STIGQter: STIG Summary: Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 12 Sep 2017

| Name | Title |
| --- | --- |
| SV-91087r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443. |
| SV-91089r1_rule | Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats. |
| SV-91091r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions. |
| SV-91093r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist). |
| SV-91095r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist). |
| SV-91097r1_rule | Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. |
| SV-91099r1_rule | To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
| SV-91101r1_rule | To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
| SV-91103r1_rule | To protect against data mining, Kona Site Defender providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
| SV-91105r1_rule | To protect against data mining, Kona Site Defender providing content filtering must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
| SV-91107r1_rule | To protect against data mining, Kona Site Defender providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
| SV-91109r1_rule | To protect against data mining, Kona Site Defender providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
| SV-91111r1_rule | Kona Site Defender must off-load audit records onto a centralized log server. |
| SV-91113r1_rule | Kona Site Defender must off-load audit records onto a centralized log server in real time. |
| SV-91115r1_rule | Kona Site Defender must not strip origin-defined HTTP session headers. |
| SV-91117r1_rule | Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis. |
| SV-91119r1_rule | Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures. |
| SV-91121r1_rule | Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies. |
| SV-91123r1_rule | Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. |
| SV-91125r1_rule | Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. |
| SV-91127r1_rule | Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. |
| SV-91129r1_rule | Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. |
| SV-91131r1_rule | Kona Site Defender providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. |
| SV-91133r1_rule | Kona Site Defender providing content filtering must block malicious code upon detection. |
| SV-91135r1_rule | Kona Site Defender providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection. |
| SV-91137r1_rule | Kona Site Defender providing content filtering must be configured to integrate with a system-wide intrusion detection system. |
| SV-91139r1_rule | Kona Site Defender providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. |
| SV-91141r1_rule | Kona Site Defender providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. |
| SV-91143r1_rule | Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected. |
| SV-91145r1_rule | Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected. |
| SV-91147r1_rule | Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization. |
| SV-91149r1_rule | Kona Site Defender must reveal error messages only to the ISSO, ISSM, and SCA. |
| SV-91151r1_rule | Kona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |