STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Nov 2020

Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment.

DISA Rule

SV-233332r611394_rule

Vulnerability Number

V-233332

Group Title

SRG-NET-000062-NAC-000340

Rule Version

FORE-NC-000270

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the Forescout UI.

1. Select Tools >> Options >> Certificates.
2. In the Ongoing TLS Sessions section, view the Re-verify TLS Sessions setting.
3. Change Re-verify TLS Sessions to Every 1 Day, or to the interval specified in the site's SSP, then click "Apply".
4. Next select the HPS Inspection Engine >> SecureConnector.
5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.

Check Contents

Verify Forescout is configured to a list of DoD-approved certificate types and CAs.

Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.

For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding.

Documentable

False

Severity Override Guidance

Verify Forescout is configured to a list of DoD-approved certificate types and CAs.

Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.

For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding.

Check Content Reference

M

Target Key

5250

Comments