STIGQter: STIG Summary: A10 Networks ADC ALG Security Technical Implementation Guide

Version: 1
Release: 1
Benchmark Date: 15 Apr 2016

Name             Title
SV-82447r1_rule  The A10 Networks ADC, when used for TLS encryption and decryption, must be configured to comply with the required TLS settings in NIST SP 800-52.
SV-82449r1_rule  The A10 Networks ADC, when used to load balance web applications, must enable external logging for accessing Web Application Firewall data event messages.
SV-82451r1_rule  The A10 Networks ADC must send an alert to, at a minimum, the ISSO and SCA when connectivity to the Syslog servers is lost.
SV-82453r1_rule  The A10 Networks ADC must not have unnecessary scripts installed.
SV-82455r1_rule  The A10 Networks ADC must use DNS Proxy mode when Global Server Load Balancing is used.
SV-82457r1_rule  The A10 Networks ADC must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
SV-82459r1_rule  The A10 Networks ADC, when used for TLS encryption and decryption, must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
SV-82463r1_rule  The A10 Networks ADC must not have any unnecessary or unapproved virtual servers configured.
SV-82465r1_rule  The A10 Networks ADC, when used to load balance web applications, must strip HTTP response headers.
SV-82467r1_rule  The A10 Networks ADC, when used to load balance web applications, must replace response codes.
SV-82469r1_rule  To protect against data mining, the A10 Networks ADC must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
SV-82471r1_rule  To protect against data mining, the A10 Networks ADC must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
SV-82473r1_rule  To protect against data mining, the A10 Networks ADC providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
SV-82477r1_rule  To protect against data mining, the A10 Networks ADC providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
SV-82479r1_rule  To protect against data mining, the A10 Networks ADC providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
SV-82481r1_rule  To protect against data mining, the A10 Networks ADC providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
SV-82483r1_rule  The A10 Networks ADC being used for TLS encryption and decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions.
SV-82485r1_rule  The A10 Networks ADC must protect against TCP and UDP Denial of Service (DoS) attacks by employing Source-IP based connection-rate limiting.
SV-82487r1_rule  The A10 Networks ADC must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
SV-82489r1_rule  The A10 Networks ADC must enable DDoS filters.
SV-82491r1_rule  The A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists.
SV-82495r1_rule  The A10 Networks ADC, when used to load balance web applications, must enable external logging for WAF data event messages.
SV-82499r1_rule  The A10 Networks ADC must enable logging for packet anomaly events.
SV-82501r1_rule  The A10 Networks ADC must enable logging of Denial of Service (DoS) attacks.
SV-82503r1_rule  The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.
SV-82505r1_rule  The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
SV-82509r1_rule  The A10 Networks ADC must, at a minimum, off-load audit log records onto a centralized log server.
SV-82511r1_rule  The A10 Networks ADC, when used for load balancing web servers, must deploy the WAF in active mode.
SV-82513r1_rule  If the Data Owner requires it, the A10 Networks ADC must be configured to perform CCN Mask, SSN Mask, and PCRE Mask Request checks.
SV-82515r1_rule  The A10 Networks ADC must protect against ICMP-based Denial of Service (DoS) attacks by employing ICMP Rate Limiting.
SV-82517r1_rule  The A10 Networks ADC must protect against TCP SYN floods by using TCP SYN Cookies.
SV-82519r1_rule  The A10 Networks ADC must be a FIPS-compliant version.
SV-82595r1_rule  The A10 Networks ADC must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.