IBM DataPower Network Device Management Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2017-10-05
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
AC-3 - Medium - CCI-000213 - V-64981 - SV-79471r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
WSDP-NM-000013
Vuln IDs
  • V-64981
Rule IDs
  • SV-79471r1_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device.
Checks: C-65639r1_chk

Administration >> Access >> User Group >> Click the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Fix: F-70921r1_fix

Create the appropriate User Group(s) using the "RBM Builder": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Define the policy >> Click "Add" >> Click “Apply”. Add users' accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used. Configure Role-Based Management to make use of LDAP Group information during logon to map users to local group definitions.

b
The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
AC-4 - Medium - CCI-001368 - V-65063 - SV-79553r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
WSDP-NM-000014
Vuln IDs
  • V-65063
Rule IDs
  • SV-79553r1_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.
Checks: C-65689r1_chk

Administration >> Access >> User Group >> Click the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Fix: F-71003r1_fix

Create the appropriate User Group(s) using the "RBM Builder": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Define the policy >> Click "Add" >> Click “Apply”. Add users’ accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used. Configure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.

a
The DataPower Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Low - CCI-000048 - V-65065 - SV-79555r1_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
WSDP-NM-000016
Vuln IDs
  • V-65065
Rule IDs
  • SV-79555r1_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-65691r1_chk

Privileged user opens browser and navigates to the DataPower logon page. Confirm that the logon page displays the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the standard banner is not displayed, this is a finding.

Fix: F-71005r1_fix

Get the User Interface (UI) Configuration Template File from the IBM DataPower Gateway website >> Copy the template to a new text file on the local operating system named "ui-customization.xml". Upload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click "local:" >> Click "Actions..." Link corresponding to "local:" >> Click "Upload Files" >> Click "Browse" button >> Select the previously saved "ui-customization.xml" file from the local operating system >> Click "Open" >> Click the "Upload" button" >> Click the "Continue" button. Edit the "ui-customization.xml" file: Click "refresh page" >> Click "local:" >> Click the "Edit" link corresponding to "ui-customization.xml" >> Click the "Edit" button >> Locate the XML Stanza named "MarkupBanner" and 'type="pre-logon"' >> Replace the text "WebGUI pre-logon message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." >> Locate the XML Stanza named "TextBanner" and 'type="pre-logon"' >> replace the text "Command line pre-logon message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "I've read & consent to terms in IS user agreem't." >> Click the "Submit" button. Configure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to "Custom user interface file" section at the bottom of the page and select "ui-customization.xml" from the drop-down list >> Scroll to top of the page >> Click "Apply" >> Click "Save Configuration". Log out of the appliance.

b
The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - V-65067 - SV-79557r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
WSDP-NM-000017
Vuln IDs
  • V-65067
Rule IDs
  • SV-79557r1_rule
The banner must be acknowledged by the administrator prior to allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement by clicking on a box indicating "OK".
Checks: C-65693r1_chk

WebGUI logon page: If DataPower does not retain the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding. CLI logon: If DataPower does not display the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.

Fix: F-71007r1_fix

Get the User Interface (UI) Configuration Template File from the IBM DataPower Gateway online website >> Copy the template to a new text file on the local operating system named "ui-customization.xml" Upload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click "local:" >> Click "Actions..." link corresponding to "local:" >> Click "Upload Files" >> Click "Browse" button >> Select the previously saved "ui-customization.xml" file from the local operating system >> Click "Open" >> Click the "Upload" button" >> Click the "Continue" button. Edit the "ui-customization.xml" file: Click "refresh page" >> Click "local:" >> Click the "Edit" link corresponding to "ui-customization.xml" >> Click the "Edit" button >> Locate the XML Stanza named "MarkupBanner" and 'type="pre-logon"' >> Replace the text "WebGUI pre-logon message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." >> Locate the XML Stanza named "TextBanner" and 'type="pre-logon"' >> replace the text "Command line pre-logon message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "I've read & consent to terms in IS user agreem't." >> Click the "Submit" button. Configure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to "Custom user interface file" section at the bottom of the page and select "ui-customization.xml" from the drop-down list >> Scroll to top of the page >> Click "Apply" >> Click "Save Configuration". Log out of the appliance.

b
The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower.
AU-12 - Medium - CCI-000169 - V-65069 - SV-79559r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
WSDP-NM-000022
Vuln IDs
  • V-65069
Rule IDs
  • SV-79559r1_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the device will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions.
Checks: C-65695r1_chk

Control Panel >> View Logs Select “DOD-EventsLog” from the drop-down list at the top of the page. If the log is empty, this is a finding.

Fix: F-71009r1_fix

Privileged account user logon to default domain In the search field, enter “Log Target”. From the search results, click “Log Target”. Click “Add”. Name: enter the name of the log target (e.g., targetDodEvents) Target Type: File Log Format: XML Timestamp format: Syslog Destination Configuration: File Name: logstore:///dodEvents.log Log Size: 1024 Archive Mode: Rotate Number of Rotations: 6 Click on the “Event Filters” Tab. Event Subscription Filter, click “Select Code”; select an Event Code from the list in the popup window. Click the “Add” button. Repeat the process until all desired event codes have been added. Click “Apply” to save the changes to the running configuration. Click “Save Configuration” to save the changes to the persisted configuration.

b
The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-65071 - SV-79561r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
WSDP-NM-000023
Vuln IDs
  • V-65071
Rule IDs
  • SV-79561r1_rule
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-65697r1_chk

Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "groupISSM" group >> Confirm that the following minimal access profiles are created: "*/*/*?Access=r" and "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x". If either profile is not present, this is a finding. Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Fix: F-71011r1_fix

Create an ISSM User Group: Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Name: "groupISSM" >> Enter "*/*/*?Access=r" into the "Access Profile" field >> Click "Add" >> "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x" into the "Access Profile" field >> Click "Add" >> Click "Apply". Add users’ accounts to the ISSM User Group "groupISSM" in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used. Configure Role-Based Management to use LDAP Group information during logon to map users to local group definitions. Administration >> Access >> RBM Settings >> When configuring the Authentication method, select "LDAP" as the authentication method Configure LDAP Authentication Define the connection to the LDAP server >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the LDAP version list, select the version >> From the SSL proxy profile list, select a profile to establish a secured connection to the LDAP server >> From the Load balancer group list, select a load balancer group. If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port. Set the Search LDAP for DN property to use an LDAP search to retrieve the user group >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> From the Local accounts for fallback list, select whether to use local user accounts as fallback users. With fallback users, local users can log on to the appliance if authentication fails or during a network outage that affects the primary authentication. When specific users are fallback users, add the local users (from the Fallback user list, select a local user) >> Click Add >> Optional: Repeat this step to add another locally defined fallback user. Define the credentials-mapping method. Click Credentials-mapping >> From the Credentials-mapping method list, select the method to evaluate access profiles. Although available, a local user group is not a valid selection (If custom: In the Custom URL field, specify the URL of the custom style sheet; if with an XML file: In the XML file URL field, specify the URL of the RBM file) >> When the mapping method is a local user group or an XML file, set Search LDAP for group name to control whether to search LDAP to retrieve all user groups that match the query. When LDAP search is enabled, define the LDAP connection >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the SSL proxy profile list, select the profile to establish a secured connection to the server >> From the Load balancer group list, select a load balancer group. If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port In the LDAP bind DN field, enter the distinguished name (DN) for the bind operation >> In the LDAP bind password fields, enter and confirm the password for the specified DN >> From the LDAP search parameters list, select an LDAP search parameter. The LDAP search operation uses these parameters to retrieve all group names (DN or attribute value) based on the DN of the authenticated user >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> Define the account policy >> If you defined fallback users, define the password policy. Save the configuration: Click "Apply" to save the changes to the running configuration >> Click "Save Configuration" to save the changes to the persisted configuration.

b
The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
AU-5 - Medium - CCI-000139 - V-65073 - SV-79563r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
WSDP-NM-000033
Vuln IDs
  • V-65073
Rule IDs
  • SV-79563r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Checks: C-65699r1_chk

Administration >> Miscellaneous >> "Manage Log Targets" >> Click the appropriate log target (e.g., "SystemResourcesLog") >> Click the "Event Filters" tab >> Confirm subscriptions to the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017. If any of these codes are not subscribed to, this is a finding.

Fix: F-71013r1_fix

A Log Target can be configured to generate notifications (e.g., SNMP, SMTP) in the event that any of these event codes are detected. Privileged account user log on to default domain >> Administration >> Miscellaneous >> "Manage Log Targets" >> Click the "Add" button >> Name: "SystemResourcesLog” >> Target Type: Select the desired notification mechanism (e.g., SMTP) >> Configure the SMTP server, providing the requested information; Log Format: “text” >> Fixed Format: off >> Rate Limit: “100” >> Feedback Detection: on >> Identical Event Detection: off >> Click the "Event Filters" tab >> Under "Event Subscriptions", add the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017 >> Click the "Apply" button >> Click "Save Configuration".

b
The DataPower Gateway must protect audit information from any type of unauthorized read access.
AU-9 - Medium - CCI-000162 - V-65075 - SV-79565r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
WSDP-NM-000036
Vuln IDs
  • V-65075
Rule IDs
  • SV-79565r1_rule
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could use to his or her advantage. To ensure the veracity of audit data, the information system and/or the network device must protect audit information from any and all unauthorized read access. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, network devices with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the device interface. If the device provides access to the audit data, the device becomes accountable for ensuring audit information is protected from unauthorized access.
Checks: C-65701r1_chk

Login page >> Enter non admin user id and password, select Default for domain >> Click Login. If non admin user can log on, this is a finding.

Fix: F-71015r1_fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> click add >> click Apply >> click Apply >> click Save Configuration

b
The DataPower Gateway must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-65077 - SV-79567r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
WSDP-NM-000039
Vuln IDs
  • V-65077
Rule IDs
  • SV-79567r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-65703r1_chk

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix: F-71017r1_fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".

b
The DataPower Gateway must protect audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-65079 - SV-79569r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
WSDP-NM-000040
Vuln IDs
  • V-65079
Rule IDs
  • SV-79569r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-65705r1_chk

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix: F-71019r1_fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".

b
The DataPower Gateway must protect audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-65081 - SV-79571r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001495
Version
WSDP-NM-000041
Vuln IDs
  • V-65081
Rule IDs
  • SV-79571r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit data. Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-65707r1_chk

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix: F-71021r1_fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".

a
The DataPower Gateway must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Low - CCI-001348 - V-65083 - SV-79573r1_rule
RMF Control
AU-9
Severity
Low
CCI
CCI-001348
Version
WSDP-NM-000042
Vuln IDs
  • V-65083
Rule IDs
  • SV-79573r1_rule
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.
Checks: C-65709r1_chk

Type “Log Target” in the Search field >> Log target >> Event Subscription tab. If “audit” in not listed under Event Category, this is a finding. If “Rule Action” does not contain a “Filter” action, this is a finding.

Fix: F-71023r1_fix

Type “Log Target” in the Search field >> Log target >> Event Subscription tab >> Add >> Event Category “audit” >> Minimum Event Priority event priority level >> Apply >> Apply >> Save Configuration. If the only log target is “default-log”: Type “Log Target” in the Search field >> Log target >> Main tab >> Target Type “syslog” >> syslog Facility facility >> Local Identifier identifier >> Remote Host hostname.

b
The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 - Medium - CCI-001749 - V-65085 - SV-79575r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
WSDP-NM-000044
Vuln IDs
  • V-65085
Rule IDs
  • SV-79575r1_rule
Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
Checks: C-65711r1_chk

Login page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix: F-71025r1_fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".

b
The DataPower Gateway must limit privileges to change the software resident within software libraries.
CM-5 - Medium - CCI-001499 - V-65087 - SV-79577r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
WSDP-NM-000045
Vuln IDs
  • V-65087
Rule IDs
  • SV-79577r1_rule
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.
Checks: C-65713r1_chk

Logon page >> Enter non-admin user ID and password, select Default for domain >> Click "Login". If non-admin user can log on, this is a finding.

Fix: F-71027r1_fix

Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click “…” button next to User Group field >> Enter */default/*?Access=NONE into field >> Click "Add" >> Click "Apply" >> Click "Apply" >> Click "Save Configuration".

b
The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.
CM-7 - Medium - CCI-000382 - V-65089 - SV-79579r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
WSDP-NM-000046
Vuln IDs
  • V-65089
Rule IDs
  • SV-79579r1_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. This requirement applies to applications, services, protocols, and ports used for network device management. NTP, SSH, HTTPS and SNMP are associated with device management, but, when used to manage the device, must be restricted to the management network.
Checks: C-65715r1_chk

Logon to the Default Domain. Navigate to Network >> Management>> Web Management Service. If the Administrative State is not enabled, this is a finding. Navigate to Network >> Management>> SSH Service. If the Administrative State is not enabled, this is a finding. Navigate to Network >> Management>> Telnet Service. If the Administrative State is enabled, this is a finding.

Fix: F-71029r1_fix

Log on to the Default Domain. Navigate to Network >> Management>> Web Management Service. Set the Administrative State to enabled. Navigate to Network >> Management>> SSH Service. Set the Administrative State to enabled. In the Local IP Address field, enter the local IP address of the device monitors for incoming SSH requests. Click "Apply" to save the changes to the running configuration. Click "Save Config" to save the changes to the startup configuration.

b
The DataPower Gateway must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-65091 - SV-79581r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
WSDP-NM-000053
Vuln IDs
  • V-65091
Rule IDs
  • SV-79581r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-65717r1_chk

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Minimum length is Off, this is a finding

Fix: F-71031r1_fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Minimum length to at least 15

b
The DataPower Gateway must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-65093 - SV-79583r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
WSDP-NM-000054
Vuln IDs
  • V-65093
Rule IDs
  • SV-79583r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Checks: C-65719r1_chk

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Control reuse is Off, this is a finding.

Fix: F-71033r1_fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Control reuse to On, set Reuse history to at least 5.

b
If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-65095 - SV-79585r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
WSDP-NM-000055
Vuln IDs
  • V-65095
Rule IDs
  • SV-79585r1_rule
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-65721r1_chk

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require mixed case is Off, this is a finding.

Fix: F-71035r1_fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require mixed case to On.

b
If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-65097 - SV-79587r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
WSDP-NM-000056
Vuln IDs
  • V-65097
Rule IDs
  • SV-79587r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-65723r1_chk

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require mixed case is Off, this is a finding.

Fix: F-71037r1_fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require mixed case to On.

b
If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-65099 - SV-79589r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
WSDP-NM-000057
Vuln IDs
  • V-65099
Rule IDs
  • SV-79589r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-65725r1_chk

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require number is Off, this is a finding.

Fix: F-71039r1_fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require number to On.

b
If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-65101 - SV-79591r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
WSDP-NM-000058
Vuln IDs
  • V-65101
Rule IDs
  • SV-79591r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-65729r1_chk

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. If Require non-alphanumeric is Off, this is a finding.

Fix: F-71041r1_fix

Search Bar “Administration” >> Access >> RBM Settings >> Password Policy. Set Require non- alphanumeric to On.

b
The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.
IA-5 - Medium - CCI-000187 - V-65103 - SV-79593r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000187
Version
WSDP-NM-000065
Vuln IDs
  • V-65103
Rule IDs
  • SV-79593r1_rule
Authorization for access to any network device requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.
Checks: C-65731r1_chk

Search Bar “RBM” >> RBM Settings. Check that the Authentication method list has the User certificate selected. If not, this is a finding.

Fix: F-71043r1_fix

Search Bar “RBM” >> RBM Settings. Click User certificate in the Authentication method list.

b
The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
IA-7 - Medium - CCI-000803 - V-65105 - SV-79595r1_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
WSDP-NM-000067
Vuln IDs
  • V-65105
Rule IDs
  • SV-79595r1_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
Checks: C-65733r1_chk

Default domain >> Status >> Cryptographic Mode Status: If Target=Permissive AND Current=Permissive AND Pending Target=Permissive, this is a finding.

Fix: F-71045r1_fix

Administration >> Access >> RBM Settings >> Password Policy. Change Password hash algorithm to sha256crypt. Administration >> Miscellaneous >> Crypto Tools. Set Cryptographic Mode to FIPS 140-2 Level 1 and click Set Cryptographic Mode button. Control Panel >> System Control >> Shutdown. Set Mode to Reload Firmware >> Click "Shutdown" button.

c
The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-65107 - SV-79597r1_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
WSDP-NM-000069
Vuln IDs
  • V-65107
Rule IDs
  • SV-79597r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-65735r1_chk

Using the DataPower WebGUI: In the search field, enter Web Management, From the search results, click Web Management Service, In the Idle timeout field, check to ensure that the value entered in no greater than 600 (the number of seconds after which the appliance closes the connection). If the number is greater than 600, this is a finding.

Fix: F-71047r1_fix

Using the DataPower WebGUI: In the search field, enter Web Management, From the search results, click Web Management Service, In the Idle timeout field, enter 600 (the number of seconds after which the appliance closes the connection).

b
The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
SC-23 - Medium - CCI-001188 - V-65109 - SV-79599r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001188
Version
WSDP-NM-000072
Vuln IDs
  • V-65109
Rule IDs
  • SV-79599r1_rule
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement is applicable to devices that use a web interface for device management.
Checks: C-65737r1_chk

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status. If it is not set to FIPS 140-2, this is a finding. Then, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> Systems Logs. If they are not random, this is a finding.

Fix: F-71049r1_fix

From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. This will achieve NIST SP800-131a compliance.

b
The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
CM-6 - Medium - CCI-000366 - V-65111 - SV-79601r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000076
Vuln IDs
  • V-65111
Rule IDs
  • SV-79601r1_rule
Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the network device must activate a system alert message, send an alarm, or shut down.
Checks: C-65739r1_chk

From the DataPower command line, enter "failure-notification", then enter "show failure-notification". If it is "disabled", this is a finding. This capability is enabled by default.

Fix: F-71051r1_fix

From the DataPower command line, enter "failure-notification" to configure DataPower to generate failure notifications. With failure notification enabled, you can send an error report to a designated recipient or upload to a specific location after the appliance returns to service from an unscheduled outage. This error report can contain diagnostic details. Intrusion detection will provide a warning and restart in Fail-Safe mode.

b
The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.
AC-2 - Medium - CCI-001683 - V-65113 - SV-79603r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001683
Version
WSDP-NM-000077
Vuln IDs
  • V-65113
Rule IDs
  • SV-79603r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-65741r1_chk

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account creation: 0x8240001c. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account creation events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. Confirm that when an account is created, an appropriate 0x8240001c "Configuration added" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings. If this event message does not appear in the audit log, this is a finding.

Fix: F-71053r1_fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding a 0x8240001c Event Subscription. Example log result: "[conf][success][0x8240001c] (SYSTEM:default:*:*): user 'admin' Configuration added" On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are created. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

b
The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
AC-2 - Medium - CCI-001684 - V-65115 - SV-79605r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001684
Version
WSDP-NM-000078
Vuln IDs
  • V-65115
Rule IDs
  • SV-79605r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of device administrator accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. The network device must generate the alert. Notification may be done by a management server.
Checks: C-65743r1_chk

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription codes that indicate account modification: 0x8240001c and 0x8240001f. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account modification events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. Confirm that when an account is modified, an appropriate 0x8240001c or 0x8240001f "Configuration settings applied" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings. If this event message does not appear in the audit log, this is a finding.

Fix: F-71055r1_fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding 0x8240001c and 0x8240001f Event Subscriptions. Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied" On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are modified. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

b
The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled.
AC-2 - Medium - CCI-001685 - V-65117 - SV-79607r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001685
Version
WSDP-NM-000079
Vuln IDs
  • V-65117
Rule IDs
  • SV-79607r1_rule
When application accounts are disabled, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
Checks: C-65745r1_chk

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription codes that indicate an account is disabled: 0x8240001c and 0x8240001f. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. Confirm that when an account is disabled, an appropriate 0x8240001c or 0x8240001f "disabled" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings. If this event message does not appear in the audit log, this is a finding.

Fix: F-71057r1_fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account is disabled by adding 0x8240001c and 0x8240001f Event Subscriptions. Example log result: "[conf][success][0x8240001c] (dp-technician:default:system:*): web-mgmt 'WebGUI-Settings' - admin-state disabled." On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are disabled. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

b
The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.
AC-2 - Medium - CCI-001686 - V-65119 - SV-79609r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001686
Version
WSDP-NM-000080
Vuln IDs
  • V-65119
Rule IDs
  • SV-79609r1_rule
When application accounts are removed, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
Checks: C-65747r1_chk

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account removal: 0x8240001c. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. Confirm that when an account is removed, an appropriate 0x8240001c "Configuration deleted" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings. If this event message does not appear in the audit log, this is a finding.

Fix: F-71059r1_fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account removal by adding a 0x8240001c Event Subscription. Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration deleted" On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are removed. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

b
The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
AC-12 - Medium - CCI-002361 - V-65121 - SV-79611r2_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
WSDP-NM-000081
Vuln IDs
  • V-65121
Rule IDs
  • SV-79611r2_rule
Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever an administrator (or process acting on behalf of a user) accesses a network device. Such administrator sessions can be terminated (and thus terminate network administrator access) without terminating network sessions. Session termination terminates all processes associated with an administrator's logical session except those processes that are specifically created by the administrator (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and network device types.
Checks: C-65749r3_chk

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Fix: F-71061r3_fix

For the Web Management service used by an administrator, configure an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication. For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.

b
The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.
AC-12 - Medium - CCI-002363 - V-65123 - SV-79613r2_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
WSDP-NM-000082
Vuln IDs
  • V-65123
Rule IDs
  • SV-79613r2_rule
If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
Checks: C-65751r2_chk

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Fix: F-71063r2_fix

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication. For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.

b
The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
AC-12 - Medium - CCI-002364 - V-65125 - SV-79615r1_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002364
Version
WSDP-NM-000083
Vuln IDs
  • V-65125
Rule IDs
  • SV-79615r1_rule
If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.
Checks: C-65753r1_chk

To verify, log out of a web session and an SSH command line session. Upon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out. Upon logout from an administrative SSH command line session, the following message is displayed: "Unauthorized access prohibited. logon:" A clear indication that logout has occurred. If this message is not present, this is a finding.

Fix: F-71065r1_fix

Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators. From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field. A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.

b
The DataPower Gateway must automatically audit account enabling actions.
AC-2 - Medium - CCI-002130 - V-65127 - SV-79617r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
WSDP-NM-000085
Vuln IDs
  • V-65127
Rule IDs
  • SV-79617r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-65755r1_chk

View the logging settings: Objects >> Logging Configuration >> Audit Log Settings. Then examine the audit log after enabling or disabling an account (the most recent entry will be at the bottom of the log). If this message is not present, this is a finding.

Fix: F-71067r1_fix

Configure a comprehensive audit trail by turning on the audit log using the web interface (Objects >> Logging Configuration >> Audit Log Settings) then setting the desired level of logging detail for audit-events.

b
The DataPower Gateway must generate an immediate alert for account enabling actions.
AC-2 - Medium - CCI-002132 - V-65129 - SV-79619r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002132
Version
WSDP-NM-000086
Vuln IDs
  • V-65129
Rule IDs
  • SV-79619r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.
Checks: C-65757r1_chk

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription codes that indicate account modification: 0x8240001c and 0x8240001f. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account modification events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. Confirm that when an account is modified, an appropriate 0x8240001c or 0x8240001f "Configuration settings applied" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings. If this event message does not appear in the audit log, this is a finding.

Fix: F-71069r1_fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding 0x8240001c and 0x8240001f Event Subscriptions. Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied" On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are modified. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

b
The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.
CM-6 - Medium - CCI-000366 - V-65131 - SV-79621r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000087
Vuln IDs
  • V-65131
Rule IDs
  • SV-79621r1_rule
Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions.
Checks: C-65759r1_chk

To verify that the secure transmission of authentication information has been configured, use the WebGUI to go to Objects >> XML Processing >> AAA Policy, select and existing AAA Policy. Validate the authorization parameters on the Resource extraction, Resource mapping, and Authorization tabs. On the Authorization tab, confirm that all necessary parameters are properly configured for secure access to the authorization server. If they are not, this is a finding.

Fix: F-71071r1_fix

The DataPower Gateway provides support for the secure transmission of authorization information to any supported authorization server. The following methods are supported: binarytokenx509, cleartrust, client-ssl, custom, kerberos, ldap, ltpa, netegrity, radius, saml-artifact, saml-authen-query, saml-signature, tivoli, token, validate-signer, ws-secureconversation, ws-trust, xmlfile, zosnss. To configure secure authorization, use the WebGUI to go to Objects >> XML Processing >> AAA Policy >> Press the "Add" button. After completing the parameters for authentication (Main, Identity extraction, Authentication, and Credential Mapping tabs), complete the parameters for authorization (Resource extraction, Resource mapping, and Authorization tabs). DataPower provides secure access to all of the above-listed supported authorization methods. For example, on the AAA Policy Authorization tab described above, select "Check membership in LDAP group" as the authentication method. Parameters will then appear that allow the configuration of a secure SSL/TLS connection to that authorization server.

b
If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.
AC-3 - Medium - CCI-002165 - V-65135 - SV-79625r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
WSDP-NM-000088
Vuln IDs
  • V-65135
Rule IDs
  • SV-79625r1_rule
Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. The discretionary access control policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.
Checks: C-65763r1_chk

Navigate to the DataPower Gateway RBM settings at Administration >> Access >> RBM, Authentication tab using the web interface. Verify that each role is authenticated according to appropriate control policy. If they are not, this is a finding.

Fix: F-71075r1_fix

As the DataPower administrator, configure the DataPower Gateway to enforce role-based access control policy over defined subjects and objects. In the WebGUI, go to Administration >> Access >> RBM Settings. On the Authentication tab, select the approved authentication server. Enter the information required for an authenticated user to access defined subjects and objects.

b
If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
CM-6 - Medium - CCI-000366 - V-65137 - SV-79627r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000089
Vuln IDs
  • V-65137
Rule IDs
  • SV-79627r1_rule
Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. The RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.
Checks: C-65765r1_chk

Navigate to the DataPower Gateway RBM settings at Administration >> Access >> RBM, Authentication tab using the web interface. Verify that each role is authenticated according to appropriate control policy. If they are not, this is a finding.

Fix: F-71077r1_fix

As the DataPower administrator, configure the DataPower Gateway to enforce role-based access control policy over defined subjects and objects. In the WebGUI, go to Administration >> Access >> RBM Settings. On the Authentication tab, select the approved authentication server. Enter the information required for an authenticated user to access defined subjects and objects.

b
The DataPower Gateway must audit the execution of privileged functions.
AC-6 - Medium - CCI-002234 - V-65139 - SV-79629r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002234
Version
WSDP-NM-000091
Vuln IDs
  • V-65139
Rule IDs
  • SV-79629r1_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Checks: C-65767r1_chk

Using the WebGUI, go to Objects >> Logging Configuration >> Audit Log Settings. Confirm that the Administrative state is "enabled" and that the status displayed alongside the "Audit Log Settings" heading is "[up]". As a final test, execute a privileged function and confirm that an entry appears in the audit log. Using the WebGUI, go to Administration >> Access >> New User Account. Click "No". Select "Developer". Click Next. Enter "TestDeveloper" as the name and enter a password. Click Next. Click Commit. Click Done. Now view the Audit log by using the WebGUI to got to Status >> View Logs >> Audit Log. Scroll to the bottom of the log and confirm that you see the following entry: "user 'TestDeveloper' - Configuration added". If this event message does not appear in the audit log, this is a finding.

Fix: F-71079r1_fix

The DataPower device logs the execution of all privileged functions. The DataPower Audit log is enabled by default. To configure this log, go to the WebGUI at Objects >> Logging Configuration >> Audit Log Settings. Set the Administrative state to "enable". Specify the desired Log Size, Number of Rotations. Set the Audit Level to "full" (the default setting). The result of this configuration must be that the status displayed alongside the "Audit Log Settings" heading is "[up]".

b
The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
AU-12 - Medium - CCI-001914 - V-65141 - SV-79631r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-001914
Version
WSDP-NM-000094
Vuln IDs
  • V-65141
Rule IDs
  • SV-79631r1_rule
If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. This requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near-real-time, within minutes, or within hours. The individuals or roles to change the auditing are dependent on the security configuration of the network device--for example, it may be configured to allow only some administrators to change the auditing, while other administrators can review audit logs but not reconfigure auditing. Because this capability is so powerful, organizations should be extremely cautious about only granting this capability to fully authorized security personnel.
Checks: C-65769r1_chk

View the following three auditing configuration capabilities: Verify existing log targets and Event Subscriptions. Using the web interface, go to Objects >> Logging Configuration >> Log Target. View the Event Subscriptions tab to audit log subscription Event Priority levels. SNMP Settings. Using the web interface, go to Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. View the Event Subscriptions tab to verify audit log subscription Event Priority levels. Audit log settings. Using the web interface, go to Object >> Logging Configuration >> Audit Log Settings. Verify that the Audit Level is set at the full. If it is not, this is a finding.

Fix: F-71081r1_fix

Configure the following near real-time auditing capabilities: 1. Subscriptions to the DataPower audit logs and associated event categories and Minimum Event Priority. Set log targets and Event Subscription. Using the web interface, go to Objects >> Logging Configuration >> Log Target. Add an audit log target. View the Event Subscriptions tab to set audit log subscription Event Priority level. 2. SNMP trap event subscriptions to audit log events SNMP Settings. Using the web interface, go to Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. Add audit log event codes to the SNMP notification configuration. 3. Audit levels. Using the web interface, go to Object >> Logging Configuration >> Audit Log Settings. Set the Audit Levels at the desired level (standard or full).

b
The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
AU-4 - Medium - CCI-001849 - V-65143 - SV-79633r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
WSDP-NM-000095
Vuln IDs
  • V-65143
Rule IDs
  • SV-79633r1_rule
In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.
Checks: C-65771r2_chk

Development configuration (on-box logging): Using the DataPower web interface, navigate to Objects >> Logging Configuration >> Audit Log Settings. Verify that the desired Log Size, Number of Rotations has resulted in "[up]" status displayed after the "Audit Log Settings" heading at the top of page. In the WebGUI, navigate to Status >> View Logs >> System Logs. Ensure the following event message is not displayed: 0x82400067 Audit log space low - using audit reserve space. If this message appears, it is a finding. Production configuration (off-box logging) Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page. If the status is not up, this is a finding.

Fix: F-71083r1_fix

Development configuration (on-box logging): Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Audit Log Settings. Specify the desired Log Size, Number of Rotations, and audit level. Press Apply then Save Configuration. (Maximum available log space is approximately 50GB - less space consumed by other data on the device.) Production configuration (off-box logging): Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security. On the Event Subscriptions tab, add an Event Subscription. Select "audit" as the Event Category. Select a minimum Event Priority, e.g., "error. Click "Apply" >> Click "Apply" >> Click "Save Configuration". Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

a
The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
AU-5 - Low - CCI-001855 - V-65145 - SV-79635r1_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-001855
Version
WSDP-NM-000096
Vuln IDs
  • V-65145
Rule IDs
  • SV-79635r1_rule
If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. This could lead to the loss of audit information. Note that while the network device must generate the alert, notification may be done by a management server.
Checks: C-65773r1_chk

Production configuration (off-box logging): Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page. To test 75 percent notification: Set the allowed maximum file size to a minimum value, e.g., 250k. Restart the DataPower Gateway several times to generate sufficient audit log messages to fill up the off-box audit log file. Confirm that notification is received at 75 percent of capacity. If it is not, this is a finding.

Fix: F-71085r1_fix

Production configuration (off-box logging): Off-box logging provides optimal storage size flexibility and log size notification capability. Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security. On the Event Subscriptions tab, add an Event Subscription. Select "audit" as the Event Category. Select a minimum Event Priority, e.g., "error”. Click "Apply" >>Click "Apply” >> Click "Save Configuration." Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page. It is the responsibility of the target log server to provide an alert when the audit log has reached 75 percent of capacity.

a
The DataPower Gateway must generate an immediate real-time alert of all audit failure events.
AU-5 - Low - CCI-001858 - V-65147 - SV-79637r1_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-001858
Version
WSDP-NM-000097
Vuln IDs
  • V-65147
Rule IDs
  • SV-79637r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-65775r1_chk

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include Event Subscription codes that indicate audit failure: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. If the SNMP object state is down, this is a finding.

Fix: F-71087r1_fix

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> Set to "warning" the "Minimum Priority" option >> Configure "Trap Event Subscriptions" to include Event Subscriptions that indicate audit log failure: add 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080. On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

a
The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server.
AU-8 - Low - CCI-001891 - V-65149 - SV-79639r1_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-001891
Version
WSDP-NM-000098
Vuln IDs
  • V-65149
Rule IDs
  • SV-79639r1_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Checks: C-65777r1_chk

Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.

Fix: F-71089r1_fix

Configure the DataPower Gateway to synchronize internal information system clocks to the authoritative time source (NTP servers). In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.

a
The DataPower Gateway must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
AU-8 - Low - CCI-002046 - V-65151 - SV-79641r1_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-002046
Version
WSDP-NM-000099
Vuln IDs
  • V-65151
Rule IDs
  • SV-79641r1_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference. The organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.
Checks: C-65779r1_chk

Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.

Fix: F-71091r1_fix

Configure the DataPower Gateway to synchronize internal information system clocks to the authoritative time source (NTP servers). In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.

b
The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-65153 - SV-79643r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000100
Vuln IDs
  • V-65153
Rule IDs
  • SV-79643r1_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-65781r1_chk

Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.

Fix: F-71093r1_fix

In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.

b
The DataPower Gateway must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Medium - CCI-001890 - V-65155 - SV-79645r1_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
WSDP-NM-000101
Vuln IDs
  • V-65155
Rule IDs
  • SV-79645r1_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
Checks: C-65783r1_chk

In the web interface, go to Status >> View Logs >> Audit Log to display current time stamped log entries. If the UTC format is not used, this is a finding.

Fix: F-71095r1_fix

By default, the DataPower Gateway records time stamps for audit records in Coordinated Universal Time (UTC). The following is an example: March 30, 2015 followed by the number of milliseconds since January 1, 1970. 20150330T072434.296Z

b
The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
CM-3 - Medium - CCI-001744 - V-65157 - SV-79647r1_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
WSDP-NM-000105
Vuln IDs
  • V-65157
Rule IDs
  • SV-79647r1_rule
Unauthorized changes to the baseline configuration could make the device vulnerable to various attacks or allow unauthorized access to the device. Changes to device configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the device. Examples of security responses include, but are not limited to the following: halting application processing; halting selected functions; or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. The appropriate automated security response may vary depending on the nature of the baseline configuration change, the role of the network device, the availability of organizational personnel to respond to alerts, etc.
Checks: C-65785r1_chk

This requirement may be verified by executing each configuration item modification event that requires tracking and then examining the audit log (the most recent entry will be at the bottom of the log). Using the DataPower Gateway web interface, the audit log event code for each configuration item modification event shown in the audit log must be confirmed to exist in the list of Trap Event Subscriptions in the SNMP notification settings: Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. If the code is not present, this is a finding.

Fix: F-71097r1_fix

Configure the DataPower Gateway to use an SNMP trap to send the log failure event to a properly configured SNMP server. In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Configure "Trap Event Subscriptions" to include Event Subscriptions that indicate unauthorized configuration changes. Configure "Trap and Notification Targets" to include an approved SNMP server that generates alerts that will be forwarded to organizational personnel when a modification to a configuration item has occurred.

b
The DataPower Gateway must enforce access restrictions associated with changes to device configuration.
CM-5 - Medium - CCI-001813 - V-65159 - SV-79649r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
WSDP-NM-000106
Vuln IDs
  • V-65159
Rule IDs
  • SV-79649r1_rule
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device can potentially have significant effects on the overall security of the device. Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Checks: C-65787r1_chk

In the DataPower web interface, navigate to Administration >> Access. Check User Account, User Group, and RBM settings to ensure that appropriate access restrictions are in place If the User Account, User Group, and RBM settings have not been configured, this is a finding.

Fix: F-71099r1_fix

Configure DataPower Gateway to restrict actions associated with device configuration. This is defined and enforced through group and user access privileges as well as DataPower's Role-based management settings. Configure these settings using the DataPower WebGUI at Administration >> Access.

b
The DataPower Gateway must audit the enforcement actions used to restrict access associated with changes to the device.
CM-5 - Medium - CCI-001814 - V-65161 - SV-79651r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001814
Version
WSDP-NM-000107
Vuln IDs
  • V-65161
Rule IDs
  • SV-79651r1_rule
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Checks: C-65789r1_chk

Confirm that the Audit log administrative state is "up". Using the web interface, go to Object >> Logging Configuration >> Audit Log Settings. Confirm that the Audit Level is set to Full. If it is not, this is a finding.

Fix: F-71101r1_fix

Configure the DataPower Gateway to log all enforcement action audit events to an external log target. Using the web interface, go to Objects >> Logging Configuration >> Log Target. Add an audit log target. View the Event Subscriptions tab to set audit log subscription Event Priority level.

b
The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.
IA-11 - Medium - CCI-002038 - V-65163 - SV-79653r1_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
WSDP-NM-000108
Vuln IDs
  • V-65163
Rule IDs
  • SV-79653r1_rule
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When devices provide the capability to change security roles, it is critical the user re-authenticate. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances. (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.
Checks: C-65791r1_chk

Go to Status >> Main >> Active Users and ensure that the user is not currently logged on. If the user is logged in, it is a finding.

Fix: F-71103r1_fix

After making any account privilege changes, administrator must go to Status >> Main >> Active Users and disconnect the user's current session if they are currently logged on.

c
The DataPower Gateway must use SNMPv3.
IA-3 - High - CCI-001967 - V-65165 - SV-79655r1_rule
RMF Control
IA-3
Severity
High
CCI
CCI-001967
Version
WSDP-NM-000112
Vuln IDs
  • V-65165
Rule IDs
  • SV-79655r1_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. For network device management, this has been determined to be network management device addresses, SNMP authentication, and NTP authentication.
Checks: C-65793r1_chk

For SNMP, go to Administration >> Access >> SNMP Settings. Ensure the SNMP v3 Security Level is set to Authenticate. If it is not, this is a finding.

Fix: F-71105r1_fix

The browser, SSH, and XML Management network interfaces are set to SSL/TLS and require authentication by default. For SNMP, go to Administration >> Access >> SNMP Settings. Set SNMP v3 Security Level to Authenticate. Create one or more new SNMPv3 users that employ Authentication (may be password or key). Network transport for SNMP uses TLS by default.

b
The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-65167 - SV-79657r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
WSDP-NM-000115
Vuln IDs
  • V-65167
Rule IDs
  • SV-79657r1_rule
Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.
Checks: C-65795r1_chk

Go to Administration >> Access >> RBM Settings. Click on the Authentication tab. Verify cache mode is set to absolute and set timeout value is set. If it is not, this is a finding.

Fix: F-71107r1_fix

Go to Administration >> Access >> RBM Settings. Click on the Authentication tab. Set cache mode to absolute and set timeout value as needed.

b
The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.
MA-4 - Medium - CCI-002890 - V-65169 - SV-79659r1_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002890
Version
WSDP-NM-000117
Vuln IDs
  • V-65169
Rule IDs
  • SV-79659r1_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.
Checks: C-65797r1_chk

Go to Network >> Management >> Telnet Service and ensure that no active Telnet configurations exist for device management. Other administrative interfaces (SSH, browser, XML Management) are run over secure protocols by default and cannot be changed. If Telnet configurations exist, this is a finding.

Fix: F-71109r1_fix

Go to Network >> Management >> Telnet Service and ensure that no active Telnet configurations exist for device management. Other administrative interfaces (SSH, browser, XML Management) are run over secure protocols by default and cannot be changed.

b
The DataPower Gateway must off-load audit records onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-65171 - SV-79661r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
WSDP-NM-000128
Vuln IDs
  • V-65171
Rule IDs
  • SV-79661r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-65799r1_chk

Go to Administration-Miscellaneous >> Manage Log Targets, Event Subscription Tab and check for acceptable configuration in the name and category fields. Go to the Main tab and check for the desired values in the protocol field. If no Log Targets are configured, this is a finding.

Fix: F-71111r1_fix

Use the CLI copy command. Syntax: copy -f sourceURL destinationURL -f is an optional switch that forces an unconditional copy. Example: xi52(config)# copy audit:audit-log sftp://test@xx.xx.x.xxx/LOGS/x/Week1.log. Or, go to Administration-Miscellaneous >> Manage Log Targets, Event Subscription Tab, provide a name, press Add, choose Category “audit”. Go to Main tab, choose protocol (NFS, SMTP, SNMP, File, etc.) and configure.

b
The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
CM-6 - Medium - CCI-000366 - V-65173 - SV-79663r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000131
Vuln IDs
  • V-65173
Rule IDs
  • SV-79663r1_rule
By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the network device. An example of a mechanism to facilitate this would be through the utilization of SNMP traps.
Checks: C-65801r1_chk

Go to Administration >> Access >> SNMP Settings. Verify the IP address, port, and security settings. Go to the Trap and Notification Targets tab. Verify the remote server/receiver information. If these values have not been set, this is a finding.

Fix: F-71113r1_fix

Go to Administration >> Access >> SNMP Settings. Configure the IP address, port, and security settings. Go to the Trap and Notification Targets tab. Enter the remote server/receiver information.

b
The DataPower Gateway must generate audit log events for a locally developed list of auditable events.
CM-6 - Medium - CCI-000366 - V-65175 - SV-79665r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000132
Vuln IDs
  • V-65175
Rule IDs
  • SV-79665r1_rule
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.
Checks: C-65803r1_chk

Go to Administration >> Miscellaneous >> Manage Log Targets. Verify the settings. If they are blank, this is a finding.

Fix: F-71115r1_fix

Go to Administration >> Miscellaneous >> Manage Log Targets. Click the log target or add one. Go to the Event Subscriptions tab and click on the event categories that are required to be audited.

b
The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.
CM-6 - Medium - CCI-000366 - V-65177 - SV-79667r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000134
Vuln IDs
  • V-65177
Rule IDs
  • SV-79667r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Checks: C-65805r1_chk

Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.

Fix: F-71117r1_fix

Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP connection as needed.

b
The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.
CM-6 - Medium - CCI-000366 - V-65179 - SV-79669r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000135
Vuln IDs
  • V-65179
Rule IDs
  • SV-79669r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Checks: C-65807r1_chk

Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.

Fix: F-71119r1_fix

Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP connection as needed.

b
The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings.
CM-6 - Medium - CCI-000366 - V-65181 - SV-79671r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000136
Vuln IDs
  • V-65181
Rule IDs
  • SV-79671r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Checks: C-65809r1_chk

Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.

Fix: F-71121r1_fix

Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP connection as needed. The connection will be verified.

b
The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
CM-6 - Medium - CCI-000366 - V-65183 - SV-79673r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000138
Vuln IDs
  • V-65183
Rule IDs
  • SV-79673r1_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-65811r1_chk

Go to Administration >> Main >> System Control. Verify Secure Backup. If it is not configured, this is a finding.

Fix: F-71123r1_fix

Go to Administration >> Main >> System Control and configure Secure Backup. Go to Administration >> Configuration >> Export Configuration to do the backup. This can be automated via external scripting or Scheduled Rule - XML Manager in default domain.

b
The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
CM-6 - Medium - CCI-000366 - V-65185 - SV-79675r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000140
Vuln IDs
  • V-65185
Rule IDs
  • SV-79675r1_rule
Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network device. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any network device compromise. Incident response teams can perform root cause analysis, determine how the exploit proliferated, and identify all affected nodes, as well as contain and eliminate the threat. The network device assists in the tracking of security incidents by logging detected security events. The audit log and network device application logs capture different types of events. The audit log tracks audit events occurring on the components of the network device. The application log tracks the results of the network device content filtering function. These logs must be aggregated into a centralized server and can be used as part of the organization's security incident tracking and analysis.
Checks: C-65813r1_chk

Go to Administration >> Miscellaneous >> Manage Log Targets. Verify the log target. If no log target exists, this is a finding.

Fix: F-71125r1_fix

Go to Administration >> Miscellaneous >> Manage Log Targets. Click the log target or add one. Go to the Event Subscriptions tab and click on the event categories that are required to be audited.

b
The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-65187 - SV-79677r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WSDP-NM-000141
Vuln IDs
  • V-65187
Rule IDs
  • SV-79677r1_rule
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-65815r1_chk

Go to Objects >> Crypto Configuration >> Crypto Certificate (for certs) or Crypto Key (for keys) to verify external keys/certs on the encrypted flash or FIPS 140-2 Level 3 HSM. If none exist, this is a finding.

Fix: F-71127r1_fix

Go to Objects >> Crypto Configuration >> Crypto Certificate (for certs) or Crypto Key (for keys) to upload external keys/certs to the encrypted flash or FIPS 140-2 Level 3 HSM.

b
The DataPower Gateway must not use 0.0.0.0 as the management IP address.
AC-4 - Medium - CCI-001368 - V-65189 - SV-79679r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
WSDP-NM-000143
Vuln IDs
  • V-65189
Rule IDs
  • SV-79679r1_rule
If 0.0.0.0 as the management IP address, the DataPower appliance will listen on all configured interfaces for management traffic. This can allow an attacker to gain privileged-level access from an untrusted network.
Checks: C-65817r1_chk

Using an administrator account, log on to the default domain of the appliance. Navigate to Network >> Management >> Web Management Service. View the Local Address field; if the value is “0.0.0.0”, this is a finding.

Fix: F-71129r1_fix

To configure the DataPower appliance for web management: Using an administrator account, log on to the default domain of the appliance. On the Configure Web Management Service screen, complete the required information. Set the Administrative state to “enabled”. For the Local Address, use the IP address from the management subnet assigned to the unit.