View STIG - Symantec Edge SWG NDM Security Technical Implementation Guide V1R2

c

The Edge SWG must be configured to use FIPS mode.

CM-7 - High - CCI-000382 - V-279248 - SV-279248r1170510_rule

RMF Control

CM-7

Severity

High

CCI

CCI-000382

Version

SYME-ND-000100

Vuln IDs

V-279248

Rule IDs

SV-279248r1170510_rule

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved. Satisfies: SRG-APP-000142-NDM-000245, SRG-APP-000179-NDM-000265, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331

Checks: C-83798r1170508_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". If "FIPS mode" is not shown next to "!- Version: SGOS 7.4.x.x SWG Edition" this is a finding.

Fix: F-83703r1170509_fix

Note: This will wipe all configurations, so it is imperative to do this configuration before any other. 1. Log in to the Edge SWG SSH CLI. 2. Enter "fips-mode enable". Note: This will disable all disallowed ports and protocols for management like SNMPv2c/1 and HTTP. 3. Once warnings are accepted, the system will reboot.

c

The Edge SWG must be configured to use tlsv1.2 or greater.

IA-5 - High - CCI-000197 - V-279249 - SV-279249r1170513_rule

RMF Control

IA-5

Severity

High

CCI

CCI-000197

Version

SYME-ND-000110

Vuln IDs

V-279249

Rule IDs

SV-279249r1170513_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.

Checks: C-83799r1170511_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "management-services". 4. Enter "edit https-console". 5. Enter "view". If the "SSL Protocol version" does not equal both "tlsv1.2" and "tlsv1.3", this is a finding.

Fix: F-83704r1170512_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "management-services". 4. Enter "edit https-console". 5. Enter "attribute ssl-versions tlsv1.2 tlsv1.3".

c

The Edge SWG must be configured to assign appropriate user roles or access levels to authenticated users.

AC-3 - High - CCI-000213 - V-279250 - SV-279250r1170680_rule

RMF Control

AC-3

Severity

High

CCI

CCI-000213

Version

SYME-ND-000170

Vuln IDs

V-279250

Rule IDs

SV-279250r1170680_rule

Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group. Network devices that rely on AAA brokers for authentication and authorization services may need to identify the available security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000340-NDM-000288, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000516-NDM-000335

Checks: C-83800r1170678_chk

In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM). Under the layers, if an "Admin Access" layer is not configured, this is a finding. If an "Admin Access" layer is configured, for HTTPS-console, verify the group is derived from the CAC/LDAPS admin group; otherwise, this is a finding. For the SSH-console, verify the group is derived from the LDAPS admin group; otherwise, this is a finding.

Fix: F-83705r1170679_fix

1. In the Edge SWG Web UI, navigate to the VPM. 2. Click "Add Layer". 3. Scroll down and select "Admin Access", then click "Add". 4. Locate the Admin Access Layer (1) layer that was added and click "Add rule". 5. Inside of the rule, under "Source", left-click and select "Set". 6. Click "Add new Object". 7. Select "Group". 8. Under the group field, type in the full LDAPS Distinguished Name (DN) for the admin group. For example: "CN=roadcom.admins.gsg,OU=BROADCOM,OU=Vendors, DC=dod,DC=local" 9. Under the "Authentication Realm", select the "CAC certificate" realm. 10. Click "Apply", then click "Set". 11. In the same rule, left-click in the "Service" field and click "Set". 12. Select "Service Name: HTTPS-console" and click "Set". 13. In the same rule, left-click in the "Action" field and click "Set". 14. Select the action "Allow Read/Write Access" and click "Set". 15. Repeat these steps to add various read-only or read-write groups for the HTTPS-console. 16. For the SSH-Console click "Add rule". 17. Inside of the rule, under "Source", left-click and select "Set". 18. Click "Add new Object". 19. Select "Group". 20. Under the "Group" field, type in the full LDAPS Distinguished Name (DN) for the admin group. For example: CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors, DC=dod,DC=local 21. Under the "Authentication Realm", select the "LDAPS" realm. Do not select the CAC certificate realm. 22. Click "Apply", then click "Set". 23. In the same rule, left-click in the "Service" field and click "Set". 24. Select "Service Name: SSH-console", and then click "Set". 25. In the same rule, left-click in the "Action" field and click "Set". 26. Select the action "Allow Read/Write Access" and click "Set". 27. Repeat these steps to add various read-only or read-write groups for the SSH-console.

c

The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

AU-10 - High - CCI-000166 - V-279251 - SV-279251r1192886_rule

RMF Control

AU-10

Severity

High

CCI

CCI-000166

Version

SYME-ND-000190

Vuln IDs

V-279251

Rule IDs

SV-279251r1192886_rule

Before continuing, the site must follow the configuration steps in SYME-ND-000100. Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000080-NDM-000220, SRG-APP-000516-NDM-000336, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000131-NDM-000243, SRG-APP-000133-NDM-000244, SRG-APP-000156-NDM-000250, SRG-APP-000231-NDM-000271, SRG-APP-000329-NDM-000287, SRG-APP-000408-NDM-000314, SRG-APP-000149-NDM-000247, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180

Checks: C-83801r1170681_chk

1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Go to Services >> Management Services. 3. Click "Edit" next to HTTPS-console. Under the "Service Settings", if "Verify Client" is not checked, this is a finding. Under the "Authentication" section under "Configuration and Realms and Domains", if a Certificate Realm is not configured and set with a valid LDAP authorization realm this is a finding. In the Edge SWG Web UI, navigate to the VPM. If an Admin Access layer is configured for HTTPS-console, verify the group is derived from the CAC/LDAPS admin group; otherwise, this is a finding. For the SSH-console, verify the group is derived from the LDAPS admin group; otherwise, this is a finding. 1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "ssh-console" and then "x509-auth". 4. Enter "view". If "x509 certificate authentication" states "disabled", this is a finding.

Fix: F-83706r1192885_fix

In the Edge SWG Web UI, navigate to the Configuration tab. 1. Under the "Authentication" section under "Configuration and Realms and Domains", click "Add Realm and LDAP". 2. Add a name. 3. Under "Primary Server", enter the fully qualified domain name (FDQN) of the LDAPS primary domain controller (e.g., dc1.dod.mil), then enter the port number, e.g., 636. 4. Click "Enable SSL". 5. Select the SSL device profile created in SYME-ND-000800. 6. Under "User attribute Type": userPrincipalName. 7. Click "Add DN". 8. Enter the path of the domain (e.g., dc=dod,dc=mil). 9. Click "Show" under "Advanced Settings". 10. Click "Use the same refresh time for all" and set the refresh time to 10 seconds. 11. Set the Inactivity Timeout to 600 seconds. 12. Select "Local" for Group Comparison. 13. Under Alternate Server, type the secondary LDAPS domain controller (e.g., dc2.dod.mil), then enter the port number, e.g., 636. 14. Under "Search", click "only Authorized" and add the search user and password (i.e., the LDAPS service account) in DN format (e.g., CN=broadcom_svc,OU=BROADCOM,DC=dod,DC=mil) 15. Under "Groups" select "user" for membership type and attribute as member of. 16. Under "Object Classes" ensure "container" is selected. 17. Click the "test Configuration" to ensure all configuration has been entered correctly. In the Edge SWG Web UI, navigate to the Configuration tab. 1. Under the Authentication section under "Configuration and Realms and Domains", click "Add Realm and Certificate". 2. Make the name: "CAC" 3. Under username enter: $(SubjectAltName.OtherName) 4. Under full username enter: $(SubjectAltName.OtherName.1) 5. Ensure "Authorization Realm" is checked and the previous LDAPS realm is selected. 6. Under "Authorization Username", select "Determined by Search". 7. Ensure the LDAPS search realm is selected. 8. Enter the following in the search filter: (userPrincipalName=$(cs-username)) and ensure the user attribute "Use FQDN" is selected. 9. Click "Show" advanced settings. 10. Ensure "Use persistent cookies" and "Verify the IP address in the cookie" are not checked. In the Edge SWG Web UI, navigate to the Configuration tab. 1. Under "Services", click "Proxy Services". 2. Click "Add Service". 3. Name the service "CAC-MC-Notify". 4. Under "Proxy type", select "HTTPS Reverse Proxy". 5. Under "Key Ring and CCL", use those created under SYME-ND-000800. 6. Ensure SSL version is TLS 1.2 or 1.3 only. 7. Under "Listeners", add the management IPv4 address intercepting on port 444. 8. Under "Listeners", add the management IPv6 address intercepting on port 444. In the Edge SWG Web UI, navigate to the VPM. 1. Go to the Symantec web portal to download the CPL text file called "AdminLoginBanner.txt", which will be used at https://knowledge.broadcom.com/external/article/388134. 2. Click "Add Layer". 3. Select "CPL". 4. Download the exact CPL file hosted on the Symantec website. 5. Click "Apply Policy" and ensure it loaded correctly. Go back to the main portion of the VPM. 1. Click "Add Layer". 2. Scroll down and select "Admin Access", then click "Add". 3. Locate the Admin Access Layer (1) that was added and click "Add rule". 4. Inside of the rule, under "Source", left-click and select "Set". 5. Click "Add new Object". 6. Select "Group". 7. Under "Group" type in the full LDAPS full Distinguished Name (DN) for the admin group. e.g., CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors,DC=dod,DC=local 8. Under the "Authentication Realm", select the "CAC Certificate Realm". 9. Click "Apply", then click "Set". 10. In the same rule, left-click in the "Service" field and click "Set". 11. Select Service Name: HTTPS-console and click "Set". 12. In the same rule, left-click in the "Action" field and click "Set". 13. Select the action "Allow Read/Write Access" and click "Set". 14. Repeat these steps to add various read-only or read-write groups for the HTTPS-console. 15. For the SSH-Console click "Add rule". 16. Inside of the rule, under "Source", left-click and select "Set". 17. Click "Add new Object". 18. Select "Group". 19. Under the "Group" field type in the full LDAPS full Distinguished Name (DN) for the admin group. e.g., CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors,DC=dod,DC=local 20. Under the "Authentication Realm", select the "LDAPS" realm; do not select the CAC certificate realm. 21. Click "Apply", then click "Set". 22. In the same rule, left-click in the "Service" field and click "Set". 23. Select "Service Name: SSH-console" and click "Set". 24. In the same rule, left-click in the "Action" field and click "Set". 25. Select the action "Allow Read/Write Access" and click "Set". 26. Repeat these steps to add various read-only or read-write groups for the SSH-console. 27. Click "Apply Policy" and ensure it loaded correctly. In the Edge SWG Web UI, navigate to the Configuration tab. 1. Under "Services", click "Management Services". 2. Click to edit the HTTPS-Console. 3. Ensure the keyring and CCL are those created in SYME-ND-000800. 4. Check "Verify Client" and select "Apply then save". 5. Close, then re-open the browser, then go to the URL associated with the login banner, https://proxy.dod.mil:444. 6. Once the login banner is presented, click "Accept". 7. Select the CAC certificate. Provide the PIN. The user must be authenticated. Note: If it is unsuccessful, it is possible the LDAPS credential is not valid, the group does not match, or there is an OCSP revocation issue.

c

The Edge SWG must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

AC-2 - High - CCI-001403 - V-279252 - SV-279252r1170685_rule

RMF Control

AC-2

Severity

High

CCI

CCI-001403

Version

SYME-ND-000410

Vuln IDs

V-279252

Rule IDs

SV-279252r1170685_rule

Before continuing, the site must follow the configuration steps under SYME-ND-000800. The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. Satisfies: SRG-APP-000027-NDM-000209, SRG-APP-000026-NDM-000208, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000381-NDM-000305, SRG-APP-000515-NDM-000325, SRG-APP-000516-NDM-000350, SRG-APP-000795-NDM-000130

Checks: C-83802r1170683_chk

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "Logging" and "Event Logging" areas. 3. Scroll down to the "Syslog Loghosts". If a syslog server hostname/IP address is not configured, this is a finding. If the syslog loghost is configured but is not using the TLS protocol, this is a finding. 4. Scroll down to the "Default Notification" section, under "Syslog". If it is not "Enabled" and set to "all messages", this is a finding.

Fix: F-83707r1170684_fix

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "Logging" and "Event Logging" areas. Note: This section sets the "SSL Keyring", which is needed for the "SSL Device Profile". Once the SSL Device Profile has been created properly, scroll down to the "Syslog Loghosts". 3. Click "Add loghost". 4. Click "TLS". 5. Enter the fully qualified domain name of the log server. 6. Enter the port, by default TLS syslog is 6514. 7. Under "SSL Device Profile" select the profile associated with the DOD PKI certificate and key created previously. 8. Click "Add". 9. Scroll down to "Default Notifications", ensure "Syslog" is set to "Enabled", and the "Level" is "All Messages". 10. On the syslog server, ensure the server is receiving the messages and troubleshoot any TLS-related communications issues.

b

The Edge SWG must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.

AC-7 - Medium - CCI-000044 - V-279253 - SV-279253r1170687_rule

RMF Control

AC-7

Severity

Medium

CCI

CCI-000044

Version

SYME-ND-000500

Vuln IDs

V-279253

Rule IDs

SV-279253r1170687_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

Checks: C-83803r1170686_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "security local-user-list edit local", then type "view". If "Max failed attempts" under "Account lockout" does not equal "3", this is finding. If "Lockout duration" under "Account lockout" does not equal "900 seconds", this is a finding.

Fix: F-83708r1170522_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "security local-user-list create local". 4. Enter "security local-user-list edit local". 5. Enter "max-failed-attempts 3". 6. Enter "lockout-duration 900". 7. Enter "reset-interval 900".

b

The Edge SWG must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.

AC-8 - Medium - CCI-000048 - V-279254 - SV-279254r1170689_rule

RMF Control

AC-8

Severity

Medium

CCI

CCI-000048

Version

SYME-ND-000510

Vuln IDs

V-279254

Rule IDs

SV-279254r1170689_rule

Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. Satisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216

Checks: C-83804r1170524_chk

1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Go to "Services" then "Proxy Services". If there is no "HTTP Reverse Proxy" service named "CAC-MC-Notify" this is a finding. 1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "show ssh-console pre-authentication-terms". If there is no text, or the text is not the following, this is a finding: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS),you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communication and work product are private and confidential. See User Agreement for details". 4. Enter "serial-console". 5. Enter "view pre-authentication-terms". If there is no text or the text is not the following, this is a finding: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS),you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communication and work product are private and confidential. See User Agreement for details".

Fix: F-83709r1170688_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "serial-console". 4. Enter "inline pre-authentication-terms ~", then press enter. 5. Paste the exact required text below along with the EOF marker of ~: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communication and work product are private and confidential. See User Agreement for details. ~ 6. Enter "exit". 7. Enter "ssh-console". 8. Enter "inline pre-authentication-terms ~". 9. Paste the exact DOD required text below along with the EOF marker of ~: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communication and work product are private and confidential. See User Agreement for details. ~ Note: To add the required login banner for the HTTPS-console, the complete required fix detailed in SYME-ND-000190 must first be implemented.

b

The Edge SWG must produce audit records containing information to establish when (date and time) the events occurred.

AU-3 - Medium - CCI-000131 - V-279255 - SV-279255r1170692_rule

RMF Control

AU-3

Severity

Medium

CCI

CCI-000131

Version

SYME-ND-000530

Vuln IDs

V-279255

Rule IDs

SV-279255r1170692_rule

It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done to compile an accurate risk assessment. Logging the date and time of each detected event provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. To establish and correlate the series of events leading up to an outage or attack, it is imperative that the date and time are recorded in all log records. Satisfies: SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000343-NDM-000289, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000516-NDM-000334, SRG-APP-000319-NDM-000283, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321

Checks: C-83805r1170690_chk

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "Logging" and "Event Logging" areas. 3. Scroll down to the "Syslog Loghosts". If a syslog server hostname/IP address is not configured, this is a finding. If the syslog loghost is configured but is not using the TLS protocol, this is a finding. 4. Scroll down to the "Default Notification" section. If "Syslog" is not "Enabled" and set to "all messages", this is a finding.

Fix: F-83710r1170691_fix

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "Logging" and "Event Logging" areas. Note: This section sets the "SSL Keyring", which is needed for the "SSL Device Profile". 3. Once the SSL Device Profile has been created properly, scroll down to the "Syslog Loghosts". 4. Click "Add loghost". 5. Click "TLS". 6. Enter the fully qualified domain name of the log server. 7. Enter the port, by default TLS syslog is 6514. 8. Under "SSL Device Profile", select the profile associated with the DOD PKI certificate and key created previously. 9. Click "Add". 10. Scroll down to "Default Notifications". Ensure that "Syslog" is set to "Enabled" and the "Level" is "All Messages". 11. On the syslog server, ensure the server is receiving the messages and troubleshoot any TLS-related communications issues.

b

The Edge SWG must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.

AC-2 - Medium - CCI-001358 - V-279256 - SV-279256r1170694_rule

RMF Control

AC-2

Severity

Medium

CCI

CCI-001358

Version

SYME-ND-000590

Vuln IDs

V-279256

Rule IDs

SV-279256r1170694_rule

Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.

Checks: C-83806r1170693_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "show security local-user-list". If any user exists in either the "local_user_database" or "local" list, this is a finding. Note: The admin user is not included in either list as it is the emergency account of last resort.

Fix: F-83711r1170531_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "security local-user-list edit local". 4. To delete any local user, type "user delete <username> force". 5. Enter "view" to show any other users that may remain.

b

The Edge SWG must enforce a minimum 15-character password length.

- Medium - CCI-004066 - V-279257 - SV-279257r1170535_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000600

Vuln IDs

V-279257

Rule IDs

SV-279257r1170535_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.

Checks: C-83807r1170533_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy min-length" is not set to "15", this is a finding.

Fix: F-83712r1170534_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy min-length 15". 4. Enter "security password-policy min-groups 4".

b

The Edge SWG must enforce password complexity by requiring at least one uppercase character be used.

- Medium - CCI-004066 - V-279258 - SV-279258r1170538_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000610

Vuln IDs

V-279258

Rule IDs

SV-279258r1170538_rule

Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-83808r1170536_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy min-uppercase" is not set to "1", this is a finding.

Fix: F-83713r1170537_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy min-uppercase 1". 4. Enter "security password-policy min-groups 4".

b

The Edge SWG must enforce a 60-day password lifetime.

- Medium - CCI-004066 - V-279259 - SV-279259r1170541_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000615

Vuln IDs

V-279259

Rule IDs

SV-279259r1170541_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-83809r1170539_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security local-user-list edit local". 4. Enter "view". If the "Password expiration:" and "Max password age:" do not state "60 days", this is a finding.

Fix: F-83714r1170540_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security local-user-list edit local". 4. Enter "max-password-age 60".

b

The Edge SWG must enforce password complexity by requiring at least one lowercase character be used.

- Medium - CCI-004066 - V-279260 - SV-279260r1170544_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000620

Vuln IDs

V-279260

Rule IDs

SV-279260r1170544_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-83810r1170542_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy min-lowercase" is not set to "1", this is a finding.

Fix: F-83715r1170543_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy min-lowercase 1". 4. Enter "security password-policy min-groups 4".

b

The Edge SWG must enforce password complexity by requiring at least one numeric character be used.

- Medium - CCI-004066 - V-279261 - SV-279261r1170547_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000630

Vuln IDs

V-279261

Rule IDs

SV-279261r1170547_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-83811r1170545_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy min-digits" is not set to "1", this is a finding.

Fix: F-83716r1170546_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy min-digits 1". 4. Enter "security password-policy min-groups 4".

b

The Edge SWG must enforce password complexity by requiring at least one special character be used.

- Medium - CCI-004066 - V-279262 - SV-279262r1170550_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000640

Vuln IDs

V-279262

Rule IDs

SV-279262r1170550_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-83812r1170548_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy min-special" is not set to "1", this is a finding.

Fix: F-83717r1170549_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy min-special 1". 4. Enter "security password-policy min-groups 4".

b

The Edge SWG must require that when a password is changed, the characters are changed in at least eight of the positions within the password.

- Medium - CCI-004066 - V-279263 - SV-279263r1170553_rule

RMF Control

Severity

Medium

CCI

CCI-004066

Version

SYME-ND-000650

Vuln IDs

V-279263

Rule IDs

SV-279263r1170553_rule

If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-83813r1170551_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy min-changes" is not set to "8", this is a finding.

Fix: F-83718r1170552_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy min-changes 8". 4. Enter "security password-policy min-groups 4".

c

The Edge SWG must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.

SC-10 - High - CCI-001133 - V-279264 - SV-279264r1172802_rule

RMF Control

SC-10

Severity

High

CCI

CCI-001133

Version

SYME-ND-000660

Vuln IDs

V-279264

Rule IDs

SV-279264r1172802_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-83814r1172801_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show security". Under "Account", if "CLI session timeout" does not say "5 minutes", this is a finding. Under "Account", if "Web interface session timeout" does not say "5 minutes", this is a finding.

Fix: F-83719r1170555_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security management web-timeout 5". 4. Enter "security management cli-timeout 5".

b

The Edge SWG must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AU-4 - Medium - CCI-001849 - V-279265 - SV-279265r1170559_rule

RMF Control

AU-4

Severity

Medium

CCI

CCI-001849

Version

SYME-ND-000680

Vuln IDs

V-279265

Rule IDs

SV-279265r1170559_rule

Network devices must be able to allocate audit record storage capacity to ensure sufficient storage capacity in which to write the audit logs. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.

Checks: C-83815r1170557_chk

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "Logging" and "Event Logging" areas. Scroll down to the "General Settings" section. If "Limit Event Log File Size" is not enabled and set to a site's defined number or 101 MB, this is a finding.

Fix: F-83720r1170558_fix

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "Logging" and "Event Logging" areas. 3. Scroll down to the "General Settings" section. 4. Enable the settings and set the "Limit Event Log File Size" to at least 101 MB or a site-defined number.

b

The Edge SWG must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

AU-5 - Medium - CCI-001858 - V-279266 - SV-279266r1170696_rule

RMF Control

AU-5

Severity

Medium

CCI

CCI-001858

Version

SYME-ND-000690

Vuln IDs

V-279266

Rule IDs

SV-279266r1170696_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-83816r1170695_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show event-log notifications". Under "Account", if "Syslog" does not say "Enabled state: enabled", this is a finding. Under "Account", if "Syslog" does not say "Event level: verbose", this is a finding.

Fix: F-83721r1170561_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "event-log". 4. Enter "notifications". 5. Enter "default syslog enable". 6. Enter "default syslog level verbose".

b

The Edge SWG must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

IA-3 - Medium - CCI-001967 - V-279268 - SV-279268r1170603_rule

RMF Control

IA-3

Severity

Medium

CCI

CCI-001967

Version

SYME-ND-000710

Vuln IDs

V-279268

Rule IDs

SV-279268r1170603_rule

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Checks: C-83818r1170601_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show snmp". If the line for SNMPv1 and SNMPv2c does not say "disabled", this is a finding. Below is an example of what the line will look in a correct state: "SNMPv1 is disabled. SNMPv2c is disabled."

Fix: F-83723r1170602_fix

1. In the Edge SWG Web UI, navigate to the Administration tab. 2. Select the "SNMP" and "SNMP" areas. 3. Under "V3 Users", click "Add User". 4. Enter the username. 5. Select "SHA" for authentication and type a passphrase. 6. Select AES and type a passphrase. 7. Under "V3 Traps and Informs", add a trap destination if applicable. 1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Select the "Services" and "Management Services" areas. 3. Enable SNMP, add the listener for both IPv4 and IPv6. 1. In the Edge SWG Web UI, navigate to the Visual Policy Manager. Note: Ensure the Admin Access Layer was created before moving on to this step. 2. Under the "Admin Access Layer", click "Add Rule". 3. Under "Source", select "Any". 4. Under "Service", select "Service Name: SNMP". 5. Under "Action", select "Allow Read-only Access". 6. Apply the policy.

b

The Edge SWG must authenticate Network Time Protocol sources using authentication that is cryptographically based.

IA-3 - Medium - CCI-001967 - V-279269 - SV-279269r1170698_rule

RMF Control

IA-3

Severity

Medium

CCI

CCI-001967

Version

SYME-ND-000720

Vuln IDs

V-279269

Rule IDs

SV-279269r1170698_rule

If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source. Satisfies: SRG-APP-000395-NDM-000347, SRG-APP-000920-NDM-000320, SRG-APP-000925-NDM-000330

Checks: C-83819r1170697_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "show ntp". If NTP is not enabled, this is a finding. If there are not two NTP servers in use, this is a finding. If the two NTP servers are not using SHA1 preshared keys for authentication, this is a finding.

Fix: F-83724r1170567_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "ntp enable". 4. Enter "ntp server <NTP SERVER IP/HOSTNAME> <KEY ID> sha1". Note: The key ID must be a number and match the NTP server. 5. When prompted with "key:", enter the hexadecimal SHA preshared key. 6. Repeat these steps for the site's second NTP server.

b

The Edge SWG must prohibit the use of cached authenticators after an organization-defined time period.

IA-5 - Medium - CCI-002007 - V-279270 - SV-279270r1170571_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-002007

Version

SYME-ND-000730

Vuln IDs

V-279270

Rule IDs

SV-279270r1170571_rule

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Checks: C-83820r1170569_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show realms". If under LDAP Realm the "Authorization refresh", "Credentials refresh", and "Surrogates refresh" are not set to 10 seconds, or what the site requires, this is a finding.

Fix: F-83725r1170570_fix

1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Select the "Authentication" and "Realms and Domains" areas. 3. Select the previously configured LDAP domain. 4. Click "Show" for "Advanced Settings". 5. Check "Use the same refresh time for all". 6. Under "Credential refresh time", add 10 seconds, or whatever the site requires.

b

The Edge SWG must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

SC-5 - Medium - CCI-002385 - V-279271 - SV-279271r1170700_rule

RMF Control

SC-5

Severity

Medium

CCI

CCI-002385

Version

SYME-ND-000740

Vuln IDs

V-279271

Rule IDs

SV-279271r1170700_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. The security safeguards cannot be defined at the DOD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).

Checks: C-83821r1170699_chk

1. In the Edge SWG Web UI and navigate to the Configuration tab. 2. Go to "Authentication" and "Console Access". If under "Console Access" there is no configured ACL, this is a finding. If there is a configured ACL, but "Enforce ACL for built-in administrators" is not checked, this is a finding. 1. Log in to the Edge SWG SSH CLI. 2. Enter "show security". If under "Account" "CLI session timeout" does not say "5 minutes", this is a finding. If under "Account" "Web interface session timeout" does not say "5 minutes", this is a finding. 1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "security local-user-list edit local", then type "view". If "Max failed attempts" under "Account lockout" does not equal "3", this is a finding. If "Lockout duration" under "Account lockout" does not equal "900 seconds", this is a finding.

Fix: F-83726r1170573_fix

1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Go to "Authentication" and "Console Access". 3. Under "Console Access", click "Add ACL Entry". 4. In the open block, add the IPv4 or IPv6 source address or network under "Source Address", then add the subnet mask or CIDR prefix under "Prefix Length" (e.g., 2001:db8:1:: and 48). 5. Click "Apply" next to the entry. 6. Repeat the above steps by adding all the allowed management prefixes. Note: Ensure the subnet is in one of the allowed IPv4 or IPv6 subnets or the session will be disconnected after clicking "Save". 7. Once completed, click "Save". To add the timeouts: 1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security management web-timeout 5". 4. Enter "security management cli-timeout 5". To add lockout configurations: 1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "security local-user-list create local". 4. Enter "security local-user-list edit local". 5. Enter "max-failed-attempts 3". 6. Enter "lockout-duration 900". 7. Enter "reset-interval 900".

b

The Edge SWG must be configured to conduct backups of system-level information contained in the information system when changes occur.

CM-6 - Medium - CCI-000366 - V-279272 - SV-279272r1172804_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

SYME-ND-000780

Vuln IDs

V-279272

Rule IDs

SV-279272r1172804_rule

System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service (DoS) condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups. Satisfies: SRG-APP-000516-NDM-000340, SRG-APP-000516-NDM-000341

Checks: C-83822r1170701_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show archive-configuration". If no server is configured, this is a finding. If "Automatic upload" is not set to "Enabled", this is a finding. If "Upload interval" is not set for "every 10080 minutes", this is a finding.

Fix: F-83727r1172803_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "archive-configuration archive-signing enforce-signed enable". 4. Enter "archive-configuration automatic-upload". 5. Enter "archive-configuration host" and add the IP address or hostname of the site's SCP backup server. 6. Enter "archive-configuration username" and add the username of the site's SCP backup server. 7. Enter "archive-configuration password" and add the site's password of the site's SCP backup server. 8. Enter "archive-configuration path" and add the site's backup server path (e.g., /home/tachyon-ftp/files/broadcom/). 9. Enter "archive-configuration filename-prefix SG_%l_%Y%m%d%H%M". 10. Enter "archive-configuration periodic-upload minutes 10080". 11. Enter "archive-configuration protocol scp". 12. Enter "archive-configuration scp-authentication password". 13. Enter "archive-configuration ssl-device-profile" and add the "SSL Device Profile" in use for the HTTPS-console and x509 authentication.

b

The Edge SWG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.

CM-6 - Medium - CCI-000366 - V-279273 - SV-279273r1170704_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

SYME-ND-000800

Vuln IDs

V-279273

Rule IDs

SV-279273r1170704_rule

Before continuing, the site must follow the configuration steps in SYME-ND-000100. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice. Satisfies: SRG-APP-000516-NDM-000344, SRG-APP-000910-NDM-000300

Checks: C-83823r1170703_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Issue the command "ssl", then issue the command "view keyring". 4. Find the keyrings that state: "FIPS compliant: yes". 1. Log in to the Edge SWG Web UI. 2. Navigate to the Configuration tab. 3. Click the SSL, and then keyrings section. If the keyring in use was not FIPS compliant from step #3 above, this is a finding. Click the keyring in use. If the certificate in the keyring was not issued by a DOD certificate authority this is a finding.

Fix: F-83728r1170579_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "ssl". 4. Enter "create fips keyring show fips-keyring 2048". The "fips-keyring" name can be changed to whatever the site wants to use. 5. Enter "create signing-request fips-keyring". 6. Enter "view signing-request fips-keyring". Copy the signing request PEM data and provide it to the CA for certificate issuance. 7. Once the DOD CA issues/signs the certificate for the keyring type "inline certificate fips-keyring ~", paste the raw certificate data into a text editor, then press enter. Ensure the "~" is present at the end of the inserted text. 8. For each LDAP server, CA certificate, and CAC authentication CA certificate, issue the following command: "inline fips ca-certificate DODCA1 ~". Ensure the ~ is entered at the end of the certificate data paste. Note: DODCA1 is used as an example. 9. Repeat the "inline fips ca-certificate" command for all CA certificates in use for LDAPS and CAC authentication. 10. Create a new FIPS-enabled CCL by entering: "create fips ccl fips-ccl". The fips-ccl name can be changed to whatever the site wants to use. 11. Enter "edit ccl fips-ccl". 12. Enter "add", then enter all the CAs added in all previous steps. 13. Create an SSL device profile by entering: "create fips ssl-device-profile fips-profile fips-keyring". The "fips-profile" name can be changed to whatever the site wants to use.

b

The Edge SWG must limit the number of concurrent management sessions to a maximum of three.

AC-10 - Medium - CCI-000054 - V-279274 - SV-279274r1172805_rule

RMF Control

AC-10

Severity

Medium

CCI

CCI-000054

Version

SYME-ND-000810

Vuln IDs

V-279274

Rule IDs

SV-279274r1172805_rule

Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.

Checks: C-83824r1170705_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show security". If under "Account", "Maximum number of administrative sessions allowed per user" does not say "3" or less, this is a finding.

Fix: F-83729r1170706_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security management max-user-sessions 3" or less.

c

The Edge SWG must be running an operating system release that is currently supported by the vendor.

CM-6 - High - CCI-000366 - V-279275 - SV-279275r1170586_rule

RMF Control

CM-6

Severity

High

CCI

CCI-000366

Version

SYME-ND-000820

Vuln IDs

V-279275

Rule IDs

SV-279275r1170586_rule

Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Satisfies: SRG-APP-000516-NDM-000351, SRG-APP-000457-NDM-000352

Checks: C-83825r1170584_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show version". If this version is not the same as the latest supported image showing on the Broadcom support site: https://support.broadcom.com/group/ecx/products, this is a finding.

Fix: F-83730r1170585_fix

1. Log in to the Broadcom Symantec Support Portal: https://support.broadcom.com/group/ecx/products. 2. Click "My Downloads". 3. Select "Cyber Security Software". 4. Search for "ISG Proxy" for the software downloads specific to Edge SWG (proxy) on ISG. 5. Expand the ISG Proxy, then scroll down for the builds. 6. Select the release to be downloaded (using 7.4.7.2 as an example) to be directed to the page containing the builds.

b

The Edge SWG must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.

- Medium - CCI-004064 - V-279276 - SV-279276r1170589_rule

RMF Control

Severity

Medium

CCI

CCI-004064

Version

SYME-ND-000850

Vuln IDs

V-279276

Rule IDs

SV-279276r1170589_rule

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

Checks: C-83826r1170587_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy" is set to "prohibit-whitespace", this is a finding.

Fix: F-83731r1170588_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "no security password-policy prohibit-whitespace".

b

The Edge SWG must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication.

- Medium - CCI-004068 - V-279277 - SV-279277r1170713_rule

RMF Control

Severity

Medium

CCI

CCI-004068

Version

SYME-ND-000860

Vuln IDs

V-279277

Rule IDs

SV-279277r1170713_rule

Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.

Checks: C-83827r1170712_chk

1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Select the "SSL" and "OCSP" areas. If no OCSP responder is configured, this is a finding. If the OCSP responder is configured, but the "Issuer CCL" does not match the CCL in the HTTPS-console or the SSH-console x.509 CCL, this is a finding. If the "Response Cache TTL" is not set for "from OCSP response", this is a finding. If any of the "Ignore Settings" are checked, this is a finding.

Fix: F-83732r1170591_fix

1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Select the "SSL" and "OCSP" area. 3. Select "Add Responder". 4. Under URL, select "from certificate". 5. Check "Issuer CCL" and select the one that matches the HTTPS-console or the SSH-console x.509 CCL. 6. Check "Response CCL" and select the one that matches the HTTPS-console or the SSH-console x.509 CCL. 7. Under "SSL Device Profile", ensure it matches the one in the HTTPS-console. 8. Check "Enable Forwarding". Do not check any of the "Ignore Settings". 9. Click "Apply" and "Save".

b

The Edge SWG must be configured to verify when users create or update passwords, and that the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication.

- Medium - CCI-004061 - V-279283 - SV-279283r1170595_rule

RMF Control

Severity

Medium

CCI

CCI-004061

Version

SYME-ND-001040

Vuln IDs

V-279283

Rule IDs

SV-279283r1170595_rule

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

Checks: C-83833r1170593_chk

1. Log in to the Edge SWG SSH CLI. 2. Enter "show configuration". 3. Move down the configuration to the "security password-policy" section. If the configuration "security password-policy" is not set to "prohibit-common-words", this is a finding.

Fix: F-83738r1170594_fix

1. Log in to the Edge SWG SSH CLI. 2. Enter "enable" and "configure terminal". 3. Enter "security password-policy prohibit-common-words".

Symantec Edge SWG NDM Security Technical Implementation Guide - V1R2

Compare

View

Checks: C-83798r1170508_chk

Fix: F-83703r1170509_fix

Generate Mitigation Statement:

Checks: C-83799r1170511_chk

Fix: F-83704r1170512_fix

Generate Mitigation Statement:

Checks: C-83800r1170678_chk

Fix: F-83705r1170679_fix

Generate Mitigation Statement:

Checks: C-83801r1170681_chk

Fix: F-83706r1192885_fix

Generate Mitigation Statement:

Checks: C-83802r1170683_chk

Fix: F-83707r1170684_fix

Generate Mitigation Statement:

Checks: C-83803r1170686_chk

Fix: F-83708r1170522_fix

Generate Mitigation Statement:

Checks: C-83804r1170524_chk

Fix: F-83709r1170688_fix

Generate Mitigation Statement:

Checks: C-83805r1170690_chk

Fix: F-83710r1170691_fix

Generate Mitigation Statement:

Checks: C-83806r1170693_chk

Fix: F-83711r1170531_fix

Generate Mitigation Statement:

Checks: C-83807r1170533_chk

Fix: F-83712r1170534_fix

Generate Mitigation Statement:

Checks: C-83808r1170536_chk

Fix: F-83713r1170537_fix

Generate Mitigation Statement:

Checks: C-83809r1170539_chk

Fix: F-83714r1170540_fix

Generate Mitigation Statement:

Checks: C-83810r1170542_chk

Fix: F-83715r1170543_fix

Generate Mitigation Statement:

Checks: C-83811r1170545_chk

Fix: F-83716r1170546_fix

Generate Mitigation Statement:

Checks: C-83812r1170548_chk

Fix: F-83717r1170549_fix

Generate Mitigation Statement:

Checks: C-83813r1170551_chk

Fix: F-83718r1170552_fix

Generate Mitigation Statement:

Checks: C-83814r1172801_chk

Fix: F-83719r1170555_fix

Generate Mitigation Statement:

Checks: C-83815r1170557_chk

Fix: F-83720r1170558_fix

Generate Mitigation Statement:

Checks: C-83816r1170695_chk

Fix: F-83721r1170561_fix

Generate Mitigation Statement:

Checks: C-83818r1170601_chk

Fix: F-83723r1170602_fix

Generate Mitigation Statement:

Checks: C-83819r1170697_chk

Fix: F-83724r1170567_fix

Generate Mitigation Statement:

Checks: C-83820r1170569_chk

Fix: F-83725r1170570_fix

Generate Mitigation Statement:

Checks: C-83821r1170699_chk

Fix: F-83726r1170573_fix

Generate Mitigation Statement:

Checks: C-83822r1170701_chk

Fix: F-83727r1172803_fix

Generate Mitigation Statement:

Checks: C-83823r1170703_chk

Fix: F-83728r1170579_fix

Generate Mitigation Statement:

Checks: C-83824r1170705_chk

Fix: F-83729r1170706_fix