STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 25 Jan 2016

The DataPower Gateway must recognize only system-generated session identifiers.

DISA Rule

SV-79727r1_rule

Vulnerability Number

V-65237

Group Title

SRG-NET-000233-ALG-000115

Rule Version

WSDP-AG-000051

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode.

This will achieve NIST SP800-131a compliance.

Check Contents

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1 (Status >> Crypto >> Cryptographic Mode Status).

Then verify that the session identifiers (TIDs) in the System Log are random (Status >> View Logs >> Systems Logs).

If these items are not configured, this is a finding.

Documentable

False

Severity Override Guidance

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is set to FIPS 140-2 Level 1 (Status >> Crypto >> Cryptographic Mode Status).

Then verify that the session identifiers (TIDs) in the System Log are random (Status >> View Logs >> Systems Logs).

If these items are not configured, this is a finding.

Check Content Reference

M

Target Key

2859
