Symantec ProxySG NDM Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2019-05-21

Updated At: 2019-07-06 12:01:56

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-104305r1_rule SYMP-NM-000320 CCI-002385 HIGH Symantec ProxySG must enable Attack Detection. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Symantec ProxySG Attack Detection prevents or limits the effects of de
    SV-104483r1_rule SYMP-NM-000010 CCI-001358 MEDIUM Symantec ProxySG must be configured with only one local account that is used as the account of last resort. Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authenti
    SV-104485r1_rule SYMP-NM-000020 CCI-000213 HIGH Symantec ProxySG must be configured to enforce user authorization to implement least privilege. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the poss
    SV-104487r1_rule SYMP-NM-000030 CCI-000213 HIGH Symantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges. It is important that administrative access (SSH, web) to an appliance using the account of last resort be able to be restricted to only the appropriate networks/subnets in order to reduce the likelihood of unauthorized access.
    SV-104489r1_rule SYMP-NM-000040 CCI-001368 MEDIUM Symantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI). A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Info
    SV-104491r1_rule SYMP-NM-000050 CCI-000044 MEDIUM Symantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
    SV-104493r1_rule SYMP-NM-000060 CCI-000048 LOW Symantec ProxySG must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, a
    SV-104495r1_rule SYMP-NM-000070 CCI-000169 MEDIUM Symantec ProxySG must enable event access logging. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the
    SV-104497r1_rule SYMP-NM-000080 CCI-001851 MEDIUM Symantec ProxySG must be configured to support centralized management and configuration of the audit log. Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The DoD
    SV-104499r1_rule SYMP-NM-000090 CCI-001858 LOW Symantec ProxySG must generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be a
    SV-104501r1_rule SYMP-NM-000100 CCI-001891 MEDIUM Symantec ProxySG must compare internal information system clocks at least every 24 hours with an authoritative time server. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S
    SV-104503r1_rule SYMP-NM-000110 CCI-000366 MEDIUM Symantec ProxySG must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by i
    SV-104505r1_rule SYMP-NM-000120 CCI-001494 MEDIUM Symantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized modification. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network devices providing tools to interface wi
    SV-104507r1_rule SYMP-NM-000130 CCI-001493 MEDIUM Symantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized access. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network devices providing tools to interface wi
    SV-104509r1_rule SYMP-NM-000140 CCI-001348 MEDIUM Symantec ProxySG must back up event logs onto a different system or system component than the system or component being audited. Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system fai
    SV-104511r1_rule SYMP-NM-000150 CCI-000366 MEDIUM Symantec ProxySG must employ automated mechanisms to centrally verify authentication settings. The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without
    SV-104513r1_rule SYMP-NM-000160 CCI-000366 MEDIUM Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort. Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrat
    SV-104515r1_rule SYMP-NM-000170 CCI-000366 MEDIUM Symantec ProxySG must use Role-Based Access Control (RBAC) to assign privileges to users for access to files and functions. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to
    SV-104517r1_rule SYMP-NM-000180 CCI-000366 MEDIUM Symantec ProxySG must employ automated mechanisms to centrally apply authentication settings. The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without
    SV-104519r1_rule SYMP-NM-000190 CCI-000366 MEDIUM Symantec ProxySG must support organizational requirements to conduct backups of system level information contained in the ProxySG when changes occur or weekly, whichever is sooner. System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backu
    SV-104521r1_rule SYMP-NM-000200 CCI-000366 MEDIUM Symantec ProxySG must obtain its public key certificates from an appropriate certificate policy through an approved service provider. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Aut
    SV-104523r1_rule SYMP-NM-000210 CCI-000366 MEDIUM Symantec ProxySG must configure the maintenance and health monitoring to send an alarm when a critical condition occurs for a component. Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are
    SV-104525r1_rule SYMP-NM-000220 CCI-000382 HIGH Symantec ProxySG must use only approved management services protocols. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocol
    SV-104527r1_rule SYMP-NM-000230 CCI-001941 MEDIUM Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process
    SV-104529r1_rule SYMP-NM-000240 CCI-001967 MEDIUM Symantec ProxySG must configure SNMPv3 so that cryptographically-based bidirectional authentication is used. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of gre
    SV-104531r1_rule SYMP-NM-000250 CCI-000205 MEDIUM Symantec ProxySG must be configured to enforce a minimum 15-character password length for local accounts. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a passwor
    SV-104533r1_rule SYMP-NM-000260 CCI-000197 HIGH Symantec ProxySG must transmit only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making
    SV-104535r1_rule SYMP-NM-000270 CCI-002041 MEDIUM Symantec ProxySG must not have a default manufacturer passwords when deployed. Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability, confidentiality, or integrity of network traffic. Many default v
    SV-104537r1_rule SYMP-NM-000280 CCI-000803 HIGH Symantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol. Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. The Symantec ProxySG can be configured in F
    SV-104539r1_rule SYMP-NM-000290 CCI-003123 HIGH The Symantec ProxySG Web Management Console and SSH sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. This requirement requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, t
    SV-104541r1_rule SYMP-NM-000300 CCI-002890 HIGH The Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activiti
    SV-104543r1_rule SYMP-NM-000310 CCI-001133 HIGH Symantec ProxySG must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat