STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Oct 2017:

The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.

DISA Rule

SV-79599r1_rule

Vulnerability Number

V-65109

Group Title

SRG-APP-000224-NDM-000270

Rule Version

WSDP-NM-000072

Severity

CAT II

CCI(s)

• CCI-001188 - The information system generates unique session identifiers for each session with organization-defined randomness requirements.

Weight

10

Fix Recommendation

From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode.

This will achieve NIST SP800-131a compliance.

Check Contents

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status.

If it is not set to FIPS 140-2, this is a finding.

Then, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> Systems Logs.

If they are not random, this is a finding.

Vulnerability Number

V-65109

Documentable

False

Rule Version

WSDP-NM-000072

Severity Override Guidance

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status.

If it is not set to FIPS 140-2, this is a finding.

Then, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> Systems Logs.

If they are not random, this is a finding.

Check Content Reference

M

Target Key

2861

Comments