STIGQter: STIG Summary: Symantec ProxySG ALG Security Technical Implementation Guide

Version: 1
Release: 2
Benchmark Date: 24 Jan 2020

Name | Title
SV-104171r1_rule | If Symantec ProxySG filters externally initiated traffic, reverse proxy services must be configured.
SV-104173r1_rule | Symantec ProxySG providing intermediary services for remote access communications traffic must ensure outbound traffic is monitored for compliance with remote access security policies.
SV-104175r1_rule | Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
SV-104177r1_rule | Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite.
SV-104179r2_rule | Symantec ProxySG storing secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
SV-104181r1_rule | Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
SV-104183r1_rule | Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
SV-104185r1_rule | Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
SV-104187r1_rule | Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules.
SV-104189r1_rule | Symantec ProxySG providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
SV-104191r1_rule | Symantec ProxySG providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
SV-104193r1_rule | Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur.
SV-104195r1_rule | Symantec ProxySG providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.
SV-104197r1_rule | Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful attempts to access web resources occur.
SV-104199r1_rule | Symantec ProxySG must produce audit records containing information to establish what type of events occurred.
SV-104201r1_rule | Symantec ProxySG must produce audit records containing information to establish when (date and time) the events occurred.
SV-104203r1_rule | Symantec ProxySG must produce audit records containing information to establish where the events occurred.
SV-104205r1_rule | Symantec ProxySG must produce audit records containing information to establish the source of the events.
SV-104207r1_rule | Symantec ProxySG must produce audit records containing information to establish the outcome of the events.
SV-104209r1_rule | Symantec ProxySG must generate audit records containing information to establish the identity of any individual or process associated with the event.
SV-104211r1_rule | Symantec ProxySG must use a centralized log server.
SV-104213r1_rule | Symantec ProxySG must be configured to send the access logs to the centralized log server continuously.
SV-104215r1_rule | Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
SV-104217r1_rule | The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies.
SV-104219r1_rule | Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies.
SV-104221r1_rule | Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies.
SV-104223r1_rule | Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies.
SV-104225r1_rule | Symantec ProxySG must not have unnecessary services and functions enabled.
SV-104227r1_rule | Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services.
SV-104229r1_rule | Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments.
SV-104231r1_rule | Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication.
SV-104233r1_rule | Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-104235r1_rule | Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges.
SV-104237r1_rule | Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers.
SV-104239r1_rule | Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
SV-104241r1_rule | Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
SV-104243r1_rule | Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts.
SV-104245r1_rule | Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
SV-104247r1_rule | Symantec ProxySG must prohibit the use of cached authenticators after 300 seconds at a minimum.
SV-104249r1_rule | Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store.
SV-104251r1_rule | Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
SV-104253r1_rule | Symantec ProxySG providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
SV-104255r1_rule | Symantec ProxySG must terminate all network connections associated with a communications session at the end of the session or terminate user sessions (nonprivileged session) after 15 minutes of inactivity.
SV-104257r1_rule | Symantec ProxySG providing forward proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
SV-104259r1_rule | Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
SV-104261r1_rule | Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
SV-104263r1_rule | Symantec ProxySG providing reverse proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
SV-104265r1_rule | Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions.
SV-104267r1_rule | If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
SV-104269r1_rule | Symantec ProxySG must fail to a secure state upon failure of initialization, shutdown, or abort actions.
SV-104271r1_rule | Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
SV-104273r1_rule | Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks.
SV-104275r1_rule | Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
SV-104277r1_rule | Symantec ProxySG must allow incoming communications only from organization-defined authorized sources routed to organization-defined authorized destinations.
SV-104279r1_rule | Symantec ProxySG must fail securely in the event of an operational failure.
SV-104281r1_rule | Symantec ProxySG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SV-104283r1_rule | Symantec ProxySG must identify and log internal users associated with denied outgoing communications traffic posing a threat to external information systems.
SV-104285r1_rule | Symantec ProxySG must tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
SV-104287r1_rule | Symantec ProxySG providing content filtering must be configured to integrate with a system-wide intrusion detection system.
SV-104289r1_rule | Symantec ProxySG providing content filtering must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.
SV-104291r1_rule | Symantec ProxySG providing content filtering must generate a log record when access attempts to unauthorized websites and/or services are detected.
SV-104293r1_rule | Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when access attempts to unauthorized websites and/or services are detected.
SV-104295r1_rule | Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
SV-104297r1_rule | Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.
SV-104299r1_rule | Symantec ProxySG providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
SV-104301r1_rule | Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected.