STIGQter: STIG Summary: F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.

DISA Rule

SV-215762r557356_rule

Vulnerability Number

V-215762

Group Title

SRG-NET-000164-ALG-000100

Rule Version

F5BI-LT-000083

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If intermediary services for TLS are provided, configure the BIG-IP Core to validate certificates used for TLS functions by constructing a certification path with status information to an accepted trust anchor.

Check Contents

If the BIG-IP Core does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS) for virtual servers, this is not applicable.

When intermediary services for TLS are provided, verify the BIG-IP Core is configured to validate certificates used for TLS functions by constructing a certification path to an accepted trust anchor.

Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Server.

Select a FIPS-compliant profile.

Review the configuration under the "Server Authentication" section.

Verify "Server Certificate" is set to "Required".

Verify "Trusted Certificate Authorities" is set to a DoD-approved CA bundle.

If the BIG-IP Core is not configured to validate certificates used for TLS functions by constructing a certification path to an accepted trust anchor, this is a finding.
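As an added illustration (not part of the STIG or of F5's own tooling), the script below applies the two check items above to saved output of `tmsh list ltm profile server-ssl`, so every server-SSL profile can be audited at once instead of one profile at a time in the GUI. It assumes the "Server Certificate" setting corresponds to the peer-cert-mode key, "Trusted Certificate Authorities" to ca-file, that keys tmsh does not list are inherited through defaults-from (with ignore/none as platform defaults), and uses a placeholder name for the approved CA bundle.

```python
import re
# Constructed sample of `tmsh list ltm profile server-ssl` output. Assumptions: the
# "Server Certificate" setting is peer-cert-mode, "Trusted Certificate Authorities"
# is ca-file, and keys not listed are inherited through defaults-from.
SAMPLE_TMSH = """\
ltm profile server-ssl /Common/serverssl {
    peer-cert-mode ignore
}
ltm profile server-ssl /Common/app1-serverssl {
    ca-file /Common/dod-ca-bundle.crt
    defaults-from serverssl
    peer-cert-mode require
}
ltm profile server-ssl /Common/app2-serverssl {
    ca-file /Common/dod-ca-bundle.crt
    defaults-from serverssl
}
"""
APPROVED_CA_FILES = {"/Common/dod-ca-bundle.crt"}  # placeholder bundle name

def parse_profiles(text):
    # Map each profile name to the key/value pairs tmsh lists for it.
    profiles = {}
    for m in re.finditer(r"ltm profile server-ssl (\S+) \{\n(.*?)\n\}", text, re.S):
        props = {}
        for line in m.group(2).splitlines():
            key, _, value = line.strip().partition(" ")
            props[key] = value
        profiles[m.group(1)] = props
    return profiles

def effective(profiles, name, key, default):
    # Walk the defaults-from chain; a key listed nowhere takes the platform default.
    while name in profiles:
        if key in profiles[name]:
            return profiles[name][key]
        parent = profiles[name].get("defaults-from", "none")
        name = parent if parent.startswith("/") else "/Common/" + parent
    return default

def audit(text, approved=APPROVED_CA_FILES):
    # Return {profile: [problem, ...]}; an empty list means both check items pass.
    profiles = parse_profiles(text)
    findings = {}
    for name in profiles:
        mode = effective(profiles, name, "peer-cert-mode", "ignore")
        ca = effective(profiles, name, "ca-file", "none")
        problems = []
        if mode != "require":
            problems.append(f"Server Certificate is '{mode}', not Required")
        if ca not in approved:
            problems.append(f"Trusted Certificate Authorities is '{ca}', not approved")
        findings[name] = problems
    return findings
```

Note that app2-serverssl lists an approved CA bundle but still fails: it never sets peer-cert-mode, so it inherits ignore from the parent profile, which is exactly the case a profile-by-profile GUI review can miss.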

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4019

Comments