STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Nov 2020

Forescout that stores device keys must have a key management process that is FIPS-approved and protected by Advanced Encryption Standard (AES) block cipher algorithms.

DISA Rule

SV-233333r611394_rule

Vulnerability Number

V-233333

Group Title

SRG-NET-000525-NAC-002430

Rule Version

FORE-NC-000280

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

If the Forescout Appliance is using FIPS mode, then TLS 1.2 is set as part of that configuration and does not need to be configured manually.

If not in FIPS mode, then:
1. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector.
2. In the Client-Server Connection, set the Minimum Supported TLS Version to TLS version 1.2.

Check Contents

If the NAC does not store device keys, this is not applicable.

Verify the NAC is configured to use FIPS mode or a key management process that is protected by Advanced Encryption Standard (AES) block cipher algorithms.

If the NAC does not use FIPS mode or a key management process that is FIPS-approved and protected by Advanced Encryption Standard (AES) block cipher algorithms, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

5250

Comments