Checked | Name | Title |
--- | --- | --- |
☐ | SV-104171r1_rule | If Symantec ProxySG filters externally initiated traffic, reverse proxy services must be configured. |
☐ | SV-104173r1_rule | Symantec ProxySG providing intermediary services for remote access communications traffic must ensure outbound traffic is monitored for compliance with remote access security policies. |
☐ | SV-104175r1_rule | Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. |
☐ | SV-104177r1_rule | Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite. |
☐ | SV-104179r2_rule | Symantec ProxySG storing secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. |
☐ | SV-104181r1_rule | Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. |
☐ | SV-104183r1_rule | Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-104185r1_rule | Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-104187r1_rule | Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules. |
☐ | SV-104189r2_rule | Symantec ProxySG providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. |
☐ | SV-104191r1_rule | Symantec ProxySG providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. |
☐ | SV-104193r1_rule | Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur. |
☐ | SV-104195r1_rule | Symantec ProxySG providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system. |
☐ | SV-104197r1_rule | Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful attempts to access web resources occur. |
☐ | SV-104199r1_rule | Symantec ProxySG must produce audit records containing information to establish what type of events occurred. |
☐ | SV-104201r1_rule | Symantec ProxySG must produce audit records containing information to establish when (date and time) the events occurred. |
☐ | SV-104203r1_rule | Symantec ProxySG must produce audit records containing information to establish where the events occurred. |
☐ | SV-104205r1_rule | Symantec ProxySG must produce audit records containing information to establish the source of the events. |
☐ | SV-104207r1_rule | Symantec ProxySG must produce audit records containing information to establish the outcome of the events. |
☐ | SV-104209r1_rule | Symantec ProxySG must generate audit records containing information to establish the identity of any individual or process associated with the event. |
☐ | SV-104211r1_rule | Symantec ProxySG must use a centralized log server. |
☐ | SV-104213r1_rule | Symantec ProxySG must be configured to send the access logs to the centralized log server continuously. |
☐ | SV-104215r1_rule | Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. |
☐ | SV-104217r1_rule | The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies. |
☐ | SV-104219r1_rule | Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies. |
☐ | SV-104221r1_rule | Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies. |
☐ | SV-104223r1_rule | Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies. |
☐ | SV-104225r1_rule | Symantec ProxySG must not have unnecessary services and functions enabled. |
☐ | SV-104227r1_rule | Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services. |
☐ | SV-104229r1_rule | Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-104231r1_rule | Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication. |
☐ | SV-104233r1_rule | Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-104235r1_rule | Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges. |
☐ | SV-104237r1_rule | Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers. |
☐ | SV-104239r2_rule | Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
☐ | SV-104241r2_rule | Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
☐ | SV-104243r1_rule | Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts. |
☐ | SV-104245r1_rule | Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. |
☐ | SV-104247r1_rule | Symantec ProxySG must prohibit the use of cached authenticators after 300 seconds at a minimum. |
☐ | SV-104249r1_rule | Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store. |
☐ | SV-104251r1_rule | Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
☐ | SV-104253r1_rule | Symantec ProxySG providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles. |
☐ | SV-104255r1_rule | Symantec ProxySG must terminate all network connections associated with a communications session at the end of the session or terminate user sessions (nonprivileged session) after 15 minutes of inactivity. |
☐ | SV-104257r1_rule | Symantec ProxySG providing forward proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. |
☐ | SV-104259r1_rule | Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. |
☐ | SV-104261r1_rule | Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. |
☐ | SV-104263r1_rule | Symantec ProxySG providing reverse proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. |
☐ | SV-104265r1_rule | Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions. |
☐ | SV-104267r1_rule | If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. |
☐ | SV-104269r1_rule | Symantec ProxySG must fail to a secure state upon failure of initialization, shutdown, or abort actions. |
☐ | SV-104271r1_rule | Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis. |
☐ | SV-104273r1_rule | Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks. |
☐ | SV-104275r1_rule | Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. |
☐ | SV-104277r1_rule | Symantec ProxySG must allow incoming communications only from organization-defined authorized sources routed to organization-defined authorized destinations. |
☐ | SV-104279r1_rule | Symantec ProxySG must fail securely in the event of an operational failure. |
☐ | SV-104281r1_rule | Symantec ProxySG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
☐ | SV-104283r1_rule | Symantec ProxySG must identify and log internal users associated with denied outgoing communications traffic posing a threat to external information systems. |
☐ | SV-104285r1_rule | Symantec ProxySG must tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. |
☐ | SV-104287r1_rule | Symantec ProxySG providing content filtering must be configured to integrate with a system-wide intrusion detection system. |
☐ | SV-104289r1_rule | Symantec ProxySG providing content filtering must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum. |
☐ | SV-104291r1_rule | Symantec ProxySG providing content filtering must generate a log record when access attempts to unauthorized websites and/or services are detected. |
☐ | SV-104293r1_rule | Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when access attempts to unauthorized websites and/or services are detected. |
☐ | SV-104295r1_rule | Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. |
☐ | SV-104297r1_rule | Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions. |
☐ | SV-104299r1_rule | Symantec ProxySG providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. |
☐ | SV-104301r1_rule | Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected. |