. Inspect the different "Context" choices and verify rules are configured to enforce approved authorizations for controlling the flow of information within the network.
If the BIG-IP appliance is not configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. Create and/or edit firewall policies that are applied to the context needed to enforce approved authorizations for controlling the flow of information within the network.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit..." in the "Per-Session Policy" column for an Access Profile used for granting access.
5. Verify the Access Profile is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. The banner must be exactly formatted in accordance with the policy (see below).
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
If the BIG-IP APM module is not configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system, this is a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit..." in the "Per-Session Policy" column for an Access Profile used for granting access.
5. Configure the Access Profile to display the Standard Mandatory DOD Notice and Consent Banner below before granting access to the system.
6. Click "Apply Access Policy".
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

APM Default Log Profile:
From the BIG-IP GUI:
1. Access.
2. Overview.
3. Event Logs.
4. Settings.
5. Check the box for "default-log-setting" and click "Edit".
6. Verify "Enable Access System Logs" is checked.
7. On the "Access System Logs" tab, verify all items are set to "Notice".
Access Profile Log Setting:
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click the name of the Access Profile.
5. Logs tab.
6. Verify "default-log-setting" is in the "Selected" column.
If the BIG-IP appliance is not configured to generate log records, this is a finding.

Note: This fix modifies the "default-log-setting" log profile; a different log profile may be selected for the Access Profile instead. Either way, this requires the APM module.
APM Default Log Profile:
From the BIG-IP GUI:
1. Access.
2. Overview.
3. Event Logs.
4. Settings.
5. Check the box for "default-log-setting" and click "Edit".
6. Check "Enable Access System Logs".
7. On the "Access System Logs" tab, set all items to "Notice".
8. Click "OK".
Access Profile Log Setting:
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click the name of the Access Profile.
5. Logs tab.
6. Move "default-log-setting" to the "Selected" column.
7. Click "Update".

If the BIG-IP appliance does not provide intermediary/proxy services for SMTP communications traffic, this is not applicable.
SMTP Profile:
From the BIG-IP GUI:
1. Local Traffic.
2. Profiles.
3. Services.
4. SMTP.
5. Click the name of the SMTP profile.
6. Verify "Protocol Security" is checked.
SMTP Virtual Server:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the SMTP virtual server.
5. Verify the SMTP profile is selected in the "SMTP Profile" drop-down list.
If the BIG-IP appliance is not configured to inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies, this is a finding.

SMTP Profile:
From the BIG-IP GUI:
1. Local Traffic.
2. Profiles.
3. Services.
4. SMTP.
5. Click the name of the SMTP profile.
6. Check "Protocol Security".
7. Click "Update".
SMTP Virtual Server:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the SMTP virtual server.
5. Select the SMTP profile from the "SMTP Profile" drop-down list.
6. Click "Update".
Refer to vendor documentation for more information.

If the BIG-IP appliance does not provide intermediary/proxy services for FTP communications traffic, this is not applicable.
FTP Profile:
From the BIG-IP GUI:
1. Local Traffic.
2. Profiles.
3. Services.
4. FTP.
5. Click the name of the FTP profile.
6. Verify "Protocol Security" is checked.
FTP Virtual Server:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the FTP virtual server.
5. Verify the FTP profile is selected in the "FTP Profile" drop-down list.
If the BIG-IP appliance is not configured to inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies, this is a finding.

FTP Profile:
From the BIG-IP GUI:
1. Local Traffic.
2. Profiles.
3. Services.
4. FTP.
5. Click the name of the FTP profile.
6. Check "Protocol Security".
7. Click "Update".
FTP Virtual Server:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the FTP virtual server.
5. Select the FTP profile from the "FTP Profile" drop-down list.
6. Click "Update".
Refer to vendor documentation for more information.

If the BIG-IP appliance does not provide intermediary/proxy services for HTTP communications traffic, this is not applicable.
Application Security Policy:
From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Policy Building.
4. Learning and Blocking Settings.
5. Verify the correct policy is selected from the drop-down in the upper left.
6. Expand "HTTP protocol compliance failed".
7. Verify the proper inspection criteria are selected.
HTTP Virtual Server:
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the HTTP virtual server.
5. Security >> Policies tab.
6. Verify the correct policy is selected for "Application Security Policy".
If the BIG-IP appliance is not configured to inspect inbound and outbound HTTP communications traffic for protocol compliance and protocol anomalies, this is a finding.

Application Security Policy:
From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Policy Building.
4. Learning and Blocking Settings.
5. Select the correct policy from the drop-down in the upper left.
6. Expand "HTTP protocol compliance failed".
7. Select the proper inspection criteria.
8. Click "Save".
9. Click "Apply Policy".
HTTP Virtual Server:
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Virtual Server List.
4. Click the name of the HTTP virtual server.
5. Security >> Policies tab.
6. Set "Application Security Policy" to "Enabled".
7. Select the correct policy from the drop-down.
8. Click "Update".
Refer to vendor documentation for more information.

From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Verify that no virtual server is configured to listen on unnecessary and/or nonsecure functions, ports, protocols, and/or services. Compare each listener (destination port and protocol) against the PPSM CAL and the site's System Security Plan.
If any services are running that must not be, this is a finding.

Check the PPSM CAL and the site's System Security Plan/documentation for a list of prohibited ports, protocols, and services.
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. For any virtual server listening on unnecessary and/or nonsecure functions, ports, protocols, and/or services, check the box next to the virtual server and click "Delete".
4. Click "Delete" again.

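Reviewing the Virtual Server List by eye does not scale and leaves no record of what was compared against what. The script below is an added example, not part of this STIG or of F5's documentation: it parses "tmsh list ltm virtual" output, extracts each virtual server's protocol and destination port (handling the IPv4 address:port and IPv6 address.port forms tmsh uses), and prints every listener whose protocol:port pair is not on an approved list. The ALLOWED list is a placeholder for the pairs taken from the PPSM CAL and the SSP, and the configuration is a constructed sample.

```shell
#!/bin/sh
# Added example (not F5 code): diff virtual-server listeners against the
# site's approved protocol:port pairs instead of eyeballing the GUI list.

# ASSUMPTION: placeholder for the site's approved pairs (from the PPSM CAL).
ALLOWED='tcp:443 tcp:8443 udp:53 tcp:53'

# Constructed 'tmsh list ltm virtual' output, abridged to the fields used.
VS_CONFIG='ltm virtual /Common/vs_web_https {
    destination /Common/10.1.10.20:443
    ip-protocol tcp
    profiles {
        /Common/clientssl-dod {
            context clientside
        }
        /Common/http { }
    }
}
ltm virtual /Common/vs_web_https_v6 {
    destination /Common/2001:db8:10::20.443
    ip-protocol tcp
    profiles {
        /Common/clientssl-dod {
            context clientside
        }
    }
}
ltm virtual /Common/vs_legacy_telnet {
    destination /Common/10.1.10.21:23
    ip-protocol tcp
}
ltm virtual /Common/vs_dns {
    destination /Common/10.1.10.22:53
    ip-protocol udp
}
ltm virtual /Common/vs_any {
    destination /Common/10.1.10.23:0
    ip-protocol any
}'

# list_listeners <config>: print "name proto:port" for each virtual server.
# Brace depth is tracked so nested profile blocks do not end a stanza early.
list_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "ltm" && $2 == "virtual" { name = $3; proto = "any"; port = "0" }
        $1 == "destination" {
            d = $2; colons = gsub(/:/, ":", d)
            if (colons > 1) n = split($2, a, ".")   # IPv6: addr.port
            else            n = split($2, a, ":")   # IPv4: addr[%rd]:port
            port = a[n]
        }
        $1 == "ip-protocol" { proto = $2 }
        {
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth == 0 && name != "") { print name, proto ":" port; name = "" }
        }'
}

# unapproved_listeners <config> <allowed>: print "name proto:port" for every
# virtual server whose listener is not an approved pair. Wildcard listeners
# (port 0 or protocol any) never equal a concrete pair, so they are reported.
unapproved_listeners() {
    list_listeners "$1" | while read -r name listener; do
        case " $2 " in
            *" $listener "*) ;;
            *) echo "$name $listener" ;;
        esac
    done
}

# count_unapproved <config> <allowed>: number of unapproved listeners.
count_unapproved() { unapproved_listeners "$1" "$2" | grep -c . || true; }

# Stand-alone run over the sample. On the appliance, use
#   VS_CONFIG=$(tmsh list ltm virtual)
unapproved_listeners "$VS_CONFIG" "$ALLOWED" | sed 's/^/FINDING: unapproved listener /'
```

Keep the approved list in version control next to the SSP so the diff is auditable; a listener that must be added to the list is a documented decision, not a silent exception.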
If the BIG-IP appliance does not provide user authentication intermediary services, this is not applicable.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click "Edit" for the Access Profile being used.
5. Verify the Access Profile is configured to require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
If the BIG-IP appliance is not configured to require users to reauthenticate when organization-defined circumstances or situations require reauthentication, this is a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click "Edit" for the Access Profile being used.
5. Configure the Access Profile to require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
This will also require the administrator to force reauthentication when changes occur that the system cannot automatically detect. Update administrator training and the site's System Security Plan to document this process.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click "Edit" for the Access Profile being used.
5. Verify the Access Profile uses an authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
If the BIG-IP appliance is not configured to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication, this is a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click "Edit" for the Access Profile being used.
5. Configure the Access Profile to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
Note: To create an authentication object in the VPE, it must first be created in APM under Access >> Authentication. Once it has been created, add it to the Access Policy VPE by clicking the "+", selecting the "Authentication" tab, and selecting the appropriate type of authentication.

If the BIG-IP appliance does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Verify an "OCSP Auth" object with Certificate Type "Machine" or a "CRLDP Auth" object is configured in the Access Profile.
If the BIG-IP appliance is not configured to use OCSP or CRLDP to ensure revoked machine credentials are prohibited from establishing an allowed session, this is a finding.

If the Access Profile is configured to pull a machine certificate using the "Machine Cert Auth" object in the policy, perform the following actions. Note that pulling a machine certificate requires the APM Edge Client to be installed on the client.
To add OCSP machine certificate verification to an access policy:
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Click the "+" icon on the Successful branch of the Machine Cert Auth object.
6. Authentication tab.
7. Select "OCSP Auth".
8. Click "Add Item".
9. From the OCSP Responder list, select an OCSP responder. Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.
10. From the Certificate Type list, select "Machine".
11. Click "Save".
12. Click "Apply Access Policy".
To add CRLDP certificate verification to an access policy:
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Click the "+" icon on the Successful branch of the Machine Cert Auth object.
6. Authentication tab.
7. Select "CRLDP Auth".
8. Click "Add Item".
9. Select an item from the CRLDP Server list. Note: To create a CRLDP Server, go to Access >> Authentication >> CRLDP.
10. Click "Save".
11. Click "Apply Access Policy".

If the BIG-IP appliance does not provide PKI-based user authentication intermediary services, this is not applicable.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Verify an "OCSP Auth" and/or "CRLDP Auth" object is configured in the Access Profile VPE AND that the fallback branch of these objects leads to a "Deny" ending.
If the BIG-IP appliance is not configured to deny access when revocation data is unavailable, this is a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Add an "OCSP Auth" and/or "CRLDP Auth" object to the Access Profile. Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder. To create a CRLDP object, go to Access >> Authentication >> CRLDP.
6. Ensure the fallback branch of these objects goes to a "Deny" ending.
7. Click "Apply Access Policy".

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the name of the Access Profile.
5. Verify "Inactivity Timeout" is set to 900 seconds (15 minutes) or less.
If the BIG-IP appliance is not configured to terminate all network connections associated with a user (nonprivileged) communications session after 15 minutes of inactivity, this is a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the name of the Access Profile.
5. Set "Inactivity Timeout" to 900 seconds. Note: If the setting is grayed out, check the box to the right of the setting.
6. Click "Update".

If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable.
From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand each of the applicable families (Network, DNS, SIP), depending on the traffic being handled by the BIG-IP, and verify "State" is set to "Mitigate" for all signatures in that family.
If the BIG-IP appliance is not configured to protect against known and unknown types of DoS attacks by employing rate-based attack prevention and behavior analysis, this is a finding.

From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand each of the applicable families (Network, DNS, SIP) one at a time, depending on the traffic being handled by the BIG-IP, and do the following for each:
a. Check the box at the top of the list of signatures to select all.
b. Set "Set State" to "Mitigate".
5. Click "Commit Changes to System".
Note: Sites must operationally test, or initially use learning mode, before turning on all of the options in all families to prevent operational impacts, particularly in implementations with large traffic volumes.

If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable.
From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand "Network" and verify "Dynamic Signature Detection" is "Enabled".
5. If applicable, expand "DNS" and verify "Dynamic Signature Detection" is "Enabled".
If the BIG-IP appliance is not configured to protect against or limit the effects of known and unknown types of DoS attacks by employing pattern recognition pre-processors, this is a finding.

From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand "Network".
5. Click "Configure settings".
6. Set "Dynamic Signature Detection" to "Enabled".
7. If applicable, expand "DNS".
8. Click "Configure settings".
9. Set "Dynamic Signature Detection" to "Enabled".
10. Click "Commit Changes to System".

From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Parameters.
4. Parameters List.
5. Select the appropriate policy from the drop-down menu in the top left.
6. Verify the appropriate parameters are configured for the application (e.g., character set, length, numerical range, and acceptable values).
If the BIG-IP appliance is not configured to check the validity of all data inputs except those specifically identified by the organization, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Application Security.
3. Parameters.
4. Parameters List.
5. Select the appropriate policy from the drop-down menu in the top left.
6. Configure the appropriate parameters for the application (e.g., character set, length, numerical range, and acceptable values).
Refer to vendor documentation for more information.

If the BIG-IP does not perform content filtering as part of its traffic management functionality, this is not applicable.
Note: Automatic signature updates can be configured, but depending on site connectivity this may not be possible. In that case, manual upload of updates is possible. The steps below cover the automatic update configuration.
Automatic Update Check:
From the BIG-IP GUI:
1. System.
2. Software Management.
3. Update Check.
4. Verify "Automatic Update Check" is set to "Enabled".
Real-Time Installation of Updates:
1. System.
2. Software Management.
3. Live Update.
4. Under "Updates Configuration", click each item and check that "Real-Time" is selected for the setting "Installation of Automatically Downloaded Updates".
If the BIG-IP appliance is not configured to automatically update malicious code protection mechanisms, this is a finding.

Note: Automatic signature updates can be configured, but depending on site connectivity this may not be possible. In that case, manual upload of updates is possible. The steps below cover the automatic update configuration.
Automatic Update Check:
From the BIG-IP GUI:
1. System.
2. Software Management.
3. Update Check.
4. Set "Automatic Update Check" to "Enabled".
5. Click "Apply Settings".
Real-Time Installation of Updates:
1. System.
2. Software Management.
3. Live Update.
4. Under "Updates Configuration", click each item and select "Real-Time" for the setting "Installation of Automatically Downloaded Updates".
5. Click "Save" for each item.

If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable.
If using the BIG-IP AFM module to perform content filtering:
AFM ACL:
From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>.
5. Verify a rule is configured that uses a "Classification Policy".
Log Profile:
From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Classification tab.
6. Verify the Log Publisher is set to the desired setting. (For production environments, F5 recommends using remote logging.)
If configured rules in the policy do not detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum, this is a finding.

AFM ACL:
From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>.
5. Configure a rule that uses a "Classification Policy". Note: To create a Classification Policy, go to Traffic Intelligence >> Policies.
6. Click "Commit Changes to System".
Log Profile:
From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Check "Enabled" for "Classification".
6. Classification tab.
7. Configure the Log Publisher. (For production environments, F5 recommends using remote logging.)
8. Click "Update".

If the Access Profile Type is not LTM+APM and it uses connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, then this is not a finding. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains. 6. Under Cookie Options, verify HTTP Only is enabled. If the F5 BIG-IP appliance does not enable the HTTP Only flag, this is a finding.
When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, set the HTTP Only flag. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains. 6. Under Cookie Options, check the box next to "HTTP Only". 7. Click "Update". 8. Click "Apply Access Policy".
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains tab. 6. Under Cookie Options, verify "Secure" is enabled. If the F5 BIG-IP appliance APM Policy does not enable the Secure cookies flag, this is a finding.
Configure each Access Profile to enable the Secure Cookies flag. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains tab. 6. Under Cookie Options, check "Secure". 7. Click "Update". 8. Click "Apply Access Policy".
If the Access Profile is used for applications that require cookie persistence, then this is not a finding. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains tab. 6. Under Cookie Options, verify "Persistent" is disabled. If the F5 BIG-IP appliance APM Policy has the Persistent cookies flag enabled, this is a finding.
Note: Testing must be performed prior to implementation to prevent operational impact. This setting may break access to certain applications that require cookie persistence. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains tab. 6. Under Cookie Options, uncheck "Persistent". 7. Click "Update". 8. Click "Apply Access Policy".
If the BIG-IP appliance does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable. Access Policy: From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Verify that an "OCSP Auth" object with certificate type "User", or a "CRLDP Auth" object, is configured in the Access Profile. If the BIG-IP appliance is not configured to use OCSP or CRLDP to ensure revoked user credentials are prohibited from establishing an allowed session, this is a finding.
Access Policy: From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Add an "OCSP Auth" with certificate type of "User" and/or a "CRLDP Auth" object in the Access Profile. Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder. Note: To create a CRLDP Server object, go to Access >> Authentication >> CRLDP. 6. Add an "OCSP Auth" object in the Access Profile and select an OCSP Responder. 7. Click "Update".
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Verify the On-Demand Cert Auth agent is not configured in any part of the profile. If the On-Demand Cert Auth agent is used in any Access Policy Profile, this is a finding.
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Remove any "On-Demand Cert Auth" agents in the profile. 6. Add a "Client Cert Inspection" object in place of the previous "On-Demand Cert Auth" agent. 7. Click "Apply Access Policy".
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Under Security Settings, verify the "Require A Consistent Inbound IP For The Entire Web Session" box is checked. From the BIG-IP Console: tmsh list sys httpd auth-pam-validate-ip Note: The expected value is "on". If the BIG-IP appliance is not configured to require a consistent inbound IP for the entire session for management sessions, this is a finding.
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Under Security Settings, check "Require A Consistent Inbound IP For The Entire Web Session". 4. Click "Update". From the BIG-IP Console, run the following two commands:
tmsh modify sys httpd auth-pam-validate-ip on
tmsh save sys config
If the site has documented an adverse operational impact and has AO approval, this is not a finding. From the BIG-IP GUI: 1. System. 2. Access. 3. Profiles/Policies. 4. Access Profiles. 5. Click the access profile name. 6. Under Settings, verify "Restrict to Single Client IP" is checked. If the BIG-IP appliance is not configured to limit authenticated client sessions to initial session source IP, this is a finding.
Note: Setting must be tested. If there are operational impacts that prevent the use of this setting, document the impacts, and obtain approval from the AO if this requirement will not be implemented. From the BIG-IP GUI: 1. System. 2. Access. 3. Profiles/Policies. 4. Access Profiles. 5. Click the access profile name. 6. Under Settings, check "Restrict to Single Client IP". Note: If the box is grayed out, check the box all the way to the right of the setting first and then check the box. 7. Click "Update". 8. Click "Apply Access Policy".
If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, verify the value for "Maximum Session Timeout" is set to 28800 seconds (eight hours) or less. If the F5 BIG-IP APM access policy is not configured for a "Maximum Session Timeout" value of 28,800 seconds (eight hours) or less, this is a finding.
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, set the value for "Maximum Session Timeout" to 28800 seconds (eight hours) or less. Note: If the setting is grayed out, check the box to the right of the setting and then update it. 6. Click "Update". 7. Click "Apply Access Policy".
From the BIG-IP GUI: 1. Local Traffic. 2. Profiles. 3. SSL. 4. Client. 5. Click the name of the SSL Profile. 6. For "Ciphers", ensure only AES-256 or other cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network are configured in compliance with CNSA/CNSSP-15. If the BIG-IP appliance is not configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network, this is a finding.
From the BIG-IP GUI: 1. Local Traffic. 2. Profiles. 3. SSL. 4. Client. 5. Click the name of the SSL Profile. 6. For "Ciphers", configure only AES-256 or other cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network in compliance with CNSA/CNSSP-15. 7. Click "Update".
If the BIG-IP appliance does not provide remote access intermediary services, this is not applicable. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit..." in the "Per-Session Policy" column for the Access Profile. 5. Verify the Access Profile is configured to uniquely identify network devices. If the BIG-IP appliance is not configured to identify and authenticate all endpoint devices or peers before establishing a connection, this is a finding.
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit..." in the "Per-Session Policy" column for the Access Profile. 5. Configure the Access Profile to uniquely identify and authenticate network devices. 6. Click "Apply Access Policy".
If the BIG-IP appliance does not provide remote access intermediary services, this is not applicable. Access Profile: From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the name of the Access Profile. 5. Click the Access Policy tab and note the name(s) of the Network Access listed. Network Access List: From the BIG-IP GUI: 1. Access. 2. Connectivity/VPN. 3. Network Access (VPN). 4. Network Access Lists. 5. Click on the Name of the Network Access List. 6. Network Settings tab. 7. Verify "Force all traffic through tunnel" is selected under Client Settings >> Traffic Options. If the BIG-IP appliance is not configured to disable split-tunneling for remote client VPNs, this is a finding.
Obtain the Network Access name in the Access Profile: From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the name of the Access Profile. 5. Click the Access Policy tab and note the name(s) of the Network Access listed. Configure the Network Access List: From the BIG-IP GUI: 1. Access. 2. Connectivity/VPN. 3. Network Access (VPN). 4. Network Access Lists. 5. Click on the Name of the Network Access List. 6. Network Settings tab. 7. Select "Force all traffic through tunnel" under Client Settings >> Traffic Options. 8. Click "Update".
If the BIG-IP appliance does not provide remote access intermediary services, this is not applicable. Verify that one of these two options is configured: 1. The network architecture routes traffic inline from the BIG-IP through an IDPS. 2. A Protocol Inspection Profile is configured on the Virtual Server. From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. Virtual Server List. 4. Click on the name of the Virtual Server. 5. Security >> Policies tab. 6. Verify "Protocol Inspection Profile" is set to "Enabled" and the "Profile" drop-down is set to the appropriate value. If the BIG-IP appliance is not configured to route sessions to an IDPS for inspection, this is a finding.
Configure one of these two options: 1. Configure the network architecture to route traffic inline from the BIG-IP through an IDPS. 2. Configure a Protocol Inspection Profile on the Virtual Server. From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. Virtual Server List. 4. Click on the name of the Virtual Server. 5. Security >> Policies tab. 6. Set "Protocol Inspection Profile" to "Enabled". 7. Set the "Profile" drop-down to the appropriate value. Note: To create a Protocol Inspection Profile, go to Security >> Protocol Security >> Inspection Profiles. 8. Click "Update".
Verify at least one of these methods is configured. Always Connected Mode: From the BIG-IP GUI: 1. Access. 2. Connectivity/VPN. 3. Connectivity. 4. Profiles. 5. Click the name of the profile. 6. At the bottom, click Customize Package >> Windows. 7. Click "BIG-IP Edge Client" on the left. 8. Verify "Enable Always connected mode" is enabled. Machine Tunnels: From the BIG-IP GUI: 1. Access. 2. Connectivity/VPN. 3. Connectivity. 4. Profiles. 5. Click the name of the profile. 6. At the bottom, click Customize Package >> Windows. 7. Verify "Machine Tunnel Service" is checked. If the BIG-IP VPN Gateway is not configured to use an Always On VPN connection for remote computing, this is a finding.
Configure at least one of these methods. Always Connected Mode: From the BIG-IP GUI: 1. Access. 2. Connectivity/VPN. 3. Connectivity. 4. Profiles. 5. Click the name of the profile. 6. At the bottom, click Customize Package >> Windows. 7. Click "BIG-IP Edge Client" on the left. 8. Check the box next to "Enable Always connected mode". Note: Always connected mode requires at least one host be listed in the Server list of the Connectivity Profile. Edit the Connectivity Profile to add an entry, if necessary. 9. Click "Download" to save the settings and download the installer. Machine Tunnels: From the BIG-IP GUI: 1. Access. 2. Connectivity/VPN. 3. Connectivity. 4. Profiles. 5. Click the name of the profile. 6. At the bottom, click Customize Package >> Windows. 7. Check "Machine Tunnel Service". 8. Optionally, click "Machine Tunnel Service" on the left and check "Enable NLA for Machine Tunnel". Note: To configure DNS Suffixes for NLA, edit the Connectivity Profile >> Win/Mac Edge Client > Location DNS List. 9. Click "Download" to save the settings and download the installer.
Note: Setting must be tested to determine if a number greater than 10 is operationally necessary. Ten is the minimum but may have operational impacts. Set to the minimum that is possible without adverse impacts, document the setting and the operational testing. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, verify "Max In Progress Sessions per Client IP" is set to 10 or an organization-defined number. If the F5 BIG-IP APM access policy is not configured to set a "Max In Progress Sessions per Client IP" value to 10 or an organization-defined number, this is a finding.
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, set "Max In Progress Sessions per Client IP" to 10 or an organization-defined number. Note: If the setting is grayed out, check the box to the right of the setting and then update it. If the setting is not set to 10, verify the operational reason is documented and approved by the AO. 6. Click "Update". 7. Click "Apply Access Policy".
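An offline audit script, added here as an example and not part of the STIG or of F5's own tooling, that applies several of the checks above (the APM cookie flags, "Restrict to Single Client IP", "Maximum Session Timeout", "Max In Progress Sessions per Client IP", and the management-console auth-pam-validate-ip setting) to a saved tmsh dump instead of clicking through the GUI on every appliance. It expects the brace-style output of commands such as `tmsh list apm profile access <name> all-properties` and `tmsh list sys httpd auth-pam-validate-ip`. The sample dumps are constructed, and the APM attribute names (`httponly-cookie`, `secure-cookie`, `persistent-cookie`, `restrict-to-single-client-ip`, `max-session-timeout`, `max-in-progress-sessions`) and their true/false value forms are assumptions to confirm against your own device's output; only `auth-pam-validate-ip` appears on the page.

```shell
#!/bin/sh
# Offline audit of a saved "tmsh list" dump against the APM and httpd settings
# above. ASSUMPTION: the apm profile access attribute names and true/false
# value forms below match tmsh output; verify on your own device with
#   tmsh list apm profile access <name> all-properties

# Constructed sample dumps (not captured from a real device).
SAMPLE_APM_BAD='apm profile access /Common/example_ap {
    httponly-cookie false
    max-in-progress-sessions 50
    max-session-timeout 36000
    persistent-cookie true
    restrict-to-single-client-ip false
    secure-cookie true
}'

SAMPLE_APM_GOOD='apm profile access /Common/example_ap {
    httponly-cookie true
    max-in-progress-sessions 10
    max-session-timeout 28800
    persistent-cookie false
    restrict-to-single-client-ip true
    secure-cookie true
}'

SAMPLE_HTTPD_BAD='sys httpd {
    auth-pam-validate-ip off
}'

# cfg_attr ATTR CONFIG: print the value of ATTR from a brace-style tmsh dump
# (first match wins; prints nothing if the attribute is absent).
cfg_attr() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# expect_eq CONFIG ATTR WANTED LABEL: print a finding unless ATTR equals WANTED.
expect_eq() {
    v=$(cfg_attr "$2" "$1")
    if [ "$v" = "$3" ]; then
        return 0
    fi
    echo "FINDING: $4 ($2 is '${v:-unset}', expected '$3')"
    return 1
}

# expect_max CONFIG ATTR LIMIT LABEL: print a finding unless ATTR is a number <= LIMIT.
expect_max() {
    v=$(cfg_attr "$2" "$1")
    case "$v" in
        ''|*[!0-9]*)
            echo "FINDING: $4 ($2 is '${v:-unset}', expected a number <= $3)"
            return 1 ;;
    esac
    if [ "$v" -le "$3" ]; then
        return 0
    fi
    echo "FINDING: $4 ($2 is $v, expected <= $3)"
    return 1
}

# audit_access_profile CONFIG [MAX_IN_PROGRESS]: exit status is the number of findings.
# MAX_IN_PROGRESS defaults to 10; pass the AO-approved value if one is documented.
audit_access_profile() {
    cfg=$1
    limit=${2:-10}
    n=0
    expect_eq "$cfg" httponly-cookie true "HTTP Only cookie flag not enabled" || n=$((n+1))
    expect_eq "$cfg" secure-cookie true "Secure cookie flag not enabled" || n=$((n+1))
    expect_eq "$cfg" persistent-cookie false "Persistent cookie flag enabled" || n=$((n+1))
    expect_eq "$cfg" restrict-to-single-client-ip true "Session not restricted to initial client IP" || n=$((n+1))
    expect_max "$cfg" max-session-timeout 28800 "Maximum Session Timeout exceeds 28800 seconds" || n=$((n+1))
    expect_max "$cfg" max-in-progress-sessions "$limit" "Max In Progress Sessions per Client IP too high" || n=$((n+1))
    return "$n"
}

# audit_httpd CONFIG: exit status 1 if management sessions are not pinned to one inbound IP.
audit_httpd() {
    expect_eq "$1" auth-pam-validate-ip on "Consistent inbound IP not required for web sessions"
}

# Stand-alone run over the constructed samples.
rc=0; audit_access_profile "$SAMPLE_APM_BAD" || rc=$?
echo "example_ap (bad sample): $rc finding(s)"
rc=0; audit_access_profile "$SAMPLE_APM_GOOD" || rc=$?
echo "example_ap (good sample): $rc finding(s)"
rc=0; audit_httpd "$SAMPLE_HTTPD_BAD" || rc=$?
echo "sys httpd (bad sample): $rc finding(s)"
```

The script reports a deviation as a finding mechanically; the exceptions the checks above allow (connectivity resources in the VPE for HTTP Only, applications that need cookie persistence, an AO-approved single-client-IP or in-progress-session deviation) still have to be judged and documented by hand.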