STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Nov 2020

For TLS connections, Forescout must automatically terminate the session when a client certificate is requested and the client does not have a suitable certificate.

DISA Rule

SV-233331r611394_rule

Vulnerability Number

V-233331

Group Title

SRG-NET-000517-NAC-002370

Rule Version

FORE-NC-000260

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the Forescout UI.

1. Select Tools >> Options >> Certificates.
2. In the Ongoing TLS Sessions section, view the Re-verify TLS Sessions setting.
3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply".
4. Next, select HPS Inspection Engine >> SecureConnector.
5. In the Client-Server Connection section, ensure the Minimum Supported TLS Version is set to TLS version 1.2.

Check Contents

Verify Forescout is configured with a list of DoD-approved certificate types and CAs.

Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.

For TLS connections, if Forescout is not configured to automatically terminate the session when the client does not have a suitable certificate, this is a finding.

Vulnerability Number

V-233331

Documentable

False

Rule Version

FORE-NC-000260

Severity Override Guidance

Verify Forescout is configured with a list of DoD-approved certificate types and CAs.

Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.

For TLS connections, if Forescout is not configured to automatically terminate the session when the client does not have a suitable certificate, this is a finding.

Check Content Reference

M

Target Key

5250

Comments