STIGQter STIGQter: STIG Summary: F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes when providing encryption traffic to virtual servers.

DISA Rule

SV-215798r557356_rule

Vulnerability Number

V-215798

Group Title

SRG-NET-000510-ALG-000025

Rule Version

F5BI-LT-000291

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If encryption intermediary services are provided, configure the BIG-IP Core to implement NIST FIPS-validated cryptography to generate cryptographic hashes.

Check Contents

If the BIG-IP Core does not provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC) for virtual servers, this is not applicable.

When encryption intermediary services are provided, verify the BIG-IP Core is configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes.

Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Client.

Verify a profile exists that is FIPS Compliant.

Select a FIPS-compliant profile.

Select "Advanced" next to "Configuration".

Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers.

Verify applicable virtual servers are configured in the BIG-IP LTM to use a FIPS-compliant client profile:

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select Virtual Servers(s) from the list to verify.

Verify under "Configuration" section, that a FIPS-compliant profile is in the "Selected" area of "SSL Profile (Client)".

If the BIG-IP Core is not configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes, this is a finding.

Vulnerability Number

V-215798

Documentable

False

Rule Version

F5BI-LT-000291

Severity Override Guidance

If the BIG-IP Core does not provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC) for virtual servers, this is not applicable.

When encryption intermediary services are provided, verify the BIG-IP Core is configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes.

Navigate to the BIG-IP System manager >> Local traffic >> Profiles >> SSL >> Client.

Verify a profile exists that is FIPS Compliant.

Select a FIPS-compliant profile.

Select "Advanced" next to "Configuration".

Verify "Ciphers" under "Configuration" section is configured to use FIPS-compliant ciphers.

Verify applicable virtual servers are configured in the BIG-IP LTM to use a FIPS-compliant client profile:

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select Virtual Servers(s) from the list to verify.

Verify under "Configuration" section, that a FIPS-compliant profile is in the "Selected" area of "SSL Profile (Client)".

If the BIG-IP Core is not configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes, this is a finding.

Check Content Reference

M

Target Key

4019

Comments