STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 28 Apr 2017

The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.

DISA Rule

SV-86101r1_rule

Vulnerability Number

V-71477

Group Title

SRG-NET-000512-ALG-000065

Rule Version

CAGW-GW-000930

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the CA API Gateway - Policy Manager and double-click all Registered Services that require the inspection of FTP traffic for anomalies but do not include a "Route via FTP(s)" Assertion.

Add the "Route via FTP(s)" Assertion and configure in accordance with organizational requirements.

Also, if the FTP Listen Port was not present or configured properly, verify/add the FTP Listen Port by selecting "Tasks" from the main menu, choosing "Manage Listen Ports", and updating/adding the FTP/FTPS Protocol Listen Port in accordance with organizational requirements, including setting the maximum message size property.

Check Contents

Open the CA API Gateway - Policy Manager and double-click all Registered Services requiring the inspection of FTP traffic for anomalies.

Verify the "Route via FTP(s)" Assertion is included within the policies.

Also, verify the FTP Listen Port exists and the settings are configured in accordance with organizational requirements by selecting "Tasks" from the main menu, choosing "Manage Listen Ports", and validating that an FTP/FTPS Protocol Listen Port has been added/configured properly including setting the maximum message size property.

If the "Route via FTP(s)" Assertion is not included in the policies or the Listen Port has not been added/configured in accordance with organizational requirements, this is a finding.

Documentable

False

Severity Override Guidance

Open the CA API Gateway - Policy Manager and double-click all Registered Services requiring the inspection of FTP traffic for anomalies.

Verify the "Route via FTP(s)" Assertion is included within the policies.

Also, verify the FTP Listen Port exists and the settings are configured in accordance with organizational requirements by selecting "Tasks" from the main menu, choosing "Manage Listen Ports", and validating that an FTP/FTPS Protocol Listen Port has been added/configured properly including setting the maximum message size property.

If the "Route via FTP(s)" Assertion is not included in the policies or the Listen Port has not been added/configured in accordance with organizational requirements, this is a finding.

Check Content Reference

M

Target Key

3049
