STIGQter: STIG Summary: F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network.

DISA Rule

SV-215784r557356_rule

Vulnerability Number

V-215784

Group Title

SRG-NET-000345-ALG-000099

Rule Version

F5BI-LT-000203

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If user access control intermediary services are provided, configure the BIG-IP Core to deny by default when revocation information cannot be retrieved via the network.

Check Contents

If the BIG-IP Core does not provide user authentication intermediary services for virtual servers, this is not applicable.

When user authentication intermediary services are provided, verify the BIG-IP Core is configured to deny-by-default user access when revocation information is not accessible via the network.

Navigate to the BIG-IP System manager >> Local Traffic >> Profiles >> SSL >> Client.

Select an SSL client profile that is used for client authentication with Virtual Server(s).

Review the configuration under the "Client Authentication" section.

Verify that "Client Certificate" is set to "require" if not using APM.

Verify that "On Demand Cert Auth" in the access profile is set to "Require" if using APM.

If the BIG-IP Core is not configured to deny-by-default when unable to access revocation information via the network, this is a finding.
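The GUI steps above can also be checked from the BIG-IP command line. The following is an added example, not text from the STIG or from F5's own documentation: a POSIX shell/awk audit that reads the output of `tmsh list ltm profile client-ssl` (the `peer-cert-mode` property is what the GUI labels "Client Certificate") and reports every profile whose mode is not `require`. The profile listing embedded in the script is constructed sample data, and its profile names and file paths are invented for illustration.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit client-ssl profiles for
# peer-cert-mode require. On a real device, feed it the output of
#   tmsh list ltm profile client-ssl
# The listing below is constructed sample data, not captured from a device.

SAMPLE_TMSH_OUTPUT='ltm profile client-ssl clientssl {
    app-service none
    cert default.crt
    key default.key
    peer-cert-mode ignore
}
ltm profile client-ssl mtls_api {
    ca-file /Common/corp-ca.crt
    cert /Common/api.crt
    crl-file /Common/corp.crl
    key /Common/api.key
    peer-cert-mode require
}
ltm profile client-ssl mtls_portal {
    ca-file /Common/corp-ca.crt
    cert /Common/portal.crt
    key /Common/portal.key
    peer-cert-mode request
}'

# audit_client_ssl LISTING
#   Prints "<profile> <peer-cert-mode>" for every profile whose mode is not
#   "require". tmsh omits properties left at their default, so a profile with
#   no peer-cert-mode line is treated as the default, "ignore". Only a brace
#   in column 0 closes a profile, so nested blocks are ignored.
#   Returns 0 when every profile requires a client certificate, 1 otherwise.
audit_client_ssl() {
    printf '%s\n' "$1" | awk '
        /^ltm profile client-ssl / { name = $4; mode = "ignore" }
        /^[ \t]*peer-cert-mode /    { mode = $2 }
        /^}/                        { if (mode != "require") { print name, mode; bad = 1 } }
        END                         { exit bad ? 1 : 0 }
    '
}

if audit_client_ssl "$SAMPLE_TMSH_OUTPUT"; then
    echo "all client-ssl profiles require a client certificate"
else
    echo "finding: the profiles listed above do not require a client certificate"
fi
```

A failing profile is corrected with `tmsh modify ltm profile client-ssl <name> peer-cert-mode require`. Like the GUI steps, this check establishes only that a client certificate is required and which CRL file, if any, the profile references; it does not exercise the failure path when a CRL distribution point or OCSP responder is unreachable, which has to be confirmed against the revocation configuration actually in use.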

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4019

Comments