STIGQter STIGQter: STIG Summary: Symantec ProxySG NDM Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 24 Jan 2020

SV-104305r2_ruleSymantec ProxySG must enable Attack Detection.
SV-104483r1_ruleSymantec ProxySG must be configured with only one local account that is used as the account of last resort.
SV-104485r1_ruleSymantec ProxySG must be configured to enforce user authorization to implement least privilege.
SV-104487r1_ruleSymantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges.
SV-104489r1_ruleSymantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI).
SV-104491r1_ruleSymantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
SV-104493r1_ruleSymantec ProxySG must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
SV-104495r1_ruleSymantec ProxySG must enable event access logging.
SV-104497r1_ruleSymantec ProxySG must be configured to support centralized management and configuration of the audit log.
SV-104499r1_ruleSymantec ProxySG must generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent.
SV-104501r1_ruleSymantec ProxySG must compare internal information system clocks at least every 24 hours with an authoritative time server.
SV-104503r1_ruleSymantec ProxySG must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
SV-104505r1_ruleSymantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized modification.
SV-104507r1_ruleSymantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized access.
SV-104509r1_ruleSymantec ProxySG must back up event logs onto a different system or system component than the system or component being audited.
SV-104511r1_ruleSymantec ProxySG must employ automated mechanisms to centrally verify authentication settings.
SV-104513r1_ruleAccounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort.
SV-104515r1_ruleSymantec ProxySG must use Role-Based Access Control (RBAC) to assign privileges to users for access to files and functions.
SV-104517r1_ruleSymantec ProxySG must employ automated mechanisms to centrally apply authentication settings.
SV-104519r1_ruleSymantec ProxySG must support organizational requirements to conduct backups of system level information contained in the ProxySG when changes occur or weekly, whichever is sooner.
SV-104521r1_ruleSymantec ProxySG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
SV-104523r1_ruleSymantec ProxySG must configure the maintenance and health monitoring to send an alarm when a critical condition occurs for a component.
SV-104525r1_ruleSymantec ProxySG must use only approved management services protocols.
SV-104527r1_ruleSymantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts.
SV-104529r1_ruleSymantec ProxySG must configure SNMPv3 so that cryptographically-based bidirectional authentication is used.
SV-104531r1_ruleSymantec ProxySG must be configured to enforce a minimum 15-character password length for local accounts.
SV-104533r1_ruleSymantec ProxySG must transmit only encrypted representations of passwords.
SV-104535r1_ruleSymantec ProxySG must not have a default manufacturer passwords when deployed.
SV-104537r1_ruleSymantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol.
SV-104539r1_ruleThe Symantec ProxySG Web Management Console and SSH sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
SV-104541r1_ruleThe Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
SV-104543r1_ruleSymantec ProxySG must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.