STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Jan 2016:

The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.

DISA Rule

SV-79781r1_rule

Vulnerability Number

V-65291

Group Title

SRG-NET-000391-ALG-000140

Rule Version

WSDP-AG-000112

Severity

CAT II

CCI(s)

CCI-002662 - The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.

Weight

Fix Recommendation

Create a new service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel.

Click Add to create a new service >> Set the Name and back end destination for the service.

Under MultiProtocol Gateway Policy, click “+” to create a new Policy >> Provide a name for the Policy >> Click New Rule >> Set the Rule Direction to Client to Server >> Double-click the existing Match Action on the rule line and select default-accept-service providers >> Drag the Validate action down onto the processing line >> Double-click the action.

Upload the necessary schema definition file to the action >> Click Done.

Drag the AAA action onto the processing line after the Validate action >> Double-click the action to open it >> Click “+” to create a new AAA Policy >> Follow the wizard steps to create the desired policy.

When done, close the action >> Click Apply to complete the Policy.

Click New Rule >> Set the direction to Server to Client >> Double-click the existing Match Action on the rule line and select default-accept-service providers >> Drag the Validate action down onto the processing line >> Double-click the action.

Upload the necessary schema definition file to the action >> Click Done.

Drag the AAA action onto the processing line after the Validate action >> Double-click the action to open it. Click “+” to create a new AAA Policy >> Follow the wizard steps to create the desired policy.

When done, close the action >> Click Apply to complete the Policy.

Complete the Gateway configuration by clicking Apply.

Check Contents

Verify a service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel.

Click the name of the service in the list >> Set the Name and back end destination for the service.

Under MultiProtocol Gateway Policy, click “...” to inspect the Policy >> Verify one Rule Direction is set to Client to Server.

Double-click the existing Match Action on the rule line and verify it is set default-accept-service providers.

Double-click the Validate action >> Verify that it is set to a schema file.

Upload the necessary schema definition file to the action >> Click Done.

Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy.

When done, click cancel.

Verify one Rule Direction is set to Server to Client.

Double-click the existing Match Action on the rule line and verify it is set default-accept-service providers.

Double-click the Validate action >> Verify that it is set to a schema file.

Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy.

When done, click cancel.

Click Cancel or Close Window to close the Policy.

If these items have not been configured, this is a finding.

The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments