STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide

Version: 1

Release: 1 Benchmark Date: 25 Jan 2016

Name: Title

SV-79469r1_rule: The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
SV-79681r1_rule: The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
SV-79683r1_rule: The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
SV-79685r1_rule: The DataPower Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
SV-79687r1_rule: The DataPower Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
SV-79689r1_rule: The DataPower Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
SV-79691r1_rule: The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
SV-79693r1_rule: The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
SV-79695r1_rule: The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
SV-79697r1_rule: The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
SV-79699r1_rule: The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.
SV-79701r1_rule: The DataPower Gateway must protect audit information from unauthorized read access.
SV-79703r1_rule: The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-79705r1_rule: The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-79707r1_rule: The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
SV-79709r1_rule: The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
SV-79711r1_rule: The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
SV-79713r1_rule: The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-79715r1_rule: The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
SV-79717r1_rule: The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
SV-79719r1_rule: The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-79721r1_rule: The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network.
SV-79723r1_rule: The DataPower Gateway must protect the authenticity of communications sessions.
SV-79725r1_rule: The DataPower Gateway must invalidate session identifiers upon user logout or other session termination.
SV-79727r1_rule: The DataPower Gateway must recognize only system-generated session identifiers.
SV-79729r1_rule: In the event of a system failure of the DataPower Gateway function, the DataPower Gateway must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
SV-79731r1_rule: The DataPower Gateway must have ICMP responses disabled on all interfaces facing untrusted networks.
SV-79733r1_rule: To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
SV-79735r1_rule: To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
SV-79737r1_rule: To protect against data mining, the DataPower Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
SV-79739r1_rule: To protect against data mining, the DataPower Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
SV-79741r1_rule: To protect against data mining, the DataPower Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
SV-79743r1_rule: To protect against data mining, the DataPower Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
SV-79745r1_rule: The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to select a user session to capture or view.
SV-79747r1_rule: The DataPower Gateway must be configured to support centralized management and configuration.
SV-79749r1_rule: The DataPower Gateway must off-load audit records onto a centralized log server.
SV-79751r1_rule: The DataPower Gateway must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
SV-79753r1_rule: The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
SV-79755r1_rule: The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
SV-79757r1_rule: The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles.
SV-79759r1_rule: The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
SV-79761r1_rule: The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
SV-79763r1_rule: The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
SV-79765r1_rule: The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
SV-79767r1_rule: The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
SV-79769r1_rule: The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
SV-79771r1_rule: The DataPower Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SV-79773r1_rule: The DataPower Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
SV-79775r1_rule: The DataPower Gateway providing content filtering must generate a log record when unauthorized network services are detected.
SV-79777r1_rule: The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected.
SV-79779r1_rule: The DataPower Gateway providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
SV-79781r1_rule: The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.
SV-79783r1_rule: The DataPower Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
SV-79785r1_rule: The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
SV-79787r1_rule: The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when root level intrusion events which provide unauthorized privileged access are detected.
SV-79789r1_rule: The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user level intrusions which provide non-privileged access are detected.
SV-79791r1_rule: The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.
SV-79793r1_rule: The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
SV-79795r1_rule: The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to capture, record, and log all content related to a selected user session.
SV-79797r1_rule: The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization.
SV-79799r1_rule: The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
SV-79801r1_rule: The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
SV-79803r1_rule: The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
SV-79805r1_rule: The DataPower Gateway must off-load audit records onto a centralized log server in real time.
SV-79807r1_rule: The DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service.