Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify the RiOS providing Signed SMB and Encrypted MAPI optimization services is configured to ensure the integrity and confidentiality of data transmitted over the WAN. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Windows Domain Auth Verify that a Domain is defined under "Kerberos" Navigate to Configure >> Optimization >> CIFS (SMB1). Verify that "Enable SMB Signing", "NTLM Delegation Mode", and "Enable Kerberos Authentication Support" are selected. Navigate to Configure >> Optimization >> SMB2/3. Verify that "Enable SMB2 and SMB3 Signing", "NTLM Delegation Mode", and "Enable Kerberos Authentication Support" are selected. Navigate to Configure >> Optimization >> MAPI. Verify that "Enable Encrypted Optimization", "NTLM Delegation Mode", and "Enable Kerberos Authentication Support" are selected. If any SMB Signing or Encrypted MAPI is selected and the status of "In Domain Mode, Status: In a Domain" is not displayed, this is a finding.
On the Server-Side SteelHead appliance Navigate to the device Management Console. Navigate to Configure >> Optimization >> Windows Domain Auth Under Kerberos select "Add a New User" Enter the "Active Directory Domain Name". Enter the UserID in "Domain Login:". Enter the User Account Password in "Password". Enter "Password Confirm" Select "Enable RODC Password Replication Policy" Enter the "Domain Controller Name(s):" or IP Addresses. Click "Add". Verify that "In Domain Mode, Status: In a Domain" is displayed on the page. Navigate to Configure >> Optimization >> CIFS (SMB1). Select "Enable SMB Signing" Select "NTLM Delegation Mode" Select "Enable Kerberos Authentication Support". Click "Apply" Navigate to Configure >> Optimization >> SMB2/3. Select "Enable SMB2 and SMB3 Signing" Select "NTLM Delegation Mode" Select "Enable Kerberos Authentication Support". Click "Apply". Navigate to Configure >> Optimization >> MAPI. Select "Enable Encrypted Optimization" Select "NTLM Delegation Mode" Select "Enable Kerberos Authentication Support". Click "Apply". Navigate to the top of the web page and click "Save" to save these setting permanently.
Inspect the architectural placement of the device. Verify the traffic from the device is directed to the firewall and IDS or IPS for inspection. If RiOS is not configured to ensure inbound and outbound traffic is forwarded to be inspected by the firewall and IDPS in compliance with remote access security policies, this is a finding.
Architecturally place the SteelHead device to avoid the need to open TCP ports in the firewall. The recommended best practice for this device is to install it at the perimeter in front of the perimeter router and direct and configure to direct traffic to the router. Thus, inbound and outbound traffic is forwarded to be inspected by the firewall and IDPS in compliance with remote access security policies.
Verify that RiOS providing TLS optimization services is configured to ensure end-to-end security and protect private keys from unauthorized access. Navigate to the device Management Console. Navigate to Configure >> Optimization >> SSL Main Settings. Verify that "Enable SSL Optimization" is checked. Verify that "SSL Server Certificates:" contains the certificates for SSL services that the organization wants to optimize. If "Enable SSL Optimization" is not checked or there are no "SSL Sever Certificates", this is a finding.
Configure RiOS providing TLS optimization services to provide end-to-end security and protection for private keys. Navigate to the device Management Console. Navigate to Configure >> Optimization >> SSL Main Settings. Navigate to SSL Server Certificates. Select "Add a New SSL Certificate". Select "Import Existing Private Key and CA-Signed Public Key". Select "Local File". Navigate to the certificate location on the management workstation and select the certificate for import. Click "Add". Navigate to "Enable SSL Optimization" and check the box. Click "Apply". Navigate to the top of the web page and click "Save" to save these setting permanently.
Verify that the Riverbed Optimization System (RiOS) is configured to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced. Verify that "Peer Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Client Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Server Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" If any of the above Ciphers contains strings or groups other than what is listed, this is a finding.
Configure the Riverbed Optimization System (RiOS) to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced Settings Select "Add a New Peer Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Client Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Server Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Navigate to the top of the web page and click "Save" to save these settings permanently.
Verify the Riverbed Optimization System (RiOS) is configured to support FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced. Verify that "Peer Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Client Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Server Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" If any of the above Ciphers contains strings or groups other than what is listed, this is a finding.
Configure the Riverbed Optimization System (RiOS) to support FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced Settings Select "Add a New Peer Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Client Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Server Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Navigate to the top of the web page and click "Save" to save these settings permanently.
Verify that the Riverbed Optimization System (RiOS) is configured to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced. Verify that "Peer Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Client Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Server Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" If any of the above Ciphers contains strings or groups other than what is listed, this is a finding.
Configure the Riverbed Optimization System (RiOS) to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced. Select "Add a New Peer Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Client Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Server Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Navigate to the top of the web page and click "Save" to save these settings permanently.
Verify that the Riverbed Optimization System (RiOS) is configured to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced. Verify that "Peer Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Client Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Server Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" If any of the above Ciphers contains strings or groups other than what is listed, this is a finding.
Configure the Riverbed Optimization System (RiOS) to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced Settings Select "Add a New Peer Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Client Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Server Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Navigate to the top of the web page and click "Save" to save these settings permanently.
If RiOS is installed on the SteelHead appliance, this is a finding. Inspect the services and applications that are installed on the host with the RiOS application suite. Ask the site representative if a security review using the applicable STIG has been performed on the operating system and applications that are co-hosted. If unrelated or unnecessary services are installed on the same host as the RiOS, this is a finding. If a security review using the applicable STIG has not been performed on the operating system and applications co-hosted on with the RiOS, this is a finding.
Disable or uninstall unrelated or unnecessary services from the host.
Verify that the Riverbed Optimization System (RiOS) is configured to disable unrelated or unneeded application proxy services. Obtain documentation for which applications are approved/disapproved for optimization by the organization. Navigate to the device Management Console Navigate to Optimize >> Optimization Verify that the approved or disapproved applications are enabled or disabled according to organization requirements. If optimization features are not enabled or disabled according to the organizations requirements, this is a finding.
Check to see if services other than the authorized services are enabled for optimization. Obtain documentation for which applications are approved/disapproved for optimization by the organization. Navigate to the device Management Console Navigate to Optimize >> Optimization Set the approved or disapproved applications to enabled or disabled according to organization requirements.
Verify that the Riverbed Optimization System (RiOS) is configured to disable unrelated or unneeded application proxy services. Obtain documentation for which applications are approved/disapproved for optimization by the organization. Navigate to the device Management Console Navigate to Optimize >> Optimization Verify that the approved or disapproved applications are enabled or disabled according to organization requirements. If optimization features are not enabled or disabled according to the organizations requirements, this is a finding.
Check to see if services other than the authorized services are enabled for optimization. Obtain documentation for which applications are approved/disapproved for optimization by the organization. Navigate to the device Management Console Navigate to Optimize >> Optimization Set the approved or disapproved applications to enabled or disabled according to organization requirements.
Verify that RiOS is configured to validate certificates used for TLS functions by performing certificate path validation. Navigate to the device Management Console. Navigate to Configure >> Optimization >> CRL Management. Verify that "Enable Automatic CRL Polling For CAs" and "Enable Automatic CRL Polling For Peering CAs" is checked. If "Enable Automatic CRL Polling For CAs" and/or "Enable Automatic CRL Polling For Peering CAs" is not set, this is a finding.
Configure RiOS to validate certificates used for TLS functions by performing certificate path validation. Navigate to the device Management Console. Navigate to Configure >> Optimization >> CRL Management. Set the checkbox for "Enable Automatic CRL Polling For CAs". Set the checkbox for "Enable Automatic CRL Polling For Peering CAs". Click "Apply". Navigate to the top of the web page and click "Save".
Verify that the Riverbed Optimization System (RiOS) is configured to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced. Verify that "Peer Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Client Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Verify that "Server Ciphers:" "Rank 1" contains the following string: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" If any of the above Ciphers contains strings or groups other than what is listed, this is a finding.
Configure the Riverbed Optimization System (RiOS) to support TLS version 1.1 as a minimum and preferably TLS version 1.2. Navigate to the device Management Console. Navigate to Configure >> Optimization >> Advanced Settings Select "Add a New Peer Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Client Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Select "Add a New Server Cipher". Scroll down options list until the following is reached: "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL" Select that string and a "Rank" of "2". Click "Add". Select "Rank 1" "Default" Cipher String. Click "Remove Selected". Navigate to the top of the web page and click "Save" to save these settings permanently.