STIGQter STIGQter: STIG Summary: F5 BIG-IP Application Security Manager 11.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 29 May 2015: The BIG-IP ASM module supporting intermediary services for remote access communications traffic must ensure inbound traffic is monitored for compliance with remote access security policies.

DISA Rule

SV-74497r1_rule

Vulnerability Number

V-60067

Group Title

SRG-NET-000061-ALG-000009

Rule Version

F5BI-AS-000031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If intermediary services for remote access communications traffic for virtual servers is supported by the BIG-IP ASM module, configure an ASM security policy to monitor inbound traffic for compliance with remote access security policies, to be applied to the applicable virtual servers in the BIG-IP LTM module.

Check Contents

If the BIG-IP ASM module does not support intermediary services for remote access traffic (e.g., web content filter, TLS, and webmail) for virtual servers, this is not applicable.

When the BIG-IP ASM module is used to support intermediary services for remote access communications traffic to virtual servers, verify the security policy is configured as follows:

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select the applicable Virtual Servers(s) from the list to verify.

Navigate to the Security >> Policies tab.

Verify an ASM policy is assigned and Enabled for "Application Security Policy".

Verify configuration of the identified ASM policy:

Navigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.

Review the list under "Active Security Policies" for a security policy that monitors inbound traffic for compliance with remote access security policies.

Verify "Enforcement Mode" is set to "Transparent" or "Blocking" in accordance with the requirements for the applicable virtual server.

If the BIG-IP ASM module is not configured with a policy to monitor inbound traffic for compliance with remote access security policies and applied to the applicable virtual servers, this is a finding.

Vulnerability Number

V-60067

Documentable

False

Rule Version

F5BI-AS-000031

Severity Override Guidance

If the BIG-IP ASM module does not support intermediary services for remote access traffic (e.g., web content filter, TLS, and webmail) for virtual servers, this is not applicable.

When the BIG-IP ASM module is used to support intermediary services for remote access communications traffic to virtual servers, verify the security policy is configured as follows:

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select the applicable Virtual Servers(s) from the list to verify.

Navigate to the Security >> Policies tab.

Verify an ASM policy is assigned and Enabled for "Application Security Policy".

Verify configuration of the identified ASM policy:

Navigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.

Review the list under "Active Security Policies" for a security policy that monitors inbound traffic for compliance with remote access security policies.

Verify "Enforcement Mode" is set to "Transparent" or "Blocking" in accordance with the requirements for the applicable virtual server.

If the BIG-IP ASM module is not configured with a policy to monitor inbound traffic for compliance with remote access security policies and applied to the applicable virtual servers, this is a finding.

Check Content Reference

M

Target Key

2841

Comments