Confirm the local User Groups: Privileged account user log on to default domain >> Administration >> Access >> User Group >> Select the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding.
Confirm that LDAP groups are mapped to those local groups: Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Select "Credential Mapping". If the Credential-mapping method is not "Local user group", or "Search LDAP for group name" is off, this is a finding.
Create the appropriate User Group(s) using the "RBM Builder": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Select the "Add" button >> Define the policy, per the RBM Builder documentation >> Click "Add" >> Click “Apply”. Add users’ accounts to LDAP groups with the same names as those defined with the RBM Builder in the remote Authentication/Authorization server (LDAP). Note: This takes place outside of the context of the IBM DataPower Gateway; specific instructions will depend on the LDAP server being used. Configure Role-Based Management to use the LDAP group information during logon to map users to the local group definitions: Administration >> Access >> RBM Settings >> "Credential Mapping" >> Credential-mapping method: "Local user group" >> "Search LDAP for group name": on >> Click "Apply" >> Click "Save Configuration". A user whose LDAP group has no local User Group of the same name receives no access profile.
Privileged Account User logon to the WebGUI >> Open the service to be modified: From the Control Panel, select the type of service to be edited (e.g., Multi-Protocol Gateway) >> The list of available services will be displayed >> Click the name of the service to be edited. Verify configuration of the processing policy: Click the “…” button adjacent to the configured Processing Policy (in the case of a Web Service Proxy, click the “Policy” processing policy tab) >> The processing policy is displayed >> Select the rule to be edited by clicking the “Rule Name” >> Double-click on the “Conditional” action. Confirm the XPath statement for the positive condition (i.e., the condition that, if met, would allow the message to be processed) would result in a “Set Variable” Action being triggered >> Click on the corresponding Set Variable action and confirm that the target URL is correct and that the variable being set is “service/routing-url” >> Click “Done”. Confirm the XPath statement for the negative condition (i.e., the condition that, if met, would result in the message being blocked) would result in a “Call Processing Rule” Action being triggered >> Click on the corresponding Call Processing Rule action and confirm that the service’s error rule is selected >> Click “Done” >> Click “Done” >> Click “Cancel” >> Click “Cancel”. If any of the configuration conditions are not met, this is a finding.
Privileged Account User logon to the WebGUI >> Open the service to be modified: From the Control Panel, select the type of service to be edited (e.g., Multi-Protocol Gateway) >> The list of available services will be displayed >> Click the name of the service to be edited (NOTE: this process is specific to a previously configured service in support of a defined use-case and addressing specific business and technical requirements). Modify the service’s processing policy: Click the “…” button adjacent to the configured Processing Policy (in the case of a Web Service Proxy, click the “Policy” processing policy tab) >> The processing policy is displayed. Select the rule to be edited by clicking the “Rule Name”. Configure the Conditional Action: Drag the “Advanced” action to the desired point in the processing rule and double-click it >> Select the “Conditional” action and click “Next” >> The “Configure Conditional Action” window is displayed >> A new rule is displayed, consisting of a “Match Condition” and an “Action”. Paste the XPath statement corresponding to the positive test condition (i.e., the condition that, if met, would allow the message to be processed) into the “Match Condition” field >> In the corresponding “Action”, select “Set Variable” >> Click “Create Action” >> The “Configure Set Variable Action” window is displayed >> In the Variable Name field, paste “service/routing-url” >> In the Variable Assignment field, enter the desired target URL (e.g., “http://somehost.com:port/someURI”) >> Click “Done”. In addition to the rule that was just configured, a new rule is displayed, consisting of a “Match Condition” and an “Action”.
Paste the XPath statement corresponding to the negative test condition (i.e., the condition that, if met, would result in the message being blocked) into the “Match Condition” field >> In the corresponding “Action”, select “Call Processing Rule” >> Click “Create Action” >> The “Configure Call Processing Rule Action” window is displayed >> From the “Processing Rule” drop-down list, select the name of the processing policy’s configured error rule >> Click “Done” >> Click “Done” >> Click “Apply Policy” >> Click “Close Window” >> Click the “Apply” button >> Click “Save Configuration”. Make sure the negative condition covers every message the positive condition does not accept: a message that matches neither condition is not blocked by this action. The target URL should be a fixed value, not taken from the content of the request.
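The following is an added example, not text from the STIG and not IBM code: a small Python model of the Conditional action configured above, used to show the two properties a reviewer should verify, namely that service/routing-url is only ever set to a fixed backend chosen by the gateway and that every message the positive condition rejects reaches the error rule. The SOAP/wsa element names, the backend URLs, the rule order and the sample messages are all constructed for this example, and the conditions use the XPath subset that xml.etree.ElementTree understands rather than the full XPath available on the appliance.

```python
"""Added example (not from the STIG or IBM): model of a Conditional action.

Hypothetical assumptions: requests are SOAP envelopes carrying a wsa:Action
header; element names, backend URLs and sample messages are constructed.
Conditions are written in ElementTree's XPath subset, not full XPath 1.0.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# service/routing-url is only ever assigned from this fixed table. Taking the
# target out of the request would let a client steer the gateway to any host.
BACKENDS = {
    "orders": "https://orders.backend.example:8443/orders",
    "status": "https://status.backend.example:8443/status",
}

# Rules in the order they are listed on the appliance. The last entry is the
# negative condition: it matches every message, so whatever the positive
# conditions did not accept goes to the error rule instead of falling through.
RULES = [
    ("./soap:Header/wsa:Action[.='urn:example:orders']", "set-variable", "orders"),
    ("./soap:Header/wsa:Action[.='urn:example:status']", "set-variable", "status"),
    (".", "call-rule", "error-rule"),
]


def evaluate(message_xml, rules=RULES):
    """Return the action triggered for one message.

    {"var": "service/routing-url", "value": url} when a positive condition
    matches; {"rule": name} when the negative condition matches. Input that
    does not parse is treated like a negative match.
    """
    try:
        root = ET.fromstring(message_xml)
    except ET.ParseError:
        return {"rule": "error-rule"}
    for path, action, arg in rules:
        if root.find(path, NS) is None:
            continue
        if action == "set-variable":
            return {"var": "service/routing-url", "value": BACKENDS[arg]}
        return {"rule": arg}
    # Reached only when no catch-all negative condition is configured: fail
    # closed rather than let the message continue with no routing URL.
    return {"rule": "error-rule"}


def envelope(action):
    """Constructed sample request carrying the given wsa:Action value."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing">'
        f"<soap:Header><wsa:Action>{action}</wsa:Action></soap:Header>"
        "<soap:Body/></soap:Envelope>"
    )


if __name__ == "__main__":
    for act in ("urn:example:orders", "urn:example:admin"):
        print(act, "->", evaluate(envelope(act)))
    print("malformed ->", evaluate("<soap:Envelope>"))
```

Dropping the catch-all rule (pass `RULES[:2]`) shows why the negative condition matters on the appliance: without it an unrecognised message is neither routed nor sent to the error rule by this action, and in this model only the explicit fail-closed fallback catches it.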
Privileged user opens browser and navigates to the DataPower logon page. Confirm that the logon page displays the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the standard banner is not displayed, this is a finding.
Copy the User Interface (UI) Configuration Template to a new text file on the local operating system named "ui-customization.xml". Content (each XML comment must be closed with "-->"; the commented-out system banner shows the form the schema rejects):
<User-Interface xmlns="http://www.datapower.com/schemas/user-interface/1.0">
  <!-- Markup for the prompt extension to command line interface -->
  <CustomPrompt>%s</CustomPrompt>
  <!-- Markup for custom messages for the WebGUI interface -->
  <MarkupBanner type="pre-login" foreground-color="red" background-color="blue">
    WebGUI pre-login message
  </MarkupBanner>
  <MarkupBanner type="post-login" foreground-color="blue" background-color="yellow">
    WebGUI post-login pop up message
  </MarkupBanner>
  <MarkupBanner type="system-banner" location="header" foreground-color="green" background-color="red">
    WebGUI system message - header
  </MarkupBanner>
  <MarkupBanner type="system-banner" location="footer" foreground-color="blue" background-color="yellow">
    WebGUI system message - footer
  </MarkupBanner>
  <!-- If the following markup was outside of comments, the file would not conform to the schema.
       Cannot define multiple system messages as the header or footer.
  <MarkupBanner type="system-banner">
    WebGUI system message - header and footer
  </MarkupBanner>
  -->
  <!-- Markup for custom messages for the command line interface -->
  <TextBanner type="pre-login">
    Command line pre-login message
  </TextBanner>
  <TextBanner type="post-login">
    Command line post-login message
  </TextBanner>
  <TextBanner type="system-banner">
    Command line system message
  </TextBanner>
</User-Interface>
Upload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click "local:" >> Click "Actions..." link corresponding to "local:" >> Click "Upload Files" >> Click "Browse" button >> Select the previously saved "ui-customization.xml" file from the local operating system >> Click "Open" >> Click the "Upload" button >> Click the "Continue" button.
Edit the "ui-customization.xml" file: Click "refresh page" >> Click "local:" >> Click the "Edit" link corresponding to "ui-customization.xml" >> Click the "Edit" button >> Locate the XML stanza named "MarkupBanner" with 'type="pre-login"' >> Replace the text "WebGUI pre-login message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." >> Locate the XML stanza named "TextBanner" with 'type="pre-login"' >> Replace the text "Command line pre-login message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "I've read & consent to terms in IS user agreem't." >> Click the "Submit" button. Note: the banner text sits inside XML elements, so the "&" in the command-line banner must be entered as "&amp;" (and any "<" as "&lt;"); otherwise the file is not well-formed XML.
Configure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to "Custom user interface file" section at the bottom of the page and select "ui-customization.xml" from the drop-down list >> Scroll to top of the page >> Click "Apply" >> Click "Save Configuration". Log out of the appliance.
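As an added example (not part of the STIG and not IBM's template or tooling), the script below generates ui-customization.xml with ElementTree instead of hand-editing it, so the ampersand and apostrophes in the banner text are escaped correctly, and then checks the file against the constraints the template's own comments state (one header and at most one footer system banner, a single root element in the user-interface/1.0 namespace). The element and attribute names come from the template above; the banner strings are constructed stand-ins with the WebGUI banner abbreviated; the output is checked for well-formedness and those constraints only, not against IBM's XSD, which is not available offline.

```python
"""Added example (not from the STIG or IBM): generate and check ui-customization.xml.

Assumptions: element/attribute names as in the template on this page; banner
strings are constructed stand-ins; no validation against IBM's XSD.
"""
import xml.etree.ElementTree as ET

UI_NS = "http://www.datapower.com/schemas/user-interface/1.0"


def q(tag):
    """Clark-notation name in the user-interface namespace."""
    return f"{{{UI_NS}}}{tag}"


# Constructed stand-ins for the banner text (WebGUI banner abbreviated). The
# CLI banner contains an ampersand: typed raw into the XML it breaks parsing.
WEBGUI_BANNER = ("You are accessing a U.S. Government (USG) Information System (IS) "
                 "that is provided for USG-authorized use only. [...] "
                 "See User Agreement for details.")
CLI_BANNER = "I've read & consent to terms in IS user agreem't."


def build_ui_customization(webgui_pre_login, cli_pre_login):
    """Return the XML document (bytes) with both pre-login banners set."""
    ET.register_namespace("", UI_NS)
    root = ET.Element(q("User-Interface"))
    ET.SubElement(root, q("CustomPrompt")).text = "%s"
    ET.SubElement(root, q("MarkupBanner"), type="pre-login").text = webgui_pre_login
    ET.SubElement(root, q("TextBanner"), type="pre-login").text = cli_pre_login
    return ET.tostring(root, encoding="utf-8")


def check_ui_customization(data):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != q("User-Interface"):
        problems.append(f"unexpected root element {root.tag}")
    seen_locations = []
    for banner in root.findall(q("MarkupBanner")):
        kind = banner.get("type")
        if kind not in ("pre-login", "post-login", "system-banner"):
            problems.append(f"MarkupBanner with unknown type {kind!r}")
        if kind == "system-banner":
            loc = banner.get("location")
            if loc not in ("header", "footer"):
                problems.append("system-banner must name one location, header or footer")
            elif loc in seen_locations:
                problems.append(f"more than one system-banner for {loc}")
            seen_locations.append(loc)
    pre = [b for b in root.findall(q("MarkupBanner")) if b.get("type") == "pre-login"]
    if not any((b.text or "").strip() for b in pre):
        problems.append("no WebGUI pre-login banner text")
    return problems


def banner_text(data, element, banner_type):
    """Text of the first <element type=banner_type> after parsing the file back."""
    root = ET.fromstring(data)
    for banner in root.findall(q(element)):
        if banner.get("type") == banner_type:
            return banner.text
    return None


# Constructed counter-example: the "&" written raw, as a hand edit might do.
HAND_EDITED_BAD = (
    f'<User-Interface xmlns="{UI_NS}">'
    "<TextBanner type=\"pre-login\">I've read & consent</TextBanner>"
    "</User-Interface>"
)

if __name__ == "__main__":
    doc = build_ui_customization(WEBGUI_BANNER, CLI_BANNER)
    print(doc.decode())
    print("generated:", check_ui_customization(doc) or "OK")
    print("hand-edited:", check_ui_customization(HAND_EDITED_BAD))
```

Parse the generated file back before uploading it: the ampersand must come back unchanged from the element text while the on-disk bytes contain "&amp;", which is the difference between a file the appliance can read and one it cannot.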
For an HTTPS application hosted on DataPower to display a landing page, the application designer will need to make that landing page available on the DataPower appliance or remotely accessible on a server. This landing page will be the page that the user sees, and the user will have to acknowledge this page before being redirected to the application/logon. If the banner page does not load when first accessing an application, this is a finding.
The application designer will create a service object in DataPower (e.g., Multi Protocol Gateway). As part of the object configuration, the application designer will create a Processing Policy object. The processing policy controls access to the Processing Rules of the application. The application designer will create a Processing Rule that allows the banner page to be displayed when a user accesses the application. The application designer will ensure that the banner page redirects the application user to the appropriate next step (e.g., logon page, application page, etc.) after the end user has accepted the terms of the agreement.
For an HTTP application hosted on DataPower to display a landing page, the application designer will need to make that landing page available on the DataPower appliance or remotely accessible on a server. This landing page will be the page that the user sees, and the user will have to acknowledge this page before being redirected to the application/logon. If the banner page does not load when first accessing an application, this is a finding.
The application designer will create a service object in DataPower (e.g., Multi Protocol Gateway). As part of the object configuration, the application designer will create a Processing Policy object. The processing policy controls access to the Processing Rules of the application. The application designer will create a Processing Rule that allows the banner page to be displayed when a user accesses the application. The application designer will ensure that the banner page redirects the application user to the appropriate next step (e.g., logon page, application page, etc.) after the end user has accepted the terms of the agreement.
For FIPS 140-2 Level 1 Mode (firmware): Privileged account user log on to default domain via the WebGUI >> In the search field type "crypto" >> Press "enter". From the search results, click "Cryptographic Mode Status"; the "Cryptographic Mode Status" table is displayed. If the "Target" is not "FIPS 140-2 Level 1", this is a finding. For FIPS 140-2 Level 3 Mode (Hardware Security Module): Privileged account user log on to default domain via the CLI >> Enter "show crypto-engine" >> Confirm "Crypto Accelerator Type" is "hsm2" >> Confirm "Crypto Accelerator Status" is "fully operational" >> Confirm "Crypto Accelerator FIPS 140-2 Level" is "3". If these three settings cannot be confirmed, this is a finding.
Configure FIPS 140-2 Level 1 in firmware only: Privileged account user log on to default domain >> In the search field type "crypto" >> Press "enter" >> From the search results, click "Crypto Tools" >> Click the "Set Cryptographic Mode" tab >> From the "Cryptographic Mode" list, select "FIPS 140-2 Level 1" >> Click the "Set Cryptographic Mode" button >> When prompted to confirm the cryptographic mode change, click "Confirm" >> When notified that the action completed successfully, click "Close" >> Click "Save Configuration". Restart the appliance: Control Panel >> System Control >> Shutdown >> Select "Mode" from the drop-down list: "Reboot System" >> Click the "Shutdown" button >> Click "Confirm" >> Click "Close".
Configure the FIPS 140-2 Level 3 Hardware Security Module as follows. Log on to the command line of the appliance and enter:
configure terminal
crypto
hsm-reinit hsm-domain datapower3
(see the online documentation; "datapower3" refers to the name of the configured key-sharing domain) >> At the prompt "Do you want to continue ('yes' or 'no')", enter "yes" >> Enter "shutdown reboot". Note: hsm-reinit re-initializes the HSM and discards the key material it holds; treat it as an initial-setup step, not one to repeat on an appliance whose HSM keys are in use.
In the search field, enter "SSL Server Profile" >> Select "SSL Server Profile" from the results >> Click the name of the SSL Server Profile object to be inspected >> Confirm that the TLS 1.1 and TLS 1.2 protocol options are checked. If they are not checked, this is a finding.
The implementer will configure an "SSL Server Profile" to be used for SSL negotiation of a given service. In the search field, enter "SSL Server Profile" >> Select "SSL Server Profile" from the results >> Click "Add" >> Configure the SSL Server Profile, providing a logical object name and appropriate selection of settings (depending on what type of SSL connection is to be implemented - forward, reverse, mutual) >> Protocols to be enabled include TLS 1.1 and 1.2 (both are enabled by default).
Privileged account user log on to default domain >> Administration >> Miscellaneous >> "Manage Log Targets" >> Click the appropriate log target (e.g., "logTargetSystemResources") >> Click the "Event Filters" tab >> Confirm subscriptions to the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017. If any of these codes are not subscribed to, this is a finding.
Audit logging may be interrupted due to insufficient memory and/or insufficient disk space to write logs. IBM DataPower Gateway appliances will monitor system resources and generate appropriate event codes in such cases. The relevant event codes are: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017 (Privileged account user log on to default domain >> Administration >> Debug >> "View List of Event Codes"). A Log Target can be configured to generate notifications (e.g., SNMP, SMTP) in the event that any of these event codes are detected. Privileged account user log on to default domain >> Administration >> Miscellaneous >> "Manage Log Targets" >> Click the "Add" button >> Name: "logTargetSystemResources" >> Target Type: select the desired notification mechanism (e.g., SNMP, SMTP) >> Log Format: Select a desired log format (e.g., text) >> Fixed Format: off >> Rate Limit: Specify an alert rate limit (default is 100/second) >> Feedback Detection: on >> Identical Event Detection: off >> Provide any additional required configuration specific to the Target Type (e.g., SMTP) >> Click the "Event Filters" tab >> Under "Event Subscriptions", add the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017 >> Click the "Apply" button >> Click "Save Configuration".
Login page >> Enter non-admin user id and password, select Default for domain >> Click Login. If non-admin user can log on, this is a finding.
Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click add >> Click Apply >> Click Apply >> Click Save Configuration.
Review the list of authorized applications, services, and protocols that has been added to the PPSM database. Privileged Account User logon to the WebGUI >> Log on to the Default domain >> Click Status >> Main >> Active Services >> Click Show All Domains. If any of the Active Services allows traffic that is prohibited by the PPSM CAL, this is a finding.
Review the PPSM CAL before configuring services on the DataPower Gateway. This device will either be placed in the enclave DMZ or on a private network; this must be taken into account. Configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
Using the appliance's WebGUI, navigate to DataPower Gateway's Configure AAA Policy (authentication, authorization, audit) at Objects >> XML Processing >> AAA Policy. Open the applicable AAA policy. On the Identity extraction tab, confirm that the appropriate methods are checked and appropriate processing option specified. On the Authentication tab, confirm that all parameters associated with the authentication method (e.g., LDAP) are correctly specified. If these items are not configured, this is a finding.
Using the appliance's WebGUI, navigate to DataPower Gateway's Configure AAA Policy (authentication, authorization, audit) at Objects >> XML Processing >> AAA Policy. Open the applicable AAA policy. On the Identity extraction tab, check the appropriate methods and processing option. On the Authentication tab, specify all parameters associated with the desired authentication method (e.g., LDAP).
Using the appliance's WebGUI, navigate to DataPower Gateway's Configure AAA Policy (authentication, authorization, audit) at Objects >> XML Processing >> AAA Policy. On the Resource extraction tab, confirm that the correct resource information categories are checked. If these items are not configured, this is a finding.
Using the appliance's WebGUI, navigate to DataPower Gateway's Configure AAA Policy (authentication, authorization, audit) at Objects >> XML Processing >> AAA Policy. On the Resource extraction tab, specify the correct resource information categories. If there is a requirement for resource mapping, on the Resource mapping tab, specify the appropriate method and associated information. On the Authorization tab, specify the correct methods, associated information and caching parameters.
Verify that a DataPower service processing policy includes an appropriately configured AAA policy action. For example, for a Multi-Protocol Gateway service, this may be accomplished as follows: On the main Control Panel of the DataPower WebGUI, click on Multi-Protocol Gateway >> Open the existing target Multi-Protocol Gateway instance >> Click on the "..." to the right of the Multi-Protocol Gateway Policy dropdown list box to open its processing policy. Confirm that the rule in the processing policy includes an AAA action. Double click on the AAA action (on the rule line) >> Click on the "..." to the right of the selected AAA Policy to open it >> Confirm that the values configured on the Main, Identity extraction, Authentication (specific authentication server specified), and Resource extraction tabs are correct. If any of the configuration conditions are not met, this is a finding.
Through the configuration of the Authentication tab of an authentication, authorization, and audit (AAA) policy, the DataPower Gateway restricts user authentication traffic to specific authentication server(s). An AAA policy identifies a set of resources and procedures that determine whether a requesting client is granted access to a specific service, file, or document. AAA policies are similar to filters that accept or deny a specific client request. AAA policies support a wide range of authentication and authorization mechanisms. You can "mix and match" multiple authentication and authorization mechanisms in a single policy. For example, one AAA policy can use a single RADIUS server to provide authentication and authorization services. Another policy can authenticate with RADIUS, map RADIUS credentials to an LDAP group with an XML file, and authorize with LDAP. POLICY CONFIGURATION The AAA policy must be configured as follows: In the DataPower WebGUI, navigate to Objects >> XML Processing >> AAA Policy >> Press “Add” to add a new policy >> On the Main tab, configure general policy parameters >> On the Identity extraction tab, define how to extract the claimed identity of the service requestor >> On the Authentication tab, define the specific external control server that will accomplish authentication (e.g., LDAP) >> On the Resource extraction tab, configure how DataPower should extract the requested resource from the request message. POLICY IMPLEMENTATION This defined AAA policy must then be associated with a DataPower service.
For a Multi-Protocol Gateway service this may be accomplished as follows: On the main Control Panel of the DataPower WebGUI, click on Multi-Protocol Gateway >> Add and name a Multi-Protocol Gateway instance >> Click on the "+" to the right of the Multi-Protocol Gateway Policy dropdown list box >> Name the policy >> Click "New Rule" to add a processing rule to this gateway (DataPower service) >> Click and drag the AAA icon down to the processing line to the right of the "=" >> Double-click the AAA icon on the line. In the AAA Policy dropdown, select the policy you configured above >> Click Done >> Click Apply Policy >> Close window >> On the Configure Multi-Protocol Gateway screen, click Apply >> Click Save Configuration (in the upper right corner of the screen).
Scenario 1: Prerequisites: 1. The user’s identity/attributes are stored in LDAP, including Distinguished Name (DN) and DataPower group membership (users can only be a member of one group). 2. The user has a device that has access to their digital certificate (e.g., via a CAC/PIV card reader connected to a laptop/desktop computer). The user opens a browser and navigates to the URL for the DataPower WebGUI. The user provides their assigned ID and password, which are authenticated by DataPower. If the user does not gain access to the DataPower appliance Control Panel screen, this is a finding.
Scenario 2: Prerequisites: 1. The user’s identity/attributes are stored in LDAP, including Distinguished Name (DN) and DataPower group membership (users can only be a member of one group). 2. The user has a device that has access to a different user’s digital certificate (e.g., via a CAC/PIV card reader connected to a laptop/desktop computer). The user opens a browser and navigates to the URL for the DataPower WebGUI. The user provides their assigned ID and password, which are authenticated by DataPower. If the user gains access to the DataPower appliance Control Panel screen, this is a finding.
Scenario 3: Prerequisites: 1. The user’s identity/attributes are stored in LDAP, including Distinguished Name (DN). In this case, the DataPower group membership is either not defined, or a group name is specified for which there is no corresponding group definition on the DataPower appliance. 2. The user has a device that has access to a different user’s digital certificate (e.g., via a CAC/PIV card reader connected to a laptop/desktop computer). The user opens a browser and navigates to the URL for the DataPower WebGUI. The user provides their assigned ID and password, which are authenticated by DataPower. If the user gains access to the DataPower appliance Control Panel screen, this is a finding.
This scenario starts with a user connecting to DataPower over an HTTPS connection in which the user provides a digital certificate that asserts their identity. This digital certificate could come from a CAC/PIV/Smart Card, or could be a “soft certificate” embedded into a browser/application on a desktop, laptop, or mobile device. All configuration tasks take place within the default domain.

DataPower’s WebGUI interface is configured to require a client-supplied digital certificate: Network >> Management >> Web Management Service >> Advanced Tab >> Custom SSL Server Type: “Server Profile” >> Custom SSL Server Profile >> Click “+” >> Provide a name for the profile >> Configure “Identity Credentials” >> Request Client Authentication: “on” >> Configure “Validation Credentials” (used to validate the client’s digital certificate using Certificate Authority (CA) signer certificates). When configuring the Validation Credentials, configure Use CRL: “on”; Require CRL: “on”. CRL Retrieval is configured via Objects >> Crypto Configuration >> CRL Retrieval >> Advanced Tab >> Configure CRL retrieval policies.

Once an SSL connection is established to the WebGUI, the user is prompted for an ID and password. Authentication for all DataPower users is configured via the Role Based Management (RBM) feature: Administration >> Access >> RBM Settings. Configure Authentication (Authentication tab) >> Authentication Method >> Custom >> Custom URL (URL referencing an XSL Stylesheet or GatewayScript file on the appliance). The XSL/GatewayScript will receive an XML node at runtime containing the user’s ID and password, as submitted via the WebGUI logon page. The script will need to authenticate the ID/Password credentials using an LDAP/AD server. Once the user has been authenticated via ID/Password, the LDAP record for the user is retrieved, including the Distinguished Name (DN) and DataPower group membership. A given user can only be assigned to a single DataPower group.
The user’s DN from LDAP is compared to the DN that the XSLT/script extracts from the SSL Client Certificate. If the two DN values match, then the user is considered to have authenticated with two factors.
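The DN comparison and group-mapping decision described above, written out as an added standalone Python model; this is not DataPower's XSLT/GatewayScript and not part of the STIG. The directory records, group names and DN strings are constructed, and the ID/password authentication against LDAP is assumed to have already succeeded before this step runs. Both DNs are assumed to be in RFC 4514 string form; RDN order is compared strictly, and both the "different user's certificate" (Scenario 2) and "undefined group" (Scenario 3) cases are refused.

```python
import re

# Constructed sample data: groups defined on the appliance via the RBM Builder,
# and the LDAP attributes returned for each authenticated user ID.
DEFINED_GROUPS = {"sysadmin", "developer"}
LDAP_RECORDS = {
    "jdoe": {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=org", "group": "developer"},
    # Group name with no corresponding DataPower group definition (Scenario 3).
    "jroe": {"dn": "CN=John Roe,OU=Users,DC=example,DC=org", "group": "auditor"},
}


def _split_unescaped(s, sep):
    """Split s on sep characters that are not escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Resolve RFC 4514 escapes: \\XX hex pairs (UTF-8 bytes) and \\c specials."""
    out, pending, i = [], bytearray(), 0

    def flush():
        if pending:
            out.append(pending.decode("utf-8"))
            pending.clear()

    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
                pending += bytes.fromhex(value[i + 1:i + 3])
                i += 3
                continue
            flush()
            out.append(value[i + 1])
            i += 2
            continue
        flush()
        out.append(value[i])
        i += 1
    flush()
    return "".join(out)


def parse_dn(dn):
    """Normalize a DN string into a tuple of RDNs. Each RDN is a frozenset of
    (type, value) pairs so multi-valued RDNs compare regardless of AVA order;
    types are case-insensitive and values are whitespace-folded and casefolded
    (the caseIgnoreMatch behaviour of cn, ou, o, dc and similar attributes)."""
    rdns = []
    for rdn in _split_unescaped(dn.strip(), ","):
        pairs = set()
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("malformed RDN: %r" % ava)
            atype, value = ava.split("=", 1)
            norm = " ".join(_unescape(value).split()).casefold()
            pairs.add((atype.strip().casefold(), norm))
        rdns.append(frozenset(pairs))
    return tuple(rdns)


def dn_equal(a, b):
    return parse_dn(a) == parse_dn(b)


def second_factor_check(user_id, cert_subject_dn, directory=LDAP_RECORDS,
                        defined_groups=DEFINED_GROUPS):
    """Bind the password-authenticated ID to the certificate holder and map the
    user to a local group. Returns (granted, group_or_reason)."""
    record = directory.get(user_id)
    if record is None:
        return False, "no LDAP record for authenticated ID"
    if not dn_equal(record["dn"], cert_subject_dn):
        # Scenario 2: valid password but someone else's certificate.
        return False, "certificate subject DN does not match LDAP DN"
    group = record.get("group")
    if not group or group not in defined_groups:
        # Scenario 3: no usable group mapping, so no access rather than a default role.
        return False, "no matching DataPower group definition"
    return True, group
```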
To verify that DataPower requires mutual authentication when establishing TLS connections to remote hosts, click on the Multi-Protocol Gateway or Web Service Proxy icons on the Control Panel (the initial screen). Click on the configured available service(s) to view its configuration. For Multi-Protocol Gateway, scroll down to view User Agent Settings >> Verify that the SSL Configuration is set to Client Profile or Proxy Profile >> Click the ellipses (...) button to view the configuration of the Client Profile or Proxy Profile. For SSL Client Profile, verify that only TLS v1.1 and v1.2 are enabled. For SSL Client Profile, verify that a validation credential is configured. For SSL Proxy Profile, click the ellipses (…) button to view the configuration of the Crypto Profile >> Verify that all Options are disabled except TLS version 1.1 and 1.2 >> Verify that a Validation Credential is configured. To verify that DataPower requires mutual authentication when accepting TLS connections from remote hosts, click on the Multi-Protocol Gateway or Web Service Proxy icons on the Control Panel (the initial screen) >> Click on the configured available service(s) to view its configuration. For Multi-Protocol Gateway, scroll down to view the Front Side Protocol settings >> Select the current HTTPS Front Side Handler from the dropdown list >> Click “…” to view configuration of the Handler >> Click “...” to view the configuration of the SSL Server Profile or SSL Proxy Profile. For SSL Server Profile, verify that only TLS v1.1 and v1.2 are enabled. For SSL Server Profile, verify that a validation credential is configured. For SSL Proxy Profile, click “…” to view the configuration of the Crypto Profile >> Verify that the Ciphers are only HIGH >> Verify that all Options are disabled except TLS version 1.1 and 1.2 >> Verify that Always Request Client Authentication is set to On >> Verify that a Validation Credential is configured. If they are not, this is a finding. 
Use the WebGUI Control panel to select and open a specific service, then open its processing policy. Confirm that a rule with a filter action exists and that the method is "Replay Filter". If they are not, this is a finding. To confirm interface isolation has been correctly maintained, use the WebGUI at Network >> Interface >> Network Settings. Confirm that Relax interface Isolation is Off. Confirm Disable interface isolation is Off. If they are not, this is a finding.
To define mutual TLS connections when the DataPower device is the requesting client, use the DataPower WebGUI at Objects >> Crypto Configuration. Click SSL Client Profile >> Click Add to create a new one if one does not already exist. Provide a name >> Deselect all Protocols except TLS version 1.1 and 1.2 >> Deselect Use SNI >> Choose an active Identification Credential from the list. This determines the local keys. If no ID Creds exist, click “+” to create one. You will need access to the key files you want to use. Choose an active Validation credentials object from the list. If no Val Creds exist, click “+” to create one. You will need access to the server certs you want to validate. Click Apply >> Click Save Configuration. Use this new SSL Client Profile when configuring a service, such as a Multi-Protocol Gateway or Web Service Proxy, to connect to other servers. If the remote server will not agree to TLS v1.2 or v1.1 and does not provide a certificate that is validated, the connection will not be established. To define mutual TLS connections when the DataPower device is the server, use the DataPower WebGUI at Objects >> Crypto Configuration. Click SSL Server Profile >> Click Add to create a new one if one does not already exist. Provide a name >> Deselect all Protocols except TLS version 1.1 and 1.2 >> Choose an active Identification Credential from the list. This determines the local keys. If no ID Creds exist, click “+” to create one. You will need access to the key files you want to use. Set Request client authentication to On >> Choose an active Validation credentials object from the list. If no Val Creds exist, click “+” to create one. You will need access to the server certs you want to validate. Click Apply >> Click Save Configuration. Use this new SSL Server Profile when configuring an HTTPS Front Side Handler, which is in turn used by a service, such as a Multi-Protocol Gateway or Web Service Proxy to accept incoming requests. 
If the remote client will not agree to TLS v1.2 or v1.1 and does not provide a certificate that is validated, the connection will not be established. Replay filter(s): Use the WebGUI to define a replay filter processing action. From the DataPower WebGUI, click on and add a service type (e.g., Web Service Proxy). Add a policy (in this case, a Multi-Protocol Gateway Policy). Create a processing rule. Add a Filter action. Specify "Replay Filter" as the method. Network interface isolation: By default, the DataPower Gateway provides interface isolation: the appliance refuses to accept a packet on an interface other than the one bound to the destination address of the packet. Use the WebGUI at Network >> Interface >> Network Settings to configure a network interface.
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile and SSL Server Profile. Confirm that each Profile's parameters are set correctly (as defined in the Fix column) and that each profile is using a correctly defined Crypto Validation Credentials (as defined in the Fix column). If they are not correctly defined, this is a finding.
Objects >> Crypto Configuration >> Crypto Validation Credentials >> Press Add to create a credential. Supply the following parameters:
Name: Assign a name to these Crypto Validation Credentials.
Certificates: Define the certificate aliases for the Crypto Validation Credentials object. Each certificate in the Validation Credentials object is the certificate that a TLS peer might send, or is the certificate of the Certification Authority (CA) that signed the certificate sent by a peer, or is the root certificate.
Certificate Validation Mode: Select "Full certificate chain checking (PKIX)".
Use CRL: On
Require CRL: On
CRL Distribution Points Handling: Require. Specifying this option will result in checks against, but does not fetch, the CRLs in the X.509 CRL Distribution Point extensions. If any CRL in a CRL Distribution Point extension no longer exists in the CRL cache, the certificate validation fails.
USE THE ABOVE-DEFINED CRYPTO-VALIDATION CREDENTIALS FOR TLS PATH VALIDATION.
SSL CLIENT PROFILE
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile. Supply the following parameters:
Protocols: Check only TLS versions 1.1 and 1.2
Validate server certificate: On
Validation credentials: Select from the dropdown the above-defined Crypto Validation Credentials
SSL SERVER PROFILE
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Server Profile. Supply the following parameters:
Protocols: Check only TLS versions 1.1 and 1.2
Request client authentication: On
Require client authentication: On
Validate client certificate: On
Send client authentication CA list: On
Validation credentials: Select from the dropdown the above-defined Crypto Validation Credentials.
Verify that a DataPower service processing policy includes an appropriately configured AAA policy action. For example, for a Multi-Protocol Gateway service, this may be accomplished as follows: On the main Control Panel of the DataPower WebGUI, click on Multi-Protocol Gateway >> Open the existing target Multi-Protocol Gateway instance >> Click on the "..." to the right of the Multi-Protocol Gateway Policy dropdown list box to open its processing policy >> Confirm that the rule in the processing policy includes an AAA action >> Double click on the AAA action (on the rule line) >> Click on the "..." to the right of the selected AAA Policy to open it >> Review the values configured on the Main, Identity extraction, Authentication, Resource extraction, and Credential mapping tabs If any of the configuration conditions are not met, this is a finding.
The AAA policy must be configured as follows: In the DataPower WebGUI, navigate to Objects >> XML Processing >> AAA Policy >> Press Add to add a new policy. On the Main tab, configure general policy parameters. On the Identity extraction tab, select either of the following methods to extract the claimed identity of the service requestor: Subject DN of SSL certificate from connection peer or Subject DN from certificate in message signature. On the Authentication tab, define the external control server that will accomplish authentication. On the Resource extraction tab, configure how DataPower should extract the requested resource from the request message. On the Credential mapping tab, select from the following options the desired method for credential mapping: Custom (Identifies a custom mapping resource such as a stylesheet or GatewayScript file), AAA information file (Identifies a DataPower information file, which is an XML file, as the mapping resource), Apply XPath expression (Identifies an XPath expression as the mapping resource), Credentials from WS-SecureConversation token (Identifies that credentials are taken from the WS-SecureConversation context token), Credentials from Tivoli Federated Identity Manager (Identifies that credentials are from a Tivoli Federated Identity Manager endpoint). POLICY IMPLEMENTATION This defined AAA policy must then be associated with a DataPower service. 
For example, using the Multi-Protocol Gateway service this may be accomplished as follows: On the main Control Panel of the DataPower WebGUI, click on Multi-Protocol Gateway >> Add and name a Multi-Protocol Gateway instance >> Click on the "+" to the right of the Multi-Protocol Gateway Policy dropdown list box >> Name the policy >> Click "New Rule" to add a processing rule to this gateway (DataPower service) >> Click and drag the AAA icon down to the processing line to the right of the "=" >> Double-click the AAA icon on the line >> In the AAA Policy dropdown, select the policy you configured above, then click Done >> Click Apply Policy >> Close window. On the Configure Multi-Protocol Gateway screen, click Apply, then Save Configuration (in the upper right corner of the screen).
Verify that a DataPower service processing policy includes an appropriately configured AAA policy action. For example, for a Multi-Protocol Gateway service, this may be accomplished as follows: On the main Control Panel of the DataPower WebGUI, click on Multi-Protocol Gateway >> Open the existing target Multi-Protocol Gateway instance >> Click on the "..." to the right of the Multi-Protocol Gateway Policy dropdown list box to open its processing policy >> Confirm that the rule in the processing policy includes an AAA action >> Double-click on the AAA action (on the rule line) >> Click on the "..." to the right of the selected AAA Policy to open it >> Confirm that the values configured on the Main, Identity extraction, Authentication, and Resource extraction tabs are correct >> If any of the configuration conditions are not met, this is a finding.
Through the configuration of an authentication, authorization, and audit policy (AAA), the DataPower Gateway provides user authentication intermediary services that uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). POLICY CONFIGURATION The AAA policy must be configured as follows: In the DataPower WebGUI, navigate to Objects >> XML Processing >> AAA Policy. Press Add to add a new policy. On the Main tab, configure general policy parameters. On the Identity extraction tab, define how to extract the claimed identity of the service requestor. On the Authentication tab, define the specific external control server that will accomplish authentication (e.g., LDAP). On the Resource extraction tab, configure how DataPower should extract the requested resource from the request message. POLICY IMPLEMENTATION This defined AAA policy must then be associated with a DataPower service. For a Multi-Protocol Gateway service, this may be accomplished as follows: On the main Control Panel of the DataPower WebGUI, click on Multi-Protocol Gateway >> Add and name a Multi-Protocol Gateway instance >> Click on the "+" to the right of the Multi-Protocol Gateway Policy dropdown list box >> Name the policy >> Click "New Rule" to add a processing rule to this gateway (DataPower service) >> Click and drag the AAA icon down to the processing line to the right of the "=" >> Double-click the AAA icon on the line >> In the AAA Policy dropdown, select the policy you configured above, then click Done >> Click Apply Policy >> Close window. On the Configure Multi-Protocol Gateway screen, click Apply, then Save Configuration (in the upper right corner of the screen).
From the initial Web interface screen (the Control Panel), select Objects >> Protocol Handlers >> HTTPS Front Side Handler. Click on each of the Handlers in the list that appears >> Click the Advanced tab of the Handler configuration >> Verify that there is an Access Control List selected >> Click the ellipses (…) button beside the list. On the Access Control List page, click the Entry tab >> Verify that the network segments representing internal networks are denied. If these items are not configured, this is a finding.
From the initial Web interface screen (the Control Panel), select Objects >> Protocol Handlers >> HTTPS Front Side Handler. Click on each of the Handlers in the list that appears >> Click the Advanced tab of the Handler configuration. For the Access Control List field, click “+” to create a new ACL >> Enter a name for the List >> Click the Entry tab >> Click Add >> Select Deny and set the Address Range to network segments representing internal networks >> Click Apply.
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile and SSL Server Profile. Select the profiles that are configured for the application session requiring mutual authentication. Confirm that the correct protocol and cipher parameters are set and that the correct identification and validation credentials are specified. If these items are not configured, this is a finding.
Using the WebGUI, go to Objects >> Crypto Configuration >> SSL Client Profile and SSL Server Profile. Create a client and server profile for the application session requiring mutual authentication. Specify the correct protocol and cipher parameters and the correct identification and validation credentials.
From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1: Status >> Crypto >> Cryptographic Mode Status. Then, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> System Logs. If the device is not set to FIPS 140-2 Level 1, this is a finding.
From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. This will achieve NIST SP800-131a compliance.
From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1: Status >> Crypto >> Cryptographic Mode Status. Then, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> System Logs. If these items are not configured, this is a finding.
From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. This will achieve NIST SP800-131a compliance.
Verify that all desired optional failure notification functions are configured by going to the WebGUI at Administration >> Device >> Failure Notification. If this is not configured, this is a finding.
By default, in the event of a system failure the DataPower Gateway saves diagnostic information, logs system messages, loads the most current security policies, rules, and signatures when restarted, and reverts to Failsafe Mode. In addition, the DataPower Gateway supports the configuration of optional failure notification functions. These include the following: upload error report, include internal state, background packet capture, background log capture, and background memory trace. To configure these additional functions, use the WebGUI at Administration >> Device >> Failure Notification. Select the capabilities desired.
View each interface that is connected to a network that is less trusted or untrusted. In the DataPower web interface, navigate to Ethernet interface >> Network settings >> Internet Control Message Protocol (ICMP) Disable. If the Administrative State is not "Disable", this is a finding.
In the DataPower web interface, navigate to Ethernet interface >> Network settings >> Internet Control Message Protocol (ICMP) Disable. Set the Administrative State to "Disable".
Search Bar “Processing Rule” >> Processing rule. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Processing Rule” >> Processing rule >> Rule Action “+” >> Action Type “Filter”. In the filter action, specify that the provided XSL stylesheet, store:///SQL-Injection-Filter.xsl, be used for the transform. For the injection pattern file, specify store:///SQL-Injection-Patterns.xml, or specify the following name-value pair for the stylesheet parameters: Name: {http://www.datapower.com/param/config}SQLPatternFile Value: store:///SQL-Injection-Patterns.xml
Search Bar “Processing Rule” >> Processing rule. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Processing Rule” >> processing rule >> Rule Action “+” >> Action Type “Filter”. In the filter action, specify that the provided XSL stylesheet, store:///SQL-Injection-Filter.xsl, be used for the transform. For the injection pattern file, specify store:///SQL-Injection-Patterns.xml, or specify the following name-value pair for the stylesheet parameters: Name: {http://www.datapower.com/param/config}SQLPatternFile Value: store:///SQL-Injection-Patterns.xml
Search Bar “Processing Rule” >> Processing rule. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Processing Rule” >> processing rule >> Rule Action “+” >> Action Type “Filter”. In the filter action, specify that the provided XSL stylesheet, store:///SQL-Injection-Filter.xsl, be used for the transform. For the injection pattern file, specify store:///SQL-Injection-Patterns.xml, or specify the following name-value pair for the stylesheet parameters: Name: {http://www.datapower.com/param/config}SQLPatternFile Value: store:///SQL-Injection-Patterns.xml
Search Bar “Processing Rule” >> Processing rule. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Processing Rule” >> processing rule >> Rule Action “+” >> Action Type “Filter”. In the filter action, specify that the provided XSL stylesheet, store:///SQL-Injection-Filter.xsl, be used for the transform. For the injection pattern file, specify store:///SQL-Injection-Patterns.xml, or specify the following name-value pair for the stylesheet parameters: Name: {http://www.datapower.com/param/config}SQLPatternFile Value: store:///SQL-Injection-Patterns.xml
Search Bar “Processing Rule” >> Processing rule. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Processing Rule” >> processing rule >> Rule Action “+” >> Action Type “Filter”. In the filter action, specify that the provided XSL stylesheet, store:///SQL-Injection-Filter.xsl, be used for the transform. For the injection pattern file, specify store:///SQL-Injection-Patterns.xml, or specify the following name-value pair for the stylesheet parameters: Name: {http://www.datapower.com/param/config}SQLPatternFile Value: store:///SQL-Injection-Patterns.xml
Search Bar “Processing Rule” >> Processing rule. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Processing Rule” >> processing rule >> Rule Action “+” >> Action Type “Filter”. In the filter action, specify that the provided XSL stylesheet, store:///SQL-Injection-Filter.xsl, be used for the transform. For the injection pattern file, specify store:///SQL-Injection-Patterns.xml, or specify the following name-value pair for the stylesheet parameters: Name: {http://www.datapower.com/param/config}SQLPatternFile Value: store:///SQL-Injection-Patterns.xml
Search Bar “Log Target” >> Log target >> Event Subscription tab. If “audit” is not listed under Event Category, this is a finding. (Note: If the only Log Target available is “default-log”, this is a finding.)
Search Bar “Log Target” >> Log target >> Event Subscription tab >> Add >> Event Category “audit” >> Minimum Event Priority event priority level >> Apply >> Apply >> Save Configuration. If the only log target is “default-log”: Type “Log Target” in the Search field >> Log target >> Main tab >> Target Type “syslog” >> syslog Facility facility >> Local Identifier identifier >> Remote Host hostname.
In default domain >> Search Bar “SNMP Settings”. If SNMP object is disabled, this is a finding.
In default domain >> Search Bar “SNMP Settings” >> Enterprise MIBs tab >> Download and store all DataPower MIBs >> Trap and Notification Targets tab >> Add >> Remote Hosts Address host address >> Remote Port port >> Versions snmp version >> Apply >> Apply >> Save Configuration. If the only log target is “default-log”: Type “Log Target” in the Search field >> Log target >> Main tab>>Target Type “syslog” >> syslog Facility facility >> Local Identifier identifier >> Remote Host hostname.
Search Bar “Log Target” >> Log target >> Event Subscription tab. If “audit” is not listed under Event Category, this is a finding. If “Rule Action” does not contain a “Filter” action, this is a finding.
Search Bar “Log Target” in the Search field >> Log target >> Event Subscription tab >> Add >> Event Category “audit” >> Minimum Event Priority event priority level >> Apply >> Apply >> Save Configuration. If the only log target is “default-log”: Type “Log Target” in the Search field >> Log target >> Main tab >> Target Type “syslog” >> syslog Facility facility >> Local Identifier identifier >> Remote Host hostname.
Examine configuration of Log targets (type “Log Target” in navigation search box) to verify a target that delivers Critical messages. If no log targets are configured, this is a finding.
Configure a Log Target to send all Critical log messages to the desired destination. Search Bar “Log Target” >> Add >> Name log target name >> Target Type “SOAP” >> URL dest url >> Event Subscriptions tab >> Add >> Event Category “all” >> Minimum Event Priority “critical”
Search Bar “AAA Policy” >> Select AAA Policy. If no AAA Policy is present, this is a finding. Search Bar “AAA Policy” >> Select AAA Policy >> AAA policy >> Authentication. If cache authentication results “Disabled”, this is a finding. Search Bar “Processing Policy” >> processing policy >> Policy Maps tab processing rule >> Rule Action. If no AAA action exists, this is a finding.
Search Bar “AAA Policy” >> Select AAA Policy >> AAA policy >> Authentication >> Cache authentication results “Absolute” or “Maximum” or “Minimum” >> Cache Lifetime cache value. Search Bar “Processing Policy” >> processing policy >> Policy Maps tab processing rule >> Processing Rule processing rule >> Rule Action AAA policy
Search Bar “AAA Policy” >> Select AAA Policy. If no AAA Policy is present, this is a finding. Search Bar “AAA Policy” >> Select AAA Policy >> AAA policy >> Authentication. If cache authentication results “Disabled”, this is a finding. Search Bar “Processing Policy” >> processing policy >> Policy Maps tab processing rule >> Rule Action. If no AAA action exists, this is a finding.
Search Bar “AAA Policy” >> Select AAA Policy >> AAA policy >> Authentication >> Cache authentication results “Absolute” or “Maximum” or “Minimum” >> Cache Lifetime cache value. Search Bar “Processing Policy” >> processing policy >> Policy Maps tab processing rule >> Processing Rule processing rule >> Rule Action AAA policy
Search Bar "AAA Policy" >> Select AAA Policy >> Identity Extraction "Name from SAML Authentication assertion" >> Authentication >> Method "Accept SAML assertion with valid signature". If no AAA Policy is present, this is a finding.
Search Bar “AAA Policy” >> Select AAA Policy >> Identity Extraction “Name from SAML Authentication assertion” >> Authentication >> Method “Accept SAML assertion with valid signature”
Type “Validation Credential” in the nav search. Verify that ValCred has only DoD certs. If ValCred does not contain DoD certs, this is a finding. Check config of active SSL Proxy Profiles to ensure use of ValCred. If SSL Proxy does not contain a ValCred, this is a finding.
Type “Validation Credential” in search bar. Create ValCred with only DoD certs. When creating SSL Proxy Profiles, require mutual authentication; then use ValCred with only DoD certs.
Type “Message Count Monitor” in nav search. Verify that Count Monitor exists. Check configuration of any active service to see that count monitor is in effect. If no monitor is configured for each active service, this is a finding.
Type “Message Count Monitor” in nav search. Create a new monitor with the desired limits. When configuring any service, activate the count monitor.
Type “Load Balancer Group” in nav search. Check the configuration of all active services and verify that the XML Manager used by the service has an active Load Balancer Group. If no Load Balancer group is present, this is a finding.
Type “Load Balancer Group” in nav search >> Add >> Algorithm select algorithm. Type “XML Manager” in nav search >> Add >> Load Balance Groups load balance group. Associate this XML Manager with all active services.
XML DoS: Single message attacks: Jumbo Payload, Recursion, Mega Tags, Coercive parsing, Public key. Multiple message attacks: XML flood, Resource hijack. WebGUI Services >> XML Firewall >> Edit XML Firewall XML, Threat Protection tab.
AAA DoS: Protection against DoS flooding attacks. WebGUI Objects >> XML Processing >> AAA Policy, Main tab.
PKCS #7 Document DoS: Signature-limit protection. WebGUI Objects >> XML Processing >> Processing Action, select Crypto Binary action type.
Service level monitor (SLM) policy: WebGUI Objects >> Monitoring >> SLM Policy.
If these items are not configured, this is a finding.
XML DoS: Single message attacks: Jumbo Payload, Recursion, Mega Tags, Coercive parsing, Public key. Multiple message attacks: XML flood, Resource hijack. WebGUI Services >> XML Firewall >> Edit XML Firewall XML, Threat Protection tab.
AAA DoS: Protection against DoS flooding attacks. WebGUI Objects >> XML Processing >> AAA Policy, Main tab.
PKCS #7 Document DoS: Signature-limit protection. WebGUI Objects >> XML Processing >> Processing Action, select Crypto Binary action type.
Service level monitor (SLM) policy: WebGUI Objects >> Monitoring >> SLM Policy.
XML DoS: Single message attacks: Jumbo Payload, Recursion, Mega Tags, Coercive parsing, Public key. Multiple message attacks: XML flood, Resource hijack. WebGUI Services >> XML Firewall >> Edit XML Firewall XML, Threat Protection tab.
AAA DoS: Protection against DoS flooding attacks. WebGUI Objects >> XML Processing >> AAA Policy, Main tab.
PKCS #7 Document DoS: Signature-limit protection. WebGUI Objects >> XML Processing >> Processing Action, select Crypto Binary action type.
Service level monitor (SLM) policy: WebGUI Objects >> Monitoring >> SLM Policy.
If these items are not configured, this is a finding.
XML DoS: Single message attacks: Jumbo Payload, Recursion, Mega Tags, Coercive parsing, Public key. Multiple message attacks: XML flood, Resource hijack. WebGUI Services >> XML Firewall >> Edit XML Firewall XML, Threat Protection tab.
AAA DoS: Protection against DoS flooding attacks. WebGUI Objects >> XML Processing >> AAA Policy, Main tab.
PKCS #7 Document DoS: Signature-limit protection. WebGUI Objects >> XML Processing >> Processing Action, select Crypto Binary action type.
Service level monitor (SLM) policy: WebGUI Objects >> Monitoring >> SLM Policy.
Type “Access Control List” in nav search. Verify that Access Control Lists are used for all services. If Access Control lists are not used, this is a finding.
Type “Access Control List” in nav search. Create ACL with desired address ranges and gates. Apply this ACL to all Front Side Handlers or Firewalls.
Using the WebGUI, go to Objects >> XML Processing >> Matching Rule to verify there is a rule that defines the expected form of the incoming message. If there is no match, the message will be discarded. Go to Objects >> XML Processing >> Processing Rule to verify there are error rules that provide appropriate system responses to invalid and unexpected inputs. If no error rules discarding invalid messages are configured, this is a finding.
Using the WebGUI, go to Objects >> XML Processing >> Matching Rule to define a rule that defines the expected form of the incoming message. If there is no match, the message will be discarded. Go to Objects >> XML Processing >> Processing Rule to define error rules that provide appropriate system responses to invalid and unexpected inputs. Invalid messages must be discarded.
In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that Trap Event Subscriptions are associated with intrusion detection. Verify that Trap and Notification Targets includes an approved SNMP server that generates alerts that will be forwarded to the system-wide intrusion detection system. If no trap event subscriptions are configured or no SNMP server is configured as a target, this is a finding.
In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap Event Subscriptions" tab to include desired event codes. Set the Notification Targets tab to include an approved SNMP server that generates alerts that will be forwarded to the system-wide intrusion detection system.
Using the WebGUI, go to Network >> Management >> Web Management Service. Verify that the "WS-Management endpoint" checkbox is checked and that an IP and port for the WS-Management endpoint to connect to are configured. If the WS-Management endpoint is not enabled (checked) or not configured, this is a finding.
Using the WebGUI, go to Network >> Management >> Web Management Service. Check the "WS-Management endpoint" checkbox. Configure an IP and port for the WS-Management endpoint to connect to.
Using the WebGUI, go to Network >> Management >> Web Management Service. Verify that the "WS-Management endpoint" checkbox is checked and that an IP and port for the WS-Management endpoint to connect to are configured. If the WS-Management endpoint is not enabled (checked) or not configured, this is a finding.
Using the WebGUI, go to Network >> Management >> Web Management Service. Check the "WS-Management endpoint" checkbox. Configure an IP and port for the WS-Management endpoint to connect to. Using the service monitoring data provided by the DataPower Gateway, the WS-Management endpoint would be responsible for detecting the use of unauthorized network services and then generating an alert.
Verify a service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel. Click the name of the service in the list >> Set the Name and back end destination for the service. Under MultiProtocol Gateway Policy, click “...” to inspect the Policy >> Verify the Rule Direction is set to Client to Server. Double-click the existing Match Action on the rule line and verify it is set to default-accept-service providers. Double-click the Validate action >> Verify that it is set to a schema file. Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy. When done, click cancel >> Click Cancel or Close window to close the Policy. If these items have not been configured, this is a finding.
Create a new service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel. Click Add to create a new service >> Set the Name and back end destination for the service. Under MultiProtocol Gateway Policy, click “+” to create a new Policy >> Provide a name for the Policy >> Click New Rule >> Set the Rule Direction to Client to Server >> Double-click the existing Match Action on the rule line and select default-accept-service providers >> Drag the Validate action down onto the processing line >> Double-click the action. Upload the necessary schema definition file to the action >> Click Done. Drag the AAA action onto the processing line after the Validate action >> Double-click the action to open it >> Click “+” to create a new AAA Policy >> Follow the wizard steps to create the desired policy. When done, close the action >> Click Apply to complete the Policy. Complete the Gateway configuration by clicking Apply.
Verify a service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel. Click the name of the service in the list >> Set the Name and back end destination for the service. Under MultiProtocol Gateway Policy, click “...” to inspect the Policy >> Verify one Rule Direction is set to Client to Server. Double-click the existing Match Action on the rule line and verify it is set to default-accept-service providers. Double-click the Validate action >> Verify that it is set to a schema file. Upload the necessary schema definition file to the action >> Click Done. Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy. When done, click Cancel. Verify one Rule Direction is set to Server to Client. Double-click the existing Match Action on the rule line and verify it is set to default-accept-service providers. Double-click the Validate action >> Verify that it is set to a schema file. Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy. When done, click Cancel. Click Cancel or Close Window to close the Policy. If these items have not been configured, this is a finding.
Create a new service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel. Click Add to create a new service >> Set the Name and back end destination for the service. Under MultiProtocol Gateway Policy, click “+” to create a new Policy >> Provide a name for the Policy >> Click New Rule >> Set the Rule Direction to Client to Server >> Double-click the existing Match Action on the rule line and select default-accept-service providers >> Drag the Validate action down onto the processing line >> Double-click the action. Upload the necessary schema definition file to the action >> Click Done. Drag the AAA action onto the processing line after the Validate action >> Double-click the action to open it >> Click “+” to create a new AAA Policy >> Follow the wizard steps to create the desired policy. When done, close the action >> Click Apply to complete the Policy. Click New Rule >> Set the direction to Server to Client >> Double-click the existing Match Action on the rule line and select default-accept-service providers >> Drag the Validate action down onto the processing line >> Double-click the action. Upload the necessary schema definition file to the action >> Click Done. Drag the AAA action onto the processing line after the Validate action >> Double-click the action to open it. Click “+” to create a new AAA Policy >> Follow the wizard steps to create the desired policy. When done, close the action >> Click Apply to complete the Policy. Complete the Gateway configuration by clicking Apply.
In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that the desired event codes are included on the "Trap Event Subscriptions" tab. Type "Log Target" into the Search bar >> Select "Log Targets" from the results list >> Select the desired Log Target >> Verify that the desired event codes are included in the Event Subscriptions tab. If no Log Target is configured or the assigned event codes are not included, this is a finding.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap Event Subscriptions" tab to include Event Subscriptions that are judged to be associated with detection incidents. Configure the "Trap and Notification Targets" tab to include an SNMP server. The administrator can also configure a Log Target to send event information to other logging/monitoring solutions, including Syslog. To configure a Syslog Log Target, type "Log Target" into the Search bar >> Select "Log Targets" from the results list >> Click Add >> Configure a Log Target of type "syslog" >> Configure specific event subscriptions to be sent to the Syslog Server.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. On the "Trap Event Subscriptions" tab, verify the inclusion of Event Subscriptions that are judged to be associated with threats identified by authoritative sources. If the Event Subscriptions are not present, this is a finding. On the "Trap and Notification Targets" tab, verify the inclusion of an approved SNMP server. If no SNMP Server is configured as a Trap and Notification Target, this is a finding.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap Event Subscriptions" tab to include Event Subscriptions that are judged to be associated with threats identified by authoritative sources. Configure the "Trap and Notification Targets" tab to include an approved SNMP server that generates alerts that will be forwarded, at a minimum, to the ISSO and ISSM.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. On the "Trap Event Subscriptions" tab, verify the inclusion of Event Subscriptions that are judged to be associated with the detection of root level intrusion events which provide unauthorized privileged access. If the Event Subscriptions are not configured, this is a finding. On the "Trap and Notification Targets" tab, verify the inclusion of an approved SNMP server. If no SNMP Server is configured as a Trap and Notification Target, this is a finding.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap Event Subscriptions" tab to include Event Subscriptions that are judged to be associated with the detection of root level intrusion events which provide unauthorized privileged access. Configure the "Trap and Notification Targets" tab to include an approved SNMP server that generates alerts that will be forwarded, at a minimum, to the ISSO and ISSM.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. On the "Trap Event Subscriptions" tab, verify the inclusion of Event Subscriptions that are judged to be associated with the detection of root level intrusion events that provide unauthorized privileged access. If the Event Subscriptions are not configured, this is a finding. On the "Trap and Notification Targets" tab, verify the inclusion of an approved SNMP server. If no SNMP Server is configured as a Trap and Notification Target, this is a finding.
In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap Event Subscriptions" tab to include Event Subscriptions that are judged to be associated with the detection of user level intrusions which provide non-privileged access. Configure the "Trap and Notification Targets" tab to include an approved SNMP server that generates alerts that will be forwarded, at a minimum, to the ISSO and ISSM.
From the WebGUI, go to Objects >> Logging Configuration >> Log Target. On the Main tab, SNMP should be selected. On the Event Subscriptions tab, confirm that there is an event subscription where Event Category = multistep and Minimum Event Priority = error. In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Verify that the "Trap and Notification Targets" tab includes an approved SNMP server that generates alerts that will be forwarded, at a minimum, to the ISSO and ISSM. If no SNMP server is configured as a Log Target, this is a finding.
From the WebGUI, go to Objects >> Logging Configuration >> Log Target. On the Main tab, select SNMP. On the Event Subscriptions tab add an event subscription where Event Category = multistep and Minimum Event Priority = error. Configure the DataPower Gateway to, upon receipt of a multistep error message, send a notification to an authorized SNMP server. That server must be configured to, at a minimum, send an alert to the ISSO and ISSM. In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap and Notification Targets" tab to include an approved SNMP server that generates alerts that will be forwarded, at a minimum, to the ISSO and ISSM.
From the WebGUI, expand the Services folder, expand the folder of the type of service used (such as MultiProtocol Gateway), and click on the Processing Policy menu item. In the Policy, double-click the AntiVirus action. This antivirus action must be configured to connect to organizationally approved scanning software that will generate an alert to the DataPower Gateway when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. Verify that the DataPower Gateway is configured to, upon receipt of an alert from the scanning software, generate notification messages to an authorized SNMP server that will, at a minimum, send an alert to the ISSO and ISSM by using the following steps: In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. On the "Trap Event Subscriptions" tab, verify the inclusion of Event Subscriptions that indicate virus detection. On the "Trap and Notification Targets" tab, verify that an approved SNMP server is configured as a Log Target. If no SNMP server is configured as a Log Target, this is a finding.
Configure the AntiVirus action to connect to organizationally approved scanning software that will generate an alert to the DataPower Gateway when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected, by taking the following steps: From the WebGUI, expand the Services folder, expand the folder of the type of service used (such as MultiProtocol Gateway), and click on the Processing Policy menu item. In the Policy, add an AntiVirus action and configure it to connect to the approved scanning software. In the DataPower WebGUI, navigate to Administration >> Access >> SNMP Settings. Configure the "Trap Event Subscriptions" tab to include Event Subscriptions that are judged to be associated with the detection of root level intrusion events which provide unauthorized privileged access. Configure the "Trap and Notification Targets" tab to include an approved SNMP server that generates alerts that will be forwarded, at a minimum, to the ISSO and ISSM.
From the WebGUI Control Panel, click on Troubleshooting >> Click on the Debug Probe tab. Verify that the desired service type and service instance has an active Probe tracking transaction information for that service instance. From the WebGUI, go to Objects >> Logging Configuration >> Log Target. Verify the desired filters, triggers, subscriptions, and log destination. If these items have not been configured, this is a finding.
From the WebGUI Control Panel, click on Troubleshooting >> Click on the Debug Probe tab >> Select a desired service type and service instance >> Click on Add Probe to begin tracking transaction information for that service instance. From the WebGUI, go to Objects >> Logging Configuration >> Log Target. Configure the desired filters, triggers, subscriptions, and log destination.
Review the processing policy for all flows to ensure they contain Validate actions for requests and responses. Privileged Account User logon to the WebGUI >> Open the service to be modified: From the Control Panel, select the type of service to be edited (e.g., Multi-Protocol Gateway) >> The list of available services will be displayed >> Click the name of the service to be edited. Verify configuration of the processing policy: Click the “…” button adjacent to the configured Processing Policy (in the case of a Web Service Proxy, click the “Policy” processing policy tab) >> The processing policy is displayed >> Select the rule to be edited by clicking the “Rule Name” >> Ensure there is a Validate action on the rule and that the Validate action contains the appropriate schema to check the message against. If these items have not been configured, this is a finding.
Configure the processing policy to use a Validate action. The Validate action will validate the XML or JSON message content against a WSDL or JSON schema.
From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1 (Status >> Crypto >> Cryptographic Mode Status). If the Mode is not set to FIPS 140-2, this is a finding.
From the DataPower command line, enter "use-fips on" to configure the network device to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. This will achieve NIST SP800-131a compliance.
From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1 (Status >> Crypto >> Cryptographic Mode Status). If this mode is not enabled, this is a finding. This mode bans the algorithms that are not allowed in FIPS 140-2 Level 1. The banned algorithms include Blowfish, CAST, DES, MD2, MD4, MD5, RC2, RC4, and RIPEMD. This mode also bans RSA keys less than 1024 bits and disables the cryptographic hardware that is not FIPS validated.
The privileged user will apply the following tasks: From the DataPower command line, enter "use-fips on" to configure the network device to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, in the default domain, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. The privileged user will add a Verify action to the appropriate processing policy in the application domain (non-default domain). This action will check that only NIST SP800-131a approved digital signatures will be used. This will achieve NIST SP800-131a compliance.
From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1 (Status >> Crypto >> Cryptographic Mode Status). If this mode is not enabled, this is a finding. This mode bans the algorithms that are not allowed in FIPS 140-2 Level 1. The banned algorithms include Blowfish, CAST, DES, MD2, MD4, MD5, RC2, RC4, and RIPEMD. This mode also bans RSA keys less than 1024 bits and disables the cryptographic hardware that is not FIPS validated.
From the DataPower command line, enter "use-fips on" to configure the network device to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. The privileged user will add a Decrypt action to the appropriate processing policy in the application domain (non-default domain). This action will check that only NIST SP800-131a approved encryption algorithms will be used. This will achieve NIST SP800-131a compliance.
Type “Log Target” in the Search field >> Log Target >> Event Subscription tab. If “audit” is not listed under Event Category, this is a finding. If “Rule Action” does not contain a “Filter” action, this is a finding.
Type “Log Target” in the Search field >> Log Target >> Event Subscription tab >> Add >> Event Category = “audit” >> Minimum Event Priority = <event priority level> >> Apply >> Apply >> Save Configuration. If the only log target is “default-log”: Type “Log Target” in the Search field >> Log Target >> Main tab >> Target Type = “syslog” >> syslog Facility = <facility> >> Local Identifier = <identifier> >> Remote Host = <hostname>.
Go to Default domain. Click Status >> Main >> Active Services >> Click Show All Domains. Review IP addresses assigned to active services. If any list 0.0.0.0, this is a finding.
Log on to each active domain. Click Objects >> Protocol Handlers >> HTTP Front Side Handlers. Click on the name of any Handler listed that uses the IP Address of 0.0.0.0. Change the IP Address >> Click Apply. Click Objects >> Protocol Handlers >> HTTPS Front Side Handlers. Click on the name of any Handler listed that uses the IP Address of 0.0.0.0. Change the IP Address >> Click Apply >> Click Save Configuration.
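The wildcard-binding check above can also be run offline against a configuration export, which is useful when many domains have to be reviewed. The script below is an added example, not part of the STIG or of IBM's tooling; it assumes the export uses HTTPSourceProtocolHandler / HTTPSSourceProtocolHandler elements with LocalAddress and LocalPort children (an assumption about the export layout), and it treats the IPv6 wildcard "::" the same way as 0.0.0.0, which goes beyond the text of the check.

```python
"""Audit a DataPower configuration export for Front Side Handlers bound to a
wildcard address. Added example, not part of the STIG or of IBM's tooling.
The element and field names are an assumption about the export layout."""
import xml.etree.ElementTree as ET

# Handler classes the STIG check covers (HTTP and HTTPS Front Side Handlers).
HANDLER_CLASSES = ("HTTPSourceProtocolHandler", "HTTPSSourceProtocolHandler")

# The STIG names 0.0.0.0; "::" is the IPv6 wildcard and is flagged as well
# (a generalisation beyond the page's text).
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}


def find_wildcard_handlers(xml_text):
    """Return (class, name, address, port) for every Front Side Handler in the
    export whose LocalAddress is a wildcard address."""
    root = ET.fromstring(xml_text)
    findings = []
    for cls in HANDLER_CLASSES:
        for handler in root.iter(cls):
            name = handler.get("name", "<unnamed>")
            addr = (handler.findtext("LocalAddress") or "").strip()
            port = (handler.findtext("LocalPort") or "").strip()
            if addr in WILDCARD_ADDRESSES:
                findings.append((cls, name, addr, port))
    return findings


def stig_result(xml_text):
    """'finding' if any handler listens on a wildcard address, else 'not a finding'."""
    return "finding" if find_wildcard_handlers(xml_text) else "not a finding"


# Constructed sample export: one compliant handler and two wildcard bindings.
SAMPLE_EXPORT = """<datapower-configuration version="3">
  <configuration domain="app-domain">
    <HTTPSourceProtocolHandler name="orders-http">
      <mAdminState>enabled</mAdminState>
      <LocalAddress>10.20.30.40</LocalAddress>
      <LocalPort>8080</LocalPort>
    </HTTPSourceProtocolHandler>
    <HTTPSourceProtocolHandler name="legacy-http">
      <mAdminState>enabled</mAdminState>
      <LocalAddress>0.0.0.0</LocalAddress>
      <LocalPort>8081</LocalPort>
    </HTTPSourceProtocolHandler>
    <HTTPSSourceProtocolHandler name="orders-https">
      <mAdminState>enabled</mAdminState>
      <LocalAddress>::</LocalAddress>
      <LocalPort>8443</LocalPort>
    </HTTPSSourceProtocolHandler>
  </configuration>
</datapower-configuration>
"""

if __name__ == "__main__":
    for cls, name, addr, port in find_wildcard_handlers(SAMPLE_EXPORT):
        print(f"{cls} '{name}' listens on {addr}:{port} -> change the IP Address")
    print(stig_result(SAMPLE_EXPORT))
```

Each reported handler is one to open under Objects >> Protocol Handlers in its domain and rebind to a specific interface address, then Apply and Save Configuration.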