STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Apr 2017:

The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

DISA Rule

SV-85987r1_rule

Vulnerability Number

V-71363

Group Title

SRG-NET-000192-ALG-000121

Rule Version

CAGW-GW-000370

Severity

CAT II

CCI(s)

• CCI-001094 - The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.

Weight

10

Fix Recommendation

Open the CA API Gateway - Policy Manager.

Select "Tasks" from the main menu and choose "Create Policy". Give the policy a name and select "Global Policy Fragment" from the Policy Type drop-down menu.

Select "message-received" from the Policy Tag drop-down menu and click "OK".

Drag the "Apply Rate Limit" Assertion into the newly created Global Policy Fragment. Set the "Maximum requests per second" and/or "Maximum concurrent requests" and/or "Limit each:" values to meet the organization's requirements to protect against DoS attacks.

Click "Save and Activate”.

Also double-click each Registered Service requiring additional safeguards, such as quota limits message size limitations, to verify/add the "Apply Throughput Quota" and "Limit Message Size" Assertions and configure their settings in accordance with organizational requirements.

Check Contents

Open the CA API Gateway - Policy Manager.

Check the lower-left corner of the CA API Gateway - Policy Manager to see if a Global Policy is set that includes an "Apply Rate Limit" Assertion. (Global policies are displayed with a green icon beside their name.)

If the policy does not exist, this is a finding.

If it does exist, verify the Rate Limits are set to meet the organization's security requirements for DoS attacks.

Also check each Registered Service requiring additional safeguards such as quota limits and message size limitation to verify the "Apply Throughput Quota" and "Limit Message Size" Assertions have been added and configured to meet organizational requirements.

If they have not, this is also a finding.

Vulnerability Number

V-71363

Documentable

False

Rule Version

CAGW-GW-000370

Severity Override Guidance

Open the CA API Gateway - Policy Manager.

Check the lower-left corner of the CA API Gateway - Policy Manager to see if a Global Policy is set that includes an "Apply Rate Limit" Assertion. (Global policies are displayed with a green icon beside their name.)

If the policy does not exist, this is a finding.

If it does exist, verify the Rate Limits are set to meet the organization's security requirements for DoS attacks.

Also check each Registered Service requiring additional safeguards such as quota limits and message size limitation to verify the "Apply Throughput Quota" and "Limit Message Size" Assertions have been added and configured to meet organizational requirements.

If they have not, this is also a finding.

Check Content Reference

M

Target Key

3049

Comments