STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 28 Apr 2017

The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.

DISA Rule

SV-86103r1_rule

Vulnerability Number

V-71479

Group Title

SRG-NET-000512-ALG-000066

Rule Version

CAGW-GW-000940

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the CA API Gateway - Policy Manager and double-click all Registered Services requiring the inspection of HTTP traffic for anomalies that do not include a "Route via HTTP(s)" Assertion.

Add the "Route via HTTP(s)" Assertion and configure in accordance with organizational requirements.

Also, if the HTTP Listen Port was not present or not configured properly, verify/add the HTTP Listen Port by selecting "Tasks" from the main menu, choosing "Manage Listen Ports", and updating/adding the HTTP/HTTPS Protocol Listen Port in accordance with organizational requirements, including setting the maximum message size property.

Additionally, the policy can be updated to add other threat protections, such as the "Protect Against Code Injection" or other Assertions listed in the "Threat Protection" Folder Assertion list.

For more details, refer to the "CA API Management Documentation Wiki" at https://wiki.ca.com/display/GATEWAY90/CA+API+Gateway+Home.

Check Contents

Open the CA API Gateway - Policy Manager and double-click all Registered Services requiring the inspection of HTTP traffic for anomalies.

Verify the "Route via HTTP(s)" Assertion is included within the policies.

Also, verify the HTTP Listen Port exists and the settings are configured in accordance with organizational requirements by selecting "Tasks" from the main menu, choosing "Manage Listen Ports", and validating that an HTTP/HTTPS Protocol Listen Port has been added/configured properly, including setting the maximum message size property.

If the "Route via HTTP(s)" Assertion is not included in the policies or the Listen Port has not been added/configured in accordance with organizational requirements, this is a finding.

Documentable

False

Severity Override Guidance

Open the CA API Gateway - Policy Manager and double-click all Registered Services requiring the inspection of HTTP traffic for anomalies.

Verify the "Route via HTTP(s)" Assertion is included within the policies.

Also, verify the HTTP Listen Port exists and the settings are configured in accordance with organizational requirements by selecting "Tasks" from the main menu, choosing "Manage Listen Ports", and validating that an HTTP/HTTPS Protocol Listen Port has been added/configured properly, including setting the maximum message size property.

If the "Route via HTTP(s)" Assertion is not included in the policies or the Listen Port has not been added/configured in accordance with organizational requirements, this is a finding.

Check Content Reference

M

Target Key

3049
