IBM DataPower Network Device Management Security Technical Implementation Guide

V1R2 2017-10-05       U_IBM_DataPower_NDM_STIG_V1R2_Manual-xccdf.xml
V1R1 2016-01-21       U_IBM_DataPower_NDM_STIG_V1R1_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 64
No Change 62
Updated 2
Added 0
Removed 0
V-64981 No Change
Findings ID: WSDP-NM-000013 Rule ID: SV-79471r1_rule Severity: medium CCI: CCI-000213

Discussion

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement.

Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device.

Checks

Administration >> Access >> User Group >> Click the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding.

Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Fix

Create the appropriate User Group(s) using the "RBM Builder": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Define the policy >> Click "Add" >> Click “Apply”.

Add users' accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.

Configure Role-Based Management to make use of LDAP Group information during logon to map users to local group definitions.
V-65063 No Change
Findings ID: WSDP-NM-000014 Rule ID: SV-79553r1_rule Severity: medium CCI: CCI-001368

Discussion

A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data.

Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).

Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.

Checks

Administration >> Access >> User Group >> Click the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding.

Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Fix

Create the appropriate User Group(s) using the "RBM Builder": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Define the policy >> Click "Add" >> Click “Apply”.

Add users’ accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.

Configure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.
V-65065 No Change
Findings ID: WSDP-NM-000016 Rule ID: SV-79555r1_rule Severity: low CCI: CCI-000048

Discussion

Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users.

Checks

Privileged user opens browser and navigates to the DataPower logon page.

Confirm that the logon page displays the Standard Mandatory DoD Notice and Consent Banner:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

If the standard banner is not displayed, this is a finding.

Fix

Get the User Interface (UI) Configuration Template File from the IBM DataPower Gateway website >> Copy the template to a new text file on the local operating system named "ui-customization.xml".

Upload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click "local:" >> Click "Actions..." link corresponding to "local:" >> Click "Upload Files" >> Click "Browse" button >> Select the previously saved "ui-customization.xml" file from the local operating system >> Click "Open" >> Click the "Upload" button >> Click the "Continue" button.

Edit the "ui-customization.xml" file: Click "refresh page" >> Click "local:" >> Click the "Edit" link corresponding to "ui-customization.xml" >> Click the "Edit" button >> Locate the XML Stanza named "MarkupBanner" and 'type="pre-logon"' >> Replace the text "WebGUI pre-logon message" with the text of the Standard Mandatory DoD Notice and Consent Banner:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

>> Locate the XML Stanza named "TextBanner" and 'type="pre-logon"' >> Replace the text "Command line pre-logon message" with the short-form Standard Mandatory DoD Notice and Consent Banner used for character-limited interfaces: "I've read & consent to terms in IS user agreem't." >> Click the "Submit" button.

Configure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to "Custom user interface file" section at the bottom of the page and select "ui-customization.xml" from the drop-down list >> Scroll to top of the page >> Click "Apply" >> Click "Save Configuration".

Log out of the appliance.
V-65067 No Change
Findings ID: WSDP-NM-000017 Rule ID: SV-79557r1_rule Severity: medium CCI: CCI-000050

Discussion

The banner must be acknowledged by the administrator prior to allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DoD will not be in compliance with system use notifications required by law.

To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement by clicking on a box indicating "OK".

Checks

WebGUI logon page: If DataPower does not retain the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.

CLI logon: If DataPower does not display the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.

Fix

Get the User Interface (UI) Configuration Template File from the IBM DataPower Gateway website >> Copy the template to a new text file on the local operating system named "ui-customization.xml".

Upload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click "local:" >> Click "Actions..." link corresponding to "local:" >> Click "Upload Files" >> Click "Browse" button >> Select the previously saved "ui-customization.xml" file from the local operating system >> Click "Open" >> Click the "Upload" button >> Click the "Continue" button.

Edit the "ui-customization.xml" file: Click "refresh page" >> Click "local:" >> Click the "Edit" link corresponding to "ui-customization.xml" >> Click the "Edit" button >> Locate the XML Stanza named "MarkupBanner" and 'type="pre-logon"' >> Replace the text "WebGUI pre-logon message" with the text of the Standard Mandatory DoD Notice and Consent Banner:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

>> Locate the XML Stanza named "TextBanner" and 'type="pre-logon"' >> Replace the text "Command line pre-logon message" with the short-form Standard Mandatory DoD Notice and Consent Banner used for character-limited interfaces: "I've read & consent to terms in IS user agreem't." >> Click the "Submit" button.

Configure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to "Custom user interface file" section at the bottom of the page and select "ui-customization.xml" from the drop-down list >> Scroll to top of the page >> Click "Apply" >> Click "Save Configuration".

Log out of the appliance.
V-65069 No Change
Findings ID: WSDP-NM-000022 Rule ID: SV-79559r1_rule Severity: medium CCI: CCI-000169

Discussion

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

DoD has defined the list of events for which the device will provide an audit record generation capability as the following:

(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and
(iii) All account creation, modification, disabling, and termination actions.

Checks

Control Panel >> View Logs

Select “DOD-EventsLog” from the drop-down list at the top of the page. If the log is empty, this is a finding.

Fix

Privileged account user logon to default domain

In the search field, enter “Log Target”.

From the search results, click “Log Target”.

Click “Add”.

Name: enter the name of the log target (e.g., targetDodEvents)
Target Type: File
Log Format: XML
Timestamp format: Syslog
Destination Configuration: File Name: logstore:///dodEvents.log
Log Size: 1024
Archive Mode: Rotate
Number of Rotations: 6

Click on the “Event Filters” Tab.

Event Subscription Filter, click “Select Code”; select an Event Code from the list in the popup window.

Click the “Add” button. Repeat the process until all desired event codes have been added.

Click “Apply” to save the changes to the running configuration.

Click “Save Configuration” to save the changes to the persisted configuration.
V-65071 No Change
Findings ID: WSDP-NM-000023 Rule ID: SV-79561r1_rule Severity: medium CCI: CCI-000171

Discussion

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks

Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "groupISSM" group >> Confirm that the following minimal access profiles are created: "*/*/*?Access=r" and "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x". If either profile is not present, this is a finding.

Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Fix

Create an ISSM User Group: Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Name: "groupISSM" >> Enter "*/*/*?Access=r" into the "Access Profile" field >> Click "Add" >> "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x" into the "Access Profile" field >> Click "Add" >> Click "Apply".

Add users’ accounts to the ISSM User Group "groupISSM" in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.

Configure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.

Administration >> Access >> RBM Settings >> When configuring the Authentication method, select "LDAP" as the authentication method

Configure LDAP Authentication

Define the connection to the LDAP server >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the LDAP version list, select the version >> From the SSL proxy profile list, select a profile to establish a secured connection to the LDAP server >> From the Load balancer group list, select a load balancer group.

If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port.

Set the Search LDAP for DN property to use an LDAP search to retrieve the user group >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> From the Local accounts for fallback list, select whether to use local user accounts as fallback users.

With fallback users, local users can log on to the appliance if authentication fails or during a network outage that affects the primary authentication.

When specific users are fallback users, add the local users (from the Fallback user list, select a local user) >> Click Add >> Optional: Repeat this step to add another locally defined fallback user.

Define the credentials-mapping method.

Click Credentials-mapping >> From the Credentials-mapping method list, select the method to evaluate access profiles. Although available, a local user group is not a valid selection (If custom: In the Custom URL field, specify the URL of the custom style sheet; if with an XML file: In the XML file URL field, specify the URL of the RBM file) >> When the mapping method is a local user group or an XML file, set Search LDAP for group name to control whether to search LDAP to retrieve all user groups that match the query.

When LDAP search is enabled, define the LDAP connection >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the SSL proxy profile list, select the profile to establish a secured connection to the server >> From the Load balancer group list, select a load balancer group. If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port

In the LDAP bind DN field, enter the distinguished name (DN) for the bind operation >> In the LDAP bind password fields, enter and confirm the password for the specified DN >> From the LDAP search parameters list, select an LDAP search parameter. The LDAP search operation uses these parameters to retrieve all group names (DN or attribute value) based on the DN of the authenticated user >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> Define the account policy >> If you defined fallback users, define the password policy.

Save the configuration: Click "Apply" to save the changes to the running configuration >> Click "Save Configuration" to save the changes to the persisted configuration.
V-65073 No Change
Findings ID: WSDP-NM-000033 Rule ID: SV-79563r1_rule Severity: medium CCI: CCI-000139

Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

Checks

Administration >> Miscellaneous >> "Manage Log Targets" >> Click the appropriate log target (e.g., "SystemResourcesLog") >> Click the "Event Filters" tab >> Confirm subscriptions to the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017. If any of these codes are not subscribed to, this is a finding.

Fix

A Log Target can be configured to generate notifications (e.g., SNMP, SMTP) in the event that any of these event codes are detected.

Privileged account user log on to default domain >> Administration >> Miscellaneous >> "Manage Log Targets" >> Click the "Add" button >> Name: "SystemResourcesLog” >> Target Type: Select the desired notification mechanism (e.g., SMTP) >> Configure the SMTP server, providing the requested information; Log Format: “text” >> Fixed Format: off >> Rate Limit: “100” >> Feedback Detection: on >> Identical Event Detection: off >> Click the "Event Filters" tab >> Under "Event Subscriptions", add the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017 >> Click the "Apply" button >> Click "Save Configuration".
V-65075 No Change
Findings ID: WSDP-NM-000036 Rule ID: SV-79565r1_rule Severity: medium CCI: CCI-000162

Discussion

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could use to his or her advantage.

To ensure the veracity of audit data, the information system and/or the network device must protect audit information from any and all unauthorized read access.

This requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.

Additionally, network devices with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the device interface. If the device provides access to the audit data, the device becomes accountable for ensuring audit information is protected from unauthorized access.

Checks

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".
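The access profiles quoted in this guide ("*/*/*?Access=r" and "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x" for the ISSM group in V-65071, and "*/default/*?Access=NONE" for non-privileged accounts in V-65075 and the entries that follow) only achieve their intent if the more specific profile overrides the broader one. The following is an added example, not IBM code and not part of the STIG: a small evaluator for profile strings of that shape, exercised with exactly the profiles from the page. Assumptions, labelled in the code: the most specific matching profile wins and a later profile wins a tie; the address, domain and resource-type fields use shell-style wildcards; the Name parameter is a regular expression that must match the whole object name; and the client address is compared as a plain string, with no CIDR handling.

```python
"""Evaluate DataPower RBM access profiles of the form
<address>/<domain>/<resource>?Name=<regex>&Access=<perms>."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

PERMS = frozenset("rwadx")  # read, write, add, delete, execute


@dataclass(frozen=True)
class AccessProfile:
    address: str            # client address or "*"
    domain: str             # application domain or "*"
    resource: str           # resource type such as "logging/target", or "*"
    name: Optional[str]     # regex on the object name; None means any object
    access: frozenset       # subset of PERMS; empty set means Access=NONE

    @property
    def specificity(self):
        """Count of non-wildcard components; assumption: this decides precedence."""
        fixed = sum(1 for f in (self.address, self.domain, self.resource) if f != "*")
        return fixed + (1 if self.name is not None else 0)


def parse_profile(text):
    """Parse one profile string; raises ValueError on malformed input."""
    path, _, query = text.partition("?")
    parts = path.split("/", 2)          # the resource type may itself contain "/"
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed access profile: {text!r}")
    # Not urllib.parse_qs: it would decode "r+w+a" as "r w a".
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    raw = params.get("Access", "NONE")
    access = frozenset() if raw.upper() == "NONE" else frozenset(raw.split("+"))
    if not access <= PERMS:
        raise ValueError(f"unknown permission in {text!r}: {sorted(access - PERMS)}")
    return AccessProfile(parts[0], parts[1], parts[2], params.get("Name"), access)


def matches(profile, address, domain, resource, name):
    """Assumption: shell-style wildcards for the path fields, full-match regex for Name."""
    return (fnmatchcase(address, profile.address)
            and fnmatchcase(domain, profile.domain)
            and fnmatchcase(resource, profile.resource)
            and (profile.name is None or re.fullmatch(profile.name, name) is not None))


def effective_access(profiles, address, domain, resource, name):
    """Permissions from the most specific matching profile; default deny.

    Assumption: a later profile wins a specificity tie.
    """
    best = None
    for p in profiles:
        if matches(p, address, domain, resource, name) and \
                (best is None or p.specificity >= best.specificity):
            best = p
    return best.access if best is not None else frozenset()


def is_allowed(profiles, address, domain, resource, name, op):
    return op in effective_access(profiles, address, domain, resource, name)


# Profiles quoted in the STIG fixes.
ISSM_GROUP = [parse_profile(s) for s in (
    "*/*/*?Access=r",
    "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x",
)]
NONPRIV_GROUP = [parse_profile("*/default/*?Access=NONE")]

if __name__ == "__main__":
    # Constructed requests: (domain, resource type, object name, operation).
    requests = (("default", "logging/target", "logTargetISSM", "w"),
                ("default", "logging/target", "SystemResourcesLog", "w"),
                ("default", "access/user", "admin", "r"))
    for who, group in (("ISSM", ISSM_GROUP), ("non-privileged", NONPRIV_GROUP)):
        for req in requests:
            verdict = "ALLOW" if is_allowed(group, "10.0.0.5", *req) else "DENY"
            print(f"{who:15} {req} -> {verdict}")
```

The useful check is the "mixed" case: a group that carries both a broad "*/*/*?Access=r+w" and the "*/default/*?Access=NONE" profile still denies the default domain under the most-specific-wins rule, but would not under a first-match or any-grant rule, so confirm the precedence rule on the device version in use before relying on a NONE profile alone.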
V-65077 No Change
Findings ID: WSDP-NM-000039 Rule ID: SV-79567r1_rule Severity: medium CCI: CCI-001493

Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.

Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".
V-65079 No Change
Findings ID: WSDP-NM-000040 Rule ID: SV-79569r1_rule Severity: medium CCI: CCI-001494

Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.

Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".
V-65081 No Change
Findings ID: WSDP-NM-000041 Rule ID: SV-79571r1_rule Severity: medium CCI: CCI-001495

Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit data.

Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".
V-65083 No Change
Findings ID: WSDP-NM-000042 Rule ID: SV-79573r1_rule Severity: low CCI: CCI-001348

Discussion

Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained.

This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.

Checks

Type “Log Target” in the Search field >> Log target >> Event Subscription tab.

If “audit” is not listed under Event Category, this is a finding.

If “Rule Action” does not contain a “Filter” action, this is a finding.

Fix

Type “Log Target” in the Search field >> Log target >> Event Subscription tab >> Add >> Event Category “audit” >> Minimum Event Priority event priority level >> Apply >> Apply >> Save Configuration.

If the only log target is “default-log”: Type “Log Target” in the Search field >> Log target >> Main tab >> Target Type “syslog” >> syslog Facility facility >> Local Identifier identifier >> Remote Host hostname.
V-65085 No Change
Findings ID: WSDP-NM-000044 Rule ID: SV-79575r1_rule Severity: medium CCI: CCI-001749

Discussion

Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor.

Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.

Checks

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".
V-65087 No Change
Findings ID: WSDP-NM-000045 Rule ID: SV-79577r1_rule Severity: medium CCI: CCI-001499

Discussion

Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.

Checks

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".
V-65089 No Change
Findings ID: WSDP-NM-000046 Rule ID: SV-79579r1_rule Severity: medium CCI: CCI-000382

Discussion

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

This requirement applies to applications, services, protocols, and ports used for network device management. NTP, SSH, HTTPS and SNMP are associated with device management, but, when used to manage the device, must be restricted to the management network.

Checks

Logon to the Default Domain.

Navigate to Network >> Management >> Web Management Service. If the Administrative State is not enabled, this is a finding.

Navigate to Network >> Management >> SSH Service. If the Administrative State is not enabled, this is a finding.

Navigate to Network >> Management >> Telnet Service. If the Administrative State is enabled, this is a finding.

Fix

Log on to the Default Domain.

Navigate to Network >> Management >> Web Management Service. Set the Administrative State to enabled.

Navigate to Network >> Management >> SSH Service. Set the Administrative State to enabled.

In the Local IP Address field, enter the local IP address on which the device monitors for incoming SSH requests.

Click "Apply" to save the changes to the running configuration.

Click "Save Config" to save the changes to the startup configuration.
V-65091 No Change
Findings ID: WSDP-NM-000053 Rule ID: SV-79581r1_rule Severity: medium CCI: CCI-000205

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Minimum length is Off, this is a finding.

Fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Minimum length to at least 15.
V-65093 No Change
Findings ID: WSDP-NM-000054 Rule ID: SV-79583r1_rule Severity: medium CCI: CCI-000200

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

To meet password policy requirements, passwords need to be changed at specific policy-based intervals.

If the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Control reuse is Off, this is a finding.

Fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Control reuse to On, set Reuse history to at least 5.
V-65095 No Change
Findings ID: WSDP-NM-000055 Rule ID: SV-79585r1_rule Severity: medium CCI: CCI-000192

Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require mixed case is Off, this is a finding.

Fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require mixed case to On.
V-65097 No Change
Findings ID: WSDP-NM-000056 Rule ID: SV-79587r1_rule Severity: medium CCI: CCI-000193

Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require mixed case is Off, this is a finding.

Fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require mixed case to On.
V-65099 No Change
Findings ID: WSDP-NM-000057 Rule ID: SV-79589r1_rule Severity: medium CCI: CCI-000194

Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require number is Off, this is a finding.

Fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require number to On.
V-65101 No Change
Findings ID: WSDP-NM-000058 Rule ID: SV-79591r1_rule Severity: medium CCI: CCI-001619

Discussion

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require non-alphanumeric is Off, this is a finding.

Fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require non-alphanumeric to On.
V-65103 No Change
Findings ID: WSDP-NM-000065 Rule ID: SV-79593r1_rule Severity: medium CCI: CCI-000187

Discussion

Authorization for access to any network device requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.

Checks

Search Bar “RBM” >> RBM Settings. Check that the Authentication method list has the User certificate selected. If not, this is a finding.

Fix

Search Bar “RBM” >> RBM Settings. Click User certificate in the Authentication method list.
V-65105 No Change
Findings ID: WSDP-NM-000067 Rule ID: SV-79595r1_rule Severity: medium CCI: CCI-000803

Discussion

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.

Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.

Checks

Default domain >> Status >> Cryptographic Mode Status: If Target=Permissive AND Current=Permissive AND Pending Target=Permissive, this is a finding.

Fix

Administration >> Access >> RBM Settings >> Password Policy. Change Password hash algorithm to sha256crypt.

Administration >> Miscellaneous >> Crypto Tools. Set Cryptographic Mode to FIPS 140-2 Level 1 and click Set Cryptographic Mode button.

Control Panel >> System Control >> Shutdown. Set Mode to Reload Firmware >> Click "Shutdown" button.
V-65107 No Change
Findings ID: WSDP-NM-000069 Rule ID: SV-79597r1_rule Severity: high CCI: CCI-001133

Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks

Using the DataPower WebGUI:
In the search field, enter Web Management,
From the search results, click Web Management Service,
In the Idle timeout field, check to ensure that the value entered is no greater than 600 (the number of seconds after which the appliance closes the connection).
If the number is greater than 600, this is a finding.

Fix

Using the DataPower WebGUI:
In the search field, enter Web Management,
From the search results, click Web Management Service,
In the Idle timeout field, enter 600 (the number of seconds after which the appliance closes the connection).
V-65109 No Change
Findings ID: WSDP-NM-000072 Rule ID: SV-79599r1_rule Severity: medium CCI: CCI-001188

Discussion

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.

Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.

This requirement is applicable to devices that use a web interface for device management.

Checks

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status.

If it is not set to FIPS 140-2, this is a finding.

Then, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> Systems Logs.

If they are not random, this is a finding.

Fix

From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode.

This will achieve NIST SP800-131a compliance.
V-65111 No Change
Findings ID: WSDP-NM-000076 Rule ID: SV-79601r1_rule Severity: medium CCI: CCI-000366

Discussion

Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the network device must activate a system alert message, send an alarm, or shut down.

Checks

From the DataPower command line, enter "failure-notification", then enter "show failure-notification". If it is "disabled", this is a finding. This capability is enabled by default.

Fix

From the DataPower command line, enter "failure-notification" to configure DataPower to generate failure notifications.

With failure notification enabled, you can send an error report to a designated recipient or upload to a specific location after the appliance returns to service from an unscheduled outage.

This error report can contain diagnostic details. Intrusion detection will provide a warning and restart in Fail-Safe mode.
V-65113 No Change
Findings ID: WSDP-NM-000077 Rule ID: SV-79603r1_rule Severity: medium CCI: CCI-001683

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

Checks

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account creation: 0x8240001c.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account creation events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that the run-time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is created, an appropriate 0x8240001c "Configuration added" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding a 0x8240001c Event Subscription.

Example log result: "[conf][success][0x8240001c] (SYSTEM:default:*:*): user 'admin' Configuration added"

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are created.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".
V-65115 No Change
Findings ID: WSDP-NM-000078 Rule ID: SV-79605r1_rule Severity: medium CCI: CCI-001684

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of device administrator accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes.

The network device must generate the alert. Notification may be done by a management server.

Checks

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription codes that indicate account modification: 0x8240001c and 0x8240001f.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account modification events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that the run-time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is modified, an appropriate 0x8240001c or 0x8240001f "Configuration settings applied" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding 0x8240001c and 0x8240001f Event Subscriptions.

Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied"

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are modified.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".
V-65117 No Change
Findings ID: WSDP-NM-000079 Rule ID: SV-79607r1_rule Severity: medium CCI: CCI-001685

Discussion

When application accounts are disabled, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves.

In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

Checks

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription codes that indicate an account is disabled: 0x8240001c and 0x8240001f.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that the run-time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is disabled, an appropriate 0x8240001c or 0x8240001f "disabled" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates an account is disabled by adding 0x8240001c and 0x8240001f Event Subscriptions.

Example log result: "[conf][success][0x8240001c] (dp-technician:default:system:*): web-mgmt 'WebGUI-Settings' - admin-state disabled."

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are disabled.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".
V-65119 No Change
Findings ID: WSDP-NM-000080 Rule ID: SV-79609r1_rule Severity: medium CCI: CCI-001686

Discussion

When application accounts are removed, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves.

In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

Checks

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account removal: 0x8240001c.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that the run-time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is removed, an appropriate 0x8240001c "Configuration deleted" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account removal by adding a 0x8240001c Event Subscription.

Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration deleted"

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are removed.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".
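The four account-lifecycle rules above (V-65113, V-65115, V-65117, V-65119) and V-65129 all key on the same two audit-log event codes, 0x8240001c and 0x8240001f, and distinguish creation, modification, disabling and removal only by the message text. The following is an added example, not part of the STIG or of IBM's own tooling: a small Python parser that reads DataPower audit-log lines in the shape of the "Example log result" strings quoted above and classifies each one, so a reviewer can run it over an exported Audit Log instead of reading the entries by eye. The field names given to the parenthesised tuple (user, domain, transport, source) are an assumption drawn from those samples; the sample lines marked "constructed" are not from the STIG.

```python
"""Classify IBM DataPower audit-log lines for the account-lifecycle events
cited in the NDM STIG (V-65113, V-65115, V-65117, V-65119, V-65129).

Added example; not part of the STIG and not IBM code. Line layout is taken
from the STIG's quoted "Example log result" strings; the names of the four
colon-separated fields inside the parentheses are an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event codes the STIG checks subscribe to for account events.
CONFIG_CHANGE_CODES = {0x8240001C, 0x8240001F}

# [category][result][0xcode] (user:domain:transport:source): objtype 'name' [- ]message[.]
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\[(?P<result>[^\]]+)\]\[(?P<code>0x[0-9a-fA-F]+)\]"
    r"\s+\((?P<user>[^:]*):(?P<domain>[^:]*):(?P<transport>[^:]*):(?P<source>[^)]*)\):"
    r"\s+(?P<objtype>\S+)\s+'(?P<name>[^']*)'\s*-?\s*(?P<message>.*?)\.?$"
)


@dataclass
class AuditEvent:
    category: str
    result: str
    code: int
    user: str       # assumed: the actor who made the change
    domain: str
    transport: str  # assumed: web-gui, system, ...
    source: str     # assumed: client address or '*'
    objtype: str    # the object class, e.g. 'user' or 'web-mgmt'
    name: str       # the object name, e.g. the account name
    message: str

    @property
    def action(self) -> Optional[str]:
        """Map a STIG-cited code plus its message text to a lifecycle action."""
        if self.code not in CONFIG_CHANGE_CODES:
            return None
        m = self.message.lower()
        if "configuration added" in m:
            return "created"
        if "configuration deleted" in m:
            return "removed"
        if "admin-state disabled" in m:
            return "disabled"
        if "admin-state enabled" in m:          # assumed wording, by analogy
            return "enabled"
        if "configuration settings applied" in m:
            return "modified"
        return "other"


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit-log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"], 16)
    return AuditEvent(**fields)


def account_events(lines: List[str], objtype: str = "user") -> List[Tuple[str, str, str]]:
    """Return (action, account name, actor) for every user-object event
    carrying a STIG-cited code. Events on other object types (for example
    the web-mgmt service) are skipped so they do not masquerade as account
    changes."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.objtype == objtype and ev.action not in (None, "other"):
            found.append((ev.action, ev.name, ev.user))
    return found


# Sample input: the first, second, fourth and fifth lines are the STIG's own
# example results; the third is constructed by analogy with the web-mgmt line.
SAMPLE_LINES = [
    "[conf][success][0x8240001c] (SYSTEM:default:*:*): user 'admin' Configuration added",
    "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied",
    "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' - admin-state disabled.",  # constructed
    "[conf][success][0x8240001c] (dp-technician:default:system:*): web-mgmt 'WebGUI-Settings' - admin-state disabled.",
    "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration deleted",
]

if __name__ == "__main__":
    for action, name, actor in account_events(SAMPLE_LINES):
        print(f"{action:<9} account={name!r:<12} by={actor}")
```

Running the module prints one line per account event and silently drops the web-mgmt entry, which shares the event code but is a service object, not an account. Because 0x8240001c covers every configuration change, the `objtype` filter is what turns a trap subscription into an account-change alert; a reviewer confirming V-65113 through V-65119 should expect the SNMP target to receive traps for all of these and to do the same filtering downstream.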
V-65121 Updated
Findings ID: WSDP-NM-000081 Rule ID: SV-79611r12_rule Severity: medium CCI: CCI-002361

Discussion

Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever an administrator (or process acting on behalf of a user) accesses a network device. Such administrator sessions can be terminated (and thus terminate network administrator access) without terminating network sessions.

Session termination terminates all processes associated with an administrator's logical session except those processes that are specifically created by the administrator (i.e., session owner) to continue after the session is terminated.

Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and network device types.

Checks

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less.

Review the administrator's SSH ProxyClient Profile: Objects >> Crypto Configuration >> SSH ProxyClient Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Fix

For the Web Management service used by an administrator, configure an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.

For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH ProxyClient Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.
V-65123 Updated
Findings ID: WSDP-NM-000082 Rule ID: SV-79613r12_rule Severity: medium CCI: CCI-002363

Discussion

If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.

Checks

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less.

Review the administrator's SSH ProxyClient Profile: Objects >> Crypto Configuration >> SSH ProxyClient Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Fix

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.

For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH ProxyClient Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.
V-65125 No Change
Findings ID: WSDP-NM-000083 Rule ID: SV-79615r1_rule Severity: medium CCI: CCI-002364

Discussion

If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.

Checks

To verify, log out of a web session and an SSH command line session.

Upon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out.

Upon logout from an administrative SSH command line session, the following message is displayed: "Unauthorized access prohibited. logon:" This is a clear indication that logout has occurred.

If this message is not present, this is a finding.

Fix

Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators.

From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field.

A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.
V-65127 No Change
Findings ID: WSDP-NM-000085 Rule ID: SV-79617r1_rule Severity: medium CCI: CCI-002130

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

Checks

View the logging settings: Objects >> Logging Configuration >> Audit Log Settings. Then examine the audit log after enabling or disabling an account (the most recent entry will be at the bottom of the log).

If this message is not present, this is a finding.

Fix

Configure a comprehensive audit trail by turning on the audit log using the web interface (Objects >> Logging Configuration >> Audit Log Settings) then setting the desired level of logging detail for audit-events.
V-65129 No Change
Findings ID: WSDP-NM-000086 Rule ID: SV-79619r1_rule Severity: medium CCI: CCI-002132

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.

In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.

Checks

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription codes that indicate account modification: 0x8240001c and 0x8240001f.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account modification events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is modified, an appropriate 0x8240001c or 0x8240001f "Configuration settings applied" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding 0x8240001c and 0x8240001f Event Subscriptions.

Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied"

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are modified.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".
V-65131 No Change
Findings ID: WSDP-NM-000087 Rule ID: SV-79621r1_rule Severity: medium CCI: CCI-000366

Discussion

Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission.

In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions.

Checks

To verify that the secure transmission of authentication information has been configured, use the WebGUI to go to Objects >> XML Processing >> AAA Policy and select an existing AAA Policy.

Validate the authorization parameters on the Resource extraction, Resource mapping, and Authorization tabs.

On the Authorization tab, confirm that all necessary parameters are properly configured for secure access to the authorization server. If they are not, this is a finding.

Fix

The DataPower Gateway provides support for the secure transmission of authorization information to any supported authorization server. The following methods are supported: binarytokenx509, cleartrust, client-ssl, custom, kerberos, ldap, ltpa, netegrity, radius, saml-artifact, saml-authen-query, saml-signature, tivoli, token, validate-signer, ws-secureconversation, ws-trust, xmlfile, zosnss.

To configure secure authorization, use the WebGUI to go to Objects >> XML Processing >> AAA Policy >> Press the "Add" button.

After completing the parameters for authentication (Main, Identity extraction, Authentication, and Credential Mapping tabs), complete the parameters for authorization (Resource extraction, Resource mapping, and Authorization tabs).

DataPower provides secure access to all of the above-listed supported authorization methods. For example, on the AAA Policy Authorization tab described above, select "Check membership in LDAP group" as the authentication method. Parameters will then appear that allow the configuration of a secure SSL/TLS connection to that authorization server.
V-65135 No Change
Findings ID: WSDP-NM-000088 Rule ID: SV-79625r1_rule Severity: medium CCI: CCI-002165

Discussion

Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

The discretionary access control policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.

Checks

Navigate to the DataPower Gateway RBM settings at Administration >> Access >> RBM, Authentication tab using the web interface. Verify that each role is authenticated according to appropriate control policy. If they are not, this is a finding.

Fix

As the DataPower administrator, configure the DataPower Gateway to enforce role-based access control policy over defined subjects and objects. In the WebGUI, go to Administration >> Access >> RBM Settings. On the Authentication tab, select the approved authentication server. Enter the information required for an authenticated user to access defined subjects and objects.
V-65137 No Change
Findings ID: WSDP-NM-000089 Rule ID: SV-79627r1_rule Severity: medium CCI: CCI-000366

Discussion

Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control.

The RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.

Checks

Navigate to the DataPower Gateway RBM settings at Administration >> Access >> RBM, Authentication tab using the web interface. Verify that each role is authenticated according to appropriate control policy. If they are not, this is a finding.

Fix

As the DataPower administrator, configure the DataPower Gateway to enforce role-based access control policy over defined subjects and objects. In the WebGUI, go to Administration >> Access >> RBM Settings. On the Authentication tab, select the approved authentication server. Enter the information required for an authenticated user to access defined subjects and objects.
V-65139 No Change
Findings ID: WSDP-NM-000091 Rule ID: SV-79629r1_rule Severity: medium CCI: CCI-002234

Discussion

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Checks

Using the WebGUI, go to Objects >> Logging Configuration >> Audit Log Settings. Confirm that the Administrative state is "enabled" and that the status displayed alongside the "Audit Log Settings" heading is "[up]".

As a final test, execute a privileged function and confirm that an entry appears in the audit log. Using the WebGUI, go to Administration >> Access >> New User Account. Click "No". Select "Developer". Click Next. Enter "TestDeveloper" as the name and enter a password. Click Next. Click Commit. Click Done.

Now view the Audit log by using the WebGUI to go to Status >> View Logs >> Audit Log. Scroll to the bottom of the log and confirm that you see the following entry: "user 'TestDeveloper' - Configuration added".

If this event message does not appear in the audit log, this is a finding.

Fix

The DataPower device logs the execution of all privileged functions.

The DataPower Audit log is enabled by default. To configure this log, go to the WebGUI at Objects >> Logging Configuration >> Audit Log Settings. Set the Administrative state to "enable". Specify the desired Log Size, Number of Rotations. Set the Audit Level to "full" (the default setting). The result of this configuration must be that the status displayed alongside the "Audit Log Settings" heading is "[up]".
V-65141 No Change
Findings ID: WSDP-NM-000094 Rule ID: SV-79631r1_rule Severity: medium CCI: CCI-001914

Discussion

If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost.

This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near-real-time, within minutes, or within hours.

The individuals or roles to change the auditing are dependent on the security configuration of the network device--for example, it may be configured to allow only some administrators to change the auditing, while other administrators can review audit logs but not reconfigure auditing. Because this capability is so powerful, organizations should be extremely cautious about only granting this capability to fully authorized security personnel.

Checks

View the following three auditing configuration capabilities:

Verify existing log targets and Event Subscriptions. Using the web interface, go to Objects >> Logging Configuration >> Log Target. View the Event Subscriptions tab to audit log subscription Event Priority levels.

SNMP Settings. Using the web interface, go to Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. View the Event Subscriptions tab to verify audit log subscription Event Priority levels.

Audit log settings. Using the web interface, go to Objects >> Logging Configuration >> Audit Log Settings. Verify that the Audit Level is set to "full". If it is not, this is a finding.

Fix

Configure the following near real-time auditing capabilities:

1. Subscriptions to the DataPower audit logs and associated event categories and Minimum Event Priority.

Set log targets and Event Subscription. Using the web interface, go to Objects >> Logging Configuration >> Log Target. Add an audit log target. View the Event Subscriptions tab to set audit log subscription Event Priority level.

2. SNMP trap event subscriptions to audit log events

SNMP Settings. Using the web interface, go to Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. Add audit log event codes to the SNMP notification configuration.

3. Audit levels.

Using the web interface, go to Objects >> Logging Configuration >> Audit Log Settings. Set the Audit Level to the desired level (standard or full).
V-65143 No Change
Findings ID: WSDP-NM-000095 Rule ID: SV-79633r1_rule Severity: medium CCI: CCI-001849

Discussion

In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.

The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.

Checks

Development configuration (on-box logging): Using the DataPower web interface, navigate to Objects >> Logging Configuration >> Audit Log Settings. Verify that the desired Log Size, Number of Rotations has resulted in "[up]" status displayed after the "Audit Log Settings" heading at the top of page. In the WebGUI, navigate to Status >> View Logs >> System Logs. Ensure the following event message is not displayed: 0x82400067 Audit log space low - using audit reserve space.

If this message appears, it is a finding.

Production configuration (off-box logging)
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

If the status is not up, this is a finding.

Fix

Development configuration (on-box logging):
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Audit Log Settings. Specify the desired Log Size, Number of Rotations, and audit level. Press Apply then Save Configuration. (Maximum available log space is approximately 50GB - less space consumed by other data on the device.)

Production configuration (off-box logging):
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security.

On the Event Subscriptions tab, add an Event Subscription. Select "audit" as the Event Category. Select a minimum Event Priority, e.g., "error". Click "Apply" >> Click "Apply" >> Click "Save Configuration". Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.
V-65145 No Change
Findings ID: WSDP-NM-000096 Rule ID: SV-79635r1_rule Severity: low CCI: CCI-001855

Discussion

If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. This could lead to the loss of audit information. Note that while the network device must generate the alert, notification may be done by a management server.

Checks

Production configuration (off-box logging):
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

To test 75 percent notification: Set the allowed maximum file size to a minimum value, e.g., 250k. Restart the DataPower Gateway several times to generate sufficient audit log messages to fill up the off-box audit log file. Confirm that notification is received at 75 percent of capacity. If it is not, this is a finding.

Fix

Production configuration (off-box logging):
Off-box logging provides optimal storage size flexibility and log size notification capability.
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security.

On the Event Subscriptions tab, add an Event Subscription. Select "audit" as the Event Category. Select a minimum Event Priority, e.g., "error". Click "Apply" >> Click "Apply" >> Click "Save Configuration". Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

It is the responsibility of the target log server to provide an alert when the audit log has reached 75 percent of capacity.
V-65147 No Change
Findings ID: WSDP-NM-000097 Rule ID: SV-79637r1_rule Severity: low CCI: CCI-001858

Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include Event Subscription codes that indicate audit failure: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

If the SNMP object state is down, this is a finding.

Fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> Set to "warning" the "Minimum Priority" option >> Configure "Trap Event Subscriptions" to include Event Subscriptions that indicate audit log failure: add 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".
V-65149 No Change
Findings ID: WSDP-NM-000098 Rule ID: SV-79639r1_rule Severity: low CCI: CCI-001891

Discussion

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

Checks

Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.

Fix

Configure the DataPower Gateway to synchronize internal information system clocks to the authoritative time source (NTP servers).

In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.
V-65151 No Change
Findings ID: WSDP-NM-000099 Rule ID: SV-79641r1_rule Severity: low CCI: CCI-002046

Discussion

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.

Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference.

The organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.

Checks

Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.

Fix

Configure the DataPower Gateway to synchronize internal information system clocks to the authoritative time source (NTP servers).

In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.
V-65153 No Change
Findings ID: WSDP-NM-000100 Rule ID: SV-79643r1_rule Severity: medium CCI: CCI-000366

Discussion

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.

Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.

DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Checks

Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.

Fix

In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.
V-65155 No Change
Findings ID: WSDP-NM-000101 Rule ID: SV-79645r1_rule Severity: medium CCI: CCI-001890

Discussion

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.

Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.

Checks

In the web interface, go to Status >> View Logs >> Audit Log to display current time stamped log entries.

If the UTC format is not used, this is a finding.

Fix

By default, the DataPower Gateway records time stamps for audit records in Coordinated Universal Time (UTC). The following is an example: March 30, 2015 followed by the number of milliseconds since January 1, 1970.

20150330T072434.296Z
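The checks in V-65129 (account-modification event codes 0x8240001c and 0x8240001f), V-65147 (audit-failure event codes 0x80c0006a, 0x82400067, 0x00330034 and 0x80400080) and V-65155 (UTC time stamps) can all be confirmed by reading exported audit log lines offline. The following Python checker is an added example, not part of the STIG and not IBM's code. It assumes the line layout of the sample in V-65129 (bracketed category, result and event code, then a `user:domain:interface:address` actor tuple, then the message), optionally preceded by a time stamp in the basic ISO 8601 form shown above (`20150330T072434.296Z`, i.e. 2015-03-30 07:24:34.296 UTC). The sample log lines, the actor tuple of the system line, the group names and the placeholder event code 0x00000001 are all constructed for this example; the event codes named in the STIG are the only real ones used.

```python
import re
from datetime import datetime

# Event codes named in this STIG. The two group names are this example's own
# labels for the checks in V-65129 and V-65147, not DataPower terminology.
ACCOUNT_MODIFICATION_CODES = {0x8240001c, 0x8240001f}
AUDIT_FAILURE_CODES = {0x80c0006a, 0x82400067, 0x00330034, 0x80400080}

# Assumed line layout (constructed from the STIG's sample line):
#   [<ts>] [category][result][0xcode] (user:domain:interface:address): message
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{8}T\d{6}\.\d+(?:Z|[+-]\d{4}))\s+)?"
    r"\[(?P<category>[^\]]+)\]\[(?P<result>[^\]]+)\]\[(?P<code>0x[0-9a-fA-F]{8})\]"
    r"\s+\((?P<actor>[^)]*)\):\s*(?P<message>.*)$"
)

# Constructed sample lines. The first and the audit-space-low message mirror text
# in the STIG; the others are invented to exercise each branch of the checker.
SAMPLE_LOG = """\
20150330T072434.296Z [conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied
20150330T072501.010Z [conf][success][0x8240001f] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied
20150330T073000.000Z [audit][warn][0x82400067] (system:default:internal:): Audit log space low - using audit reserve space
20150330T073100.500Z [mgmt][success][0x00000001] (admin:default:cli:192.168.65.1): placeholder benign event
20150330T083000.000+0100 [conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'Other' Configuration settings applied
this line is not in the expected audit log layout
"""


def parse_timestamp(value):
    """Parse the basic-format time stamp; 'Z' is treated as +0000. None if malformed."""
    if value.endswith("Z"):
        value = value[:-1] + "+0000"
    try:
        return datetime.strptime(value, "%Y%m%dT%H%M%S.%f%z")
    except ValueError:
        return None


def parse_line(line):
    """Split one audit log line into fields; return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    actor = (m["actor"].split(":") + [""] * 4)[:4]   # user, domain, interface, address
    code = int(m["code"], 16)
    target = re.search(r"user '([^']+)'", m["message"])  # account the change was applied to
    ts_raw = m["ts"]
    return {
        "timestamp": parse_timestamp(ts_raw) if ts_raw else None,
        "utc": bool(ts_raw) and ts_raw.endswith("Z"),  # V-65155 wants the UTC ('Z') form
        "category": m["category"],
        "result": m["result"],
        "code": code,
        "actor_user": actor[0],
        "domain": actor[1],
        "interface": actor[2],
        "address": actor[3],
        "target_user": target.group(1) if target else None,
        "message": m["message"],
        "account_modification": code in ACCOUNT_MODIFICATION_CODES,
        "audit_failure": code in AUDIT_FAILURE_CODES,
    }


def review(lines):
    """Bucket log lines into the conditions a reviewer acts on for V-65129/V-65147/V-65155."""
    report = {"account_modification": [], "audit_failure": [], "timestamp_not_utc": [], "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report["unparsed"].append(line)
            continue
        if entry["account_modification"]:
            report["account_modification"].append(entry)
        if entry["audit_failure"]:
            report["audit_failure"].append(entry)
        # A missing or offset-based time stamp cannot satisfy the UTC check.
        if not entry["utc"] or entry["timestamp"] is None:
            report["timestamp_not_utc"].append(entry)
    return report


if __name__ == "__main__":
    result = review(SAMPLE_LOG.splitlines())
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for e in entries:
            print("   ", e if isinstance(e, str) else f"0x{e['code']:08x} {e['actor_user']} -> {e['target_user']} : {e['message']}")
```

Any entry in `account_modification` should correspond to an SNMP trap received at the target configured under "Trap and Notification Targets"; any entry in `audit_failure` or `timestamp_not_utc`, or any unparsed line from the device, is what the corresponding check calls a finding and needs to be followed up.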
V-65157 No Change
Findings ID: WSDP-NM-000105 Rule ID: SV-79647r1_rule Severity: medium CCI: CCI-001744

Discussion

Unauthorized changes to the baseline configuration could make the device vulnerable to various attacks or allow unauthorized access to the device. Changes to device configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the device. Examples of security responses include, but are not limited to the following: halting application processing; halting selected functions; or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. The appropriate automated security response may vary depending on the nature of the baseline configuration change, the role of the network device, the availability of organizational personnel to respond to alerts, etc.

Checks

This requirement may be verified by executing each configuration item modification event that requires tracking and then examining the audit log (the most recent entry will be at the bottom of the log).

Using the DataPower Gateway web interface, the audit log event code for each configuration item modification event shown in the audit log must be confirmed to exist in the list of Trap Event Subscriptions in the SNMP notification settings: Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab.

If the code is not present, this is a finding.

Fix

Configure the DataPower Gateway to use an SNMP trap to send the log failure event to a properly configured SNMP server.

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Configure "Trap Event Subscriptions" to include Event Subscriptions that indicate unauthorized configuration changes. Configure "Trap and Notification Targets" to include an approved SNMP server that generates alerts that will be forwarded to organizational personnel when a modification to a configuration item has occurred.
V-65159 No Change
Findings ID: WSDP-NM-000106 Rule ID: SV-79649r1_rule Severity: medium CCI: CCI-001813

Discussion

Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system.

When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device can potentially have significant effects on the overall security of the device.

Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications.

Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Checks

In the DataPower web interface, navigate to Administration >> Access. Check User Account, User Group, and RBM settings to ensure that appropriate access restrictions are in place.

If the User Account, User Group, and RBM settings have not been configured, this is a finding.

Fix

Configure DataPower Gateway to restrict actions associated with device configuration. This is defined and enforced through group and user access privileges as well as DataPower's Role-based management settings.

Configure these settings using the DataPower WebGUI at Administration >> Access.
V-65161 No Change
Findings ID: WSDP-NM-000107 Rule ID: SV-79651r1_rule Severity: medium CCI: CCI-001814

Discussion

Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions.

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Checks

Confirm that the Audit log administrative state is "up". Using the web interface, go to Objects >> Logging Configuration >> Audit Log Settings. Confirm that the Audit Level is set to Full. If it is not, this is a finding.

Fix

Configure the DataPower Gateway to log all enforcement action audit events to an external log target.

Using the web interface, go to Objects >> Logging Configuration >> Log Target. Add an audit log target. View the Event Subscriptions tab to set audit log subscription Event Priority level.
V-65163 No Change
Findings ID: WSDP-NM-000108 Rule ID: SV-79653r1_rule Severity: medium CCI: CCI-002038

Discussion

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When devices provide the capability to change security roles, it is critical the user re-authenticate.

In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances.

(i) When authenticators change;
(ii) When roles change;
(iii) When security categories of information systems change;
(iv) When the execution of privileged functions occurs;
(v) After a fixed period of time; or
(vi) Periodically.

Within the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.

Checks

Go to Status >> Main >> Active Users and ensure that the user is not currently logged on. If the user is logged in, it is a finding.

Fix

After making any account privilege changes, the administrator must go to Status >> Main >> Active Users and disconnect the user's current session if they are currently logged on.
V-65165 No Change
Findings ID: WSDP-NM-000112 Rule ID: SV-79655r1_rule Severity: high CCI: CCI-001967

Discussion

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.

A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet).

Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. For network device management, this has been determined to be network management device addresses, SNMP authentication, and NTP authentication.

Checks

For SNMP, go to Administration >> Access >> SNMP Settings. Ensure the SNMP v3 Security Level is set to Authenticate. If it is not, this is a finding.

Fix

The browser, SSH, and XML Management network interfaces are set to SSL/TLS and require authentication by default. For SNMP, go to Administration >> Access >> SNMP Settings. Set SNMP v3 Security Level to Authenticate. Create one or more new SNMPv3 users that employ Authentication (may be password or key). Network transport for SNMP uses TLS by default.
V-65167 No Change
Findings ID: WSDP-NM-000115 Rule ID: SV-79657r1_rule Severity: medium CCI: CCI-002007

Discussion

Some authentication implementations can be configured to use cached authenticators.

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Checks

Go to Administration >> Access >> RBM Settings. Click on the Authentication tab. Verify that the cache mode is set to absolute and that a timeout value is set. If it is not, this is a finding.

Fix

Go to Administration >> Access >> RBM Settings. Click on the Authentication tab. Set the cache mode to absolute and set the timeout value as needed.
V-65169 No Change
Findings ID: WSDP-NM-000117 Rule ID: SV-79659r1_rule Severity: medium CCI: CCI-002890

Discussion

This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.

Checks

Go to Network >> Management >> Telnet Service and ensure that no active Telnet configurations exist for device management. Other administrative interfaces (SSH, browser, XML Management) are run over secure protocols by default and cannot be changed. If Telnet configurations exist, this is a finding.

Fix

Go to Network >> Management >> Telnet Service and ensure that no active Telnet configurations exist for device management. Other administrative interfaces (SSH, browser, XML Management) are run over secure protocols by default and cannot be changed.
V-65171 No Change
Findings ID: WSDP-NM-000128 Rule ID: SV-79661r1_rule Severity: medium CCI: CCI-001851

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Checks

Go to Administration >> Miscellaneous >> Manage Log Targets, Event Subscription tab, and check for acceptable configuration in the name and category fields. Go to the Main tab and check for the desired values in the protocol field.

If no Log Targets are configured, this is a finding.

Fix

Use the CLI copy command. Syntax: copy -f sourceURL destinationURL
-f is an optional switch that forces an unconditional copy. Example: xi52(config)# copy audit:audit-log sftp://[email protected]/LOGS/x/Week1.log

Or, go to Administration >> Miscellaneous >> Manage Log Targets, Event Subscription tab, provide a name, press Add, and choose Category “audit”.

Go to Main tab, choose protocol (NFS, SMTP, SNMP, File, etc.) and configure.
V-65173 No Change
Findings ID: WSDP-NM-000131 Rule ID: SV-79663r1_rule Severity: medium CCI: CCI-000366

Discussion

By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the network device. An example of a mechanism to facilitate this would be through the utilization of SNMP traps.

Checks

Go to Administration >> Access >> SNMP Settings. Verify the IP address, port, and security settings. Go to the Trap and Notification Targets tab. Verify the remote server/receiver information. If these values have not been set, this is a finding.

Fix

Go to Administration >> Access >> SNMP Settings. Configure the IP address, port, and security settings.

Go to the Trap and Notification Targets tab. Enter the remote server/receiver information.
V-65175 No Change
Findings ID: WSDP-NM-000132 Rule ID: SV-79665r1_rule Severity: medium CCI: CCI-000366

Discussion

Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.

Checks

Go to Administration >> Miscellaneous >> Manage Log Targets. Verify the settings. If they are blank, this is a finding.

Fix

Go to Administration >> Miscellaneous >> Manage Log Targets. Click the log target or add one.

Go to the Event Subscriptions tab and click on the event categories that are required to be audited.
V-65177 No Change
Findings ID: WSDP-NM-000134 Rule ID: SV-79667r1_rule Severity: medium CCI: CCI-000366

Discussion

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.

Checks

Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.

Fix

Go to Administration >> Access >> RBM Settings.
Set Authentication Method to LDAP.

Configure LDAP connection as needed.
V-65179 No Change
Findings ID: WSDP-NM-000135 Rule ID: SV-79669r1_rule Severity: medium CCI: CCI-000366

Discussion

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.

Checks

Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.

Fix

Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP.

Configure LDAP connection as needed.
V-65181 No Change
Findings ID: WSDP-NM-000136 Rule ID: SV-79671r1_rule Severity: medium CCI: CCI-000366

Discussion

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.

Checks

Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.

Fix

Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP.

Configure LDAP connection as needed. The connection will be verified.
V-65183 No Change
Findings ID: WSDP-NM-000138 Rule ID: SV-79673r1_rule Severity: medium CCI: CCI-000366

Discussion

System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component.

This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.

Checks

Go to Administration >> Main >> System Control. Verify Secure Backup. If it is not configured, this is a finding.

Fix

Go to Administration >> Main >> System Control and configure Secure Backup. Go to Administration >> Configuration >> Export Configuration to do the backup. This can be automated via external scripting or Scheduled Rule - XML Manager in default domain.
V-65185 No Change
Findings ID: WSDP-NM-000140 Rule ID: SV-79675r1_rule Severity: medium CCI: CCI-000366

Discussion

Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network device. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any network device compromise. Incident response teams can perform root cause analysis, determine how the exploit proliferated, and identify all affected nodes, as well as contain and eliminate the threat.

The network device assists in the tracking of security incidents by logging detected security events. The audit log and network device application logs capture different types of events. The audit log tracks audit events occurring on the components of the network device. The application log tracks the results of the network device content filtering function. These logs must be aggregated into a centralized server and can be used as part of the organization's security incident tracking and analysis.

Checks

Go to Administration >> Miscellaneous >> Manage Log Targets. Verify the log target. If no log target exists, this is a finding.

Fix

Go to Administration >> Miscellaneous >> Manage Log Targets. Click the log target or add one. Go to the Event Subscriptions tab and click on the event categories that are required to be audited.
V-65187 No Change
Findings ID: WSDP-NM-000141 Rule ID: SV-79677r1_rule Severity: medium CCI: CCI-000366

Discussion

For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.

Checks

Go to Objects >> Crypto Configuration >> Crypto Certificate (for certs) or Crypto Key (for keys) to verify external keys/certs on the encrypted flash or FIPS 140-2 Level 3 HSM. If none exist, this is a finding.

Fix

Go to Objects >> Crypto Configuration >> Crypto Certificate (for certs) or Crypto Key (for keys) to upload external keys/certs to the encrypted flash or FIPS 140-2 Level 3 HSM.
V-65189 No Change
Findings ID: WSDP-NM-000143 Rule ID: SV-79679r1_rule Severity: medium CCI: CCI-001368

Discussion

If 0.0.0.0 is used as the management IP address, the DataPower appliance will listen on all configured interfaces for management traffic. This can allow an attacker to gain privileged-level access from an untrusted network.

Checks

Using an administrator account, log on to the default domain of the appliance.

Navigate to Network >> Management >> Web Management Service.

View the Local Address field; if the value is “0.0.0.0”, this is a finding.

Fix

To configure the DataPower appliance for web management:

Using an administrator account, log on to the default domain of the appliance.

On the Configure Web Management Service screen, complete the required information.

Set the Administrative state to “enabled”.

For the Local Address, use the IP address from the management subnet assigned to the unit.
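As an added illustration (not part of the STIG or of IBM's tooling), the following Python script applies the Web Management Service local-address check (V-65189), the Telnet Service check (V-65169) and the SNMPv3 security-level check (V-65165) to a set of management settings an operator has recorded from the WebGUI screens named above. The JSON layout, key names and sample addresses are constructed for this example and are not a real DataPower export format.

```python
"""Audit recorded DataPower management settings against V-65189 (Web
Management Service bound to 0.0.0.0), V-65169 (active Telnet service)
and V-65165 (SNMPv3 security level must authenticate)."""
import json

# Constructed sample input. The JSON layout and key names are an assumption
# for this example (the fields read off the WebGUI screens named in the
# checks); they are not a real DataPower export format.
SAMPLE_CONFIG = json.dumps({
    "web_management_service": {"admin_state": "enabled",
                               "local_address": "0.0.0.0", "port": 9090},
    "telnet_services": [{"name": "legacy-telnet", "admin_state": "enabled"}],
    "snmp_settings": {"v3_security_level": "none"},
})

# Same capture after remediation: a constructed management-subnet address,
# no Telnet service, SNMPv3 authentication enabled.
HARDENED_CONFIG = json.dumps({
    "web_management_service": {"admin_state": "enabled",
                               "local_address": "10.10.20.5", "port": 9090},
    "telnet_services": [],
    "snmp_settings": {"v3_security_level": "authenticate"},
})

# SNMPv3 levels that include authentication. "privacy" (authPriv) also
# authenticates the sender, so it is not a finding under V-65165.
AUTHENTICATED_LEVELS = {"authenticate", "privacy"}


def audit(config_json):
    """Return a list of (rule_id, detail) findings; an empty list is compliant."""
    cfg = json.loads(config_json)
    findings = []
    wm = cfg.get("web_management_service", {})
    if wm.get("local_address") == "0.0.0.0":
        findings.append(("V-65189",
                         "Web Management Service listens on all interfaces"))
    active_telnet = [t["name"] for t in cfg.get("telnet_services", [])
                     if t.get("admin_state") == "enabled"]
    if active_telnet:
        findings.append(("V-65169",
                         "Active Telnet service(s): " + ", ".join(active_telnet)))
    level = cfg.get("snmp_settings", {}).get("v3_security_level", "")
    if level.lower() not in AUTHENTICATED_LEVELS:
        findings.append(("V-65165",
                         f"SNMPv3 security level {level!r} does not authenticate"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```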