STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Jan 2016:

The DataPower Gateway must invalidate session identifiers upon user logout or other session termination.

DISA Rule

SV-79725r1_rule

Vulnerability Number

V-65235

Group Title

SRG-NET-000231-ALG-000114

Rule Version

WSDP-AG-000050

Severity

CAT II

CCI(s)

• CCI-001185 - The information system invalidates session identifiers upon user logout or other session termination.

Weight

10

Fix Recommendation

From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode.

This will achieve NIST SP800-131a compliance.

Check Contents

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status.

Then, verify that the session identifiers (TIDs) in the System Log are random; Status >> View Logs >> Systems Logs.

If the device is not set to FIPS 140-2 Level 1, this is a finding.

Vulnerability Number

V-65235

Documentable

False

Rule Version

WSDP-AG-000050

Severity Override Guidance

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status.

Then, verify that the session identifiers (TIDs) in the System Log are random; Status >> View Logs >> Systems Logs.

If the device is not set to FIPS 140-2 Level 1, this is a finding.

Check Content Reference

M

Target Key

2859

Comments