{"stig":{"title":"F5 BIG-IP TMOS ALG Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-266137","ruleId":"SV-266137r1024833_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing user access control intermediary services must limit the number of concurrent sessions to one or an organization-defined number for each access profile.","description":"The \"Max In Progress Sessions Per Client IP\" setting in an APM Access Profile is a security configuration that limits the number of simultaneous sessions that can be initiated from a single IP address. This is particularly helpful in preventing a session flood, where a hacker might attempt to overwhelm the system by initiating many sessions from a single source. By capping the number of sessions per IP, this setting can help maintain the system's stability and integrity while also providing a layer of protection against such potential attacks.\n\nFalse positives may result from this setting in networks where users are behind a shared proxy. Sites must conduct operational testing to determine if there are adverse operational impacts. View Log reports to identify recurring IP sources within the user community.\n\nMax In Progress Sessions per Client IP represents the maximum number of sessions that can be in progress for a client IP address. When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, increase the value accordingly.","checkContent":"If the BIG-IP appliance does not provide user access control intermediary services, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the Name of the Access profile.\n5. 
Under \"Settings\", verify \"Max Sessions per User\" is set to \"1\" or to an organization-defined number.\n\nIf the BIG-IP appliance is not configured to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the Name of the Access profile.\n5. Under \"Settings\", set \"Max Sessions per User\" to \"1\" or to an organization-defined number.\n6. Update.","ccis":["CCI-000054"]},{"vulnId":"V-266138","ruleId":"SV-266138r1024835_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing intermediary services for remote access communications traffic must ensure inbound and outbound traffic is monitored for compliance with remote access security policies.","description":"Automated monitoring of remote access traffic allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities.\n\nRemote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS, and webmail). With inbound TLS inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting TLS or HTTPS applications. With outbound traffic inspection, traffic must be inspected prior to being forwarded to destinations outside of the enclave, such as external email traffic.","checkContent":"If the BIG-IP appliance does not serve as an intermediary for remote access traffic, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. 
Review the list of policies and confirm they are applied to virtual servers being used for intermediary services for remote access communications traffic.\n\nIf the BIG-IP appliance is not configured to ensure inbound and outbound traffic is monitored for compliance with remote access security policies, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click on the name of a virtual server.\n5. Security tab >> Policies.\n6. Set \"Application Security Policy\" to \"Enabled\".\n7. Select the policy from the drop-down.\n8. Update.\n9. Repeat for additional virtual servers.","ccis":["CCI-000067"]},{"vulnId":"V-266139","ruleId":"SV-266139r1024837_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. 
The encryption strength of the mechanism is selected based on the security categorization of the information.\n\nThis requirement applies to ALGs providing remote access proxy services as part of their intermediary services (e.g., OWA or SSL VPN gateway).\n\nSatisfies: SRG-NET-000062-ALG-000011, SRG-NET-000062-ALG-000150, SRG-NET-000063-ALG-000012, SRG-NET-000230-ALG-000113, SRG-NET-000355-ALG-000117","checkContent":"If the BIG-IP appliance does not provide intermediary services for remote access (e.g., web content filter, TLS, and webmail), TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable.\n\nClient SSL Profile\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. SSL.\n4. Client.\n5. Click on the name of the SSL Profile.\n6. Change \"Configuration\" to \"Advanced\".\n7. Verify \"Ciphers\" is configured to use NIST FIPS-validated ciphers.\n8. Repeat for other SSL Profiles in use.\n\nVirtual Server\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the virtual server.\n5. Verify that the \"SSL Profile (Client)\" is using a NIST FIPS-validated SSL Profile.\n6. Repeat these steps to review all other virtual servers.\n\nIf the BIG-IP appliance is not configured to use TLS 1.2 or higher, this is a finding.","fixText":"Client SSL Profile\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. SSL.\n4. Client.\n5. Click on the name of the SSL Profile.\n6. Change \"Configuration\" to \"Advanced\".\n7. Configure \"Ciphers\" to use NIST FIPS-validated ciphers.\n8. Click \"Update\".\n9. Repeat for other SSL Profiles in use.\n\nVirtual Server\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the virtual server.\n5. Configure \"SSL Profile (Client)\" to use a NIST FIPS-validated SSL Profile.\n6. Click \"Update\".\n7. 
Repeat for other virtual servers.","ccis":["CCI-000068","CCI-001453","CCI-001184","CCI-002470"]},{"vulnId":"V-266140","ruleId":"SV-266140r1024838_rule","severity":"medium","ruleTitle":"To protect against data mining, the F5 BIG-IP appliance providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n\nCompliance requires the ALG to have the capability to prevent code injections. Examples include Web Application Firewalls (WAFs) or database application gateways.\n\nSatisfies: SRG-NET-000318-ALG-000014, SRG-NET-000319-ALG-000015","checkContent":"If the ALG does not perform content filtering as part of the traffic management functions, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. Click the name of the policy.\n6. Verify \"Enforcement Mode\" is set to \"Blocking\".\n7. Select \"Attack Signatures\".\n8. Click the filter at the top left of the signatures window.\n9. Select \"XPath Injection\" in the \"Attack Type\" field and click \"Apply\".\n10. 
Verify \"Block\" is checked for all signatures and \"Status\" is set to \"Enforced\".\n11. Click the filter at the top left of the signatures window.\n12. Select \"LDAP Injection\" in the \"Attack Type\" field and click \"Apply\".\n13. Verify \"Block\" is checked for all signatures and \"Status\" is set to \"Enforced\".\n\nIf the BIG-IP appliance is not configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. Click the name of the policy.\n6. Set \"Enforcement Mode\" to \"Blocking\".\n7. Select \"Attack Signatures\".\n8. Click the filter at the top left of the signatures window.\n9. Select \"XPath Injection\" in the \"Attack Type\" field and click \"Apply\".\n10. Select all signatures in the filtered list and click \"Enforce\".\n11. Click \"Enforce\" again.\n12. Click the filter at the top left of the signatures window.\n13. Select \"LDAP Injection\" in the \"Attack Type\" field and click \"Apply\".\n14. Select all signatures in the filtered list and click \"Enforce\".\n15. Click \"Enforce\" again.\n16. Click \"Apply Policy\".","ccis":["CCI-002346","CCI-002347"]},{"vulnId":"V-266141","ruleId":"SV-266141r1024839_rule","severity":"medium","ruleTitle":"To protect against data mining, the F5 BIG-IP appliance providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. 
Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nCompliance requires the ALG to have the capability to prevent code injections. Examples include Web Application Firewalls (WAFs) or database application gateways.\n\nSatisfies: SRG-NET-000318-ALG-000151, SRG-NET-000319-ALG-000153","checkContent":"If the ALG does not perform content filtering as part of the traffic management functions, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. Click the name of the policy.\n6. Verify \"Enforcement Mode\" is set to \"Blocking\".\n7. Select \"Attack Signatures\".\n8. Click the filter at the top left of the signatures window.\n9. Select \"Buffer Overflow\" in the \"Attack Type\" field and click \"Apply\".\n10. Verify \"Block\" is checked for all signatures and \"Status\" is set to \"Enforced\".\n11. Click the filter at the top left of the signatures window.\n12. Select \"Server Side Code Injection\" in the \"Attack Type\" field and click \"Apply\".\n13. Verify \"Block\" is checked for all signatures and \"Status\" is set to \"Enforced\".\n\nIf the BIG-IP appliance is not configured to prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. Click the name of the policy.\n6. Set \"Enforcement Mode\" to \"Blocking\".\n7. Select \"Attack Signatures\".\n8. 
Click the filter at the top left of the signatures window.\n9. Select \"Buffer Overflow\" in the \"Attack Type\" field and click \"Apply\".\n10. Select all signatures in the filtered list and click \"Enforce\".\n11. Click \"Enforce\" again.\n12. Click the filter at the top left of the signatures window.\n13. Select \"Server Side Code Injection\" in the \"Attack Type\" field and click \"Apply\".\n14. Select all signatures in the filtered list and click \"Enforce\".\n15. Click \"Enforce\" again.\n16. Click \"Apply Policy\".","ccis":["CCI-002346","CCI-002347"]},{"vulnId":"V-266142","ruleId":"SV-266142r1024368_rule","severity":"medium","ruleTitle":"To protect against data mining, the F5 BIG-IP appliance providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nCompliance requires the ALG to have the capability to prevent SQL code injections. Examples include Web Application Firewalls (WAFs) or database application gateways.\n\nSatisfies: SRG-NET-000318-ALG-000152, SRG-NET-000319-ALG-000020","checkContent":"If the ALG does not perform content filtering as part of the traffic management functions, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. 
Click the name of the policy.\n6. Verify \"Enforcement Mode\" is set to \"Blocking\".\n7. Select \"Attack Signatures\".\n8. Click the filter at the top left of the signatures window.\n9. Select \"SQL-Injection\" in the \"Attack Type\" field and click \"Apply\".\n10. Verify \"Block\" is checked for all signatures and \"Status\" is set to \"Enforced\".\n\nIf the BIG-IP appliance is not configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Security Policies.\n4. Policies List.\n5. Click the name of the policy.\n6. Set \"Enforcement Mode\" to \"Blocking\".\n7. Select \"Attack Signatures\".\n8. Click the filter at the top left of the signatures window.\n9. Select \"SQL-Injection\" in the \"Attack Type\" field and click \"Apply\".\n10. Select all signatures in the filtered list and click \"Enforce\".\n11. Click \"Enforce\" again.\n12. Click \"Apply Policy\".","ccis":["CCI-002346","CCI-002347"]},{"vulnId":"V-266143","ruleId":"SV-266143r1024370_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance providing user access control intermediary services must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.","description":"Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise of and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.\n\nAuthorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. 
Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.\n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which they act as intermediary.","checkContent":"If the BIG-IP appliance does not provide user access control intermediary services, this is not applicable.\n\nIf the Advanced Resource Assign VPE agent is not used in any policy, this is not a finding.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Review each Resource.\n- If the Advanced Resource Assign agent is used, verify that each expression listed is explicitly configured to use an authorization list.\n\nIf the F5 BIG-IP appliance Access Policy has any assigned resources that are not configured with a specific authorization list, this is a finding.","fixText":"For each APM Access Policy, ensure that for each resource, all Advanced Resource Assign agents used in the configuration are explicitly configured to use an authorization list.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Click on any items that use the Advanced Resource Assign VPE object.\n6. For each entry with an expression that is \"Empty\", click \"change\".\n7. Add an appropriate expression that validates the user's authorization to access the resource specified in the item.\n8. Click \"Finished\".\n9. Click \"Save\".\n10. 
Click \"Apply Access Policy\".","ccis":["CCI-000213"]},{"vulnId":"V-266144","ruleId":"SV-266144r1024371_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.","description":"Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.\n\nInformation flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems. Examples of information flow control restrictions include keeping export-controlled information from being transmitted in the clear to the internet or blocking information marked as classified that is being transported to an unapproved destination.\n\nALGs enforce approved authorizations by employing security policy and/or rules that restrict information system services, provide packet filtering capability based on header or protocol information and/or message filtering capability based on data content (e.g., implementing key word searches or using document characteristics).\n\nSatisfies: SRG-NET-000018-ALG-000017, SRG-NET-000019-ALG-000018","checkContent":"From the BIG-IP GUI:\n1. Security.\n2. Network Firewall.\n3. Active Rules.\n4. Verify \"Policy Type\" is set to \"Enforced\".\n5. 
Inspect the different \"Context\" choices and verify rules are configured to enforce approved authorizations for controlling the flow of information within the network.\n\nIf the BIG-IP appliance is not configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. Network Firewall.\n3. Policies.\n4. Create and/or edit firewall policies that are applied to the Context needed to enforce approved authorizations for controlling the flow of information within the network.","ccis":["CCI-001368","CCI-001414"]},{"vulnId":"V-266145","ruleId":"SV-266145r1024372_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing user access control intermediary services must display the Standard Mandatory DOD-approved Notice and Consent Banner before granting access to the network.","description":"Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the logon function residing on the network element.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nThis policy only applies to ALGs (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.\n\nSatisfies: SRG-NET-000041-ALG-000022, SRG-NET-000042-ALG-000023, SRG-NET-000043-ALG-000024","checkContent":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit...\" in the \"Per-Session Policy\" column for an Access Profile used for granting access.\n5. 
Verify the Access Profile is configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. The banner must be exactly formatted in accordance with the policy (see below).\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the BIG-IP APM module is not configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit...\" in the \"Per-Session Policy\" column for an Access Profile used for granting access.\n5. 
Configure the Access Profile to display the Standard Mandatory DOD Notice and Consent Banner below before granting access to the system.\n6. Click \"Apply Access Policy\".\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"","ccis":["CCI-000048","CCI-000050","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-266146","ruleId":"SV-266146r1024841_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance must generate event log records that can be forwarded to the centralized events log.","description":"Without generating audit records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The device logs internal users associated with denied outgoing communications traffic posing a threat to external information systems.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes.\n\nSatisfies: SRG-NET-000492-ALG-000027, SRG-NET-000494-ALG-000029, SRG-NET-000495-ALG-000030, SRG-NET-000496-ALG-000031, SRG-NET-000497-ALG-000032, SRG-NET-000498-ALG-000033, SRG-NET-000499-ALG-000034, SRG-NET-000500-ALG-000035, SRG-NET-000501-ALG-000036, SRG-NET-000502-ALG-000037, SRG-NET-000503-ALG-000038, SRG-NET-000505-ALG-000039, SRG-NET-000513-ALG-000026, SRG-NET-000074-ALG-000043, SRG-NET-000075-ALG-000044, SRG-NET-000076-ALG-000045, SRG-NET-000077-ALG-000046, SRG-NET-000078-ALG-000047, SRG-NET-000079-ALG-000048, SRG-NET-000249-ALG-000146, SRG-NET-000383-ALG-000135, SRG-NET-000385-ALG-000138, SRG-NET-000392-ALG-000141, SRG-NET-000392-ALG-000142, SRG-NET-000392-ALG-000143, SRG-NET-000392-ALG-000147, SRG-NET-000392-ALG-000148, SRG-NET-000392-ALG-000149, SRG-NET-000370-ALG-000125","checkContent":"APM Default Log Profile:\nFrom the BIG-IP GUI:\n1. Access.\n2. Overview.\n3. Event Logs.\n4. Settings.\n5. Check the box for the \"default-log-setting\" and click \"Edit\".\n6. Verify \"Enable Access System Logs\" is checked.\n7. 
On the \"Access System Logs\" tab, verify all items are set to \"Notice\".\n\nAccess Profile Log Setting:\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles (Per-Session Policies).\n4. Click the Name of the Access Profile.\n5. Logs tab.\n6. Verify \"default-log-setting\" is in the \"Selected\" column.\n\nIf the BIG-IP appliance is not configured to generate log records, this is a finding.","fixText":"Note: Performing this fix modifies the \"default-log-setting\" log profile, but users can use a different log profile for the Access Profile. However, this requires using the APM Module.\n\nAPM Default Log Profile:\nFrom the BIG-IP GUI:\n1. Access.\n2. Overview.\n3. Event Logs.\n4. Settings.\n5. Check the box for the \"default-log-setting\" and click \"Edit\".\n6. Check \"Enable Access System Logs\".\n7. On the \"Access System Logs\" tab, set all items to \"Notice\".\n8. Click \"OK\".\n\nAccess Profile Log Setting:\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles (Per-Session Policies).\n4. Click the Name of the Access Profile.\n5. Logs tab.\n6. Move \"default-log-setting\" to the \"Selected\" column.\n7. Click \"Update\".","ccis":["CCI-000172","CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-001487","CCI-001243","CCI-002656","CCI-002684","CCI-002664","CCI-002400"]},{"vulnId":"V-266147","ruleId":"SV-266147r1024374_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as SMTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. 
This type of monitoring allows for the detection of known and unknown exploits which exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an SMTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound SMTP and extended SMTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.","checkContent":"If the BIG-IP appliance does not provide intermediary/proxy services for SMTP communications traffic, this is not applicable.\n\nSMTP Profile:\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. Services.\n4. SMTP.\n5. Click the name of the SMTP profile.\n6. Verify \"Protocol Security\" is checked.\n\nSMTP Virtual Server:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the SMTP virtual server.\n5. Verify the SMTP profile is selected in the \"SMTP Profile\" drop-down list.\n\nIf the BIG-IP appliance is not configured to inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"SMTP Profile:\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. Services.\n4. SMTP.\n5. Click the name of the SMTP profile.\n6. Check \"Protocol Security\".\n7. Click \"Update\".\n\nSMTP Virtual Server:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the SMTP virtual server.\n5. Select the SMTP profile from the \"SMTP Profile\" drop-down list.\n6. 
Click \"Update\".\n\nRefer to vendor documentation for more information.","ccis":["CCI-000366","CCI-001125"]},{"vulnId":"V-266148","ruleId":"SV-266148r1024375_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits which exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an FTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound FTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.","checkContent":"If the BIG-IP appliance does not provide intermediary/proxy services for FTP communications traffic, this is not applicable.\n\nFTP Profile:\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. Services.\n4. FTP.\n5. Click the name of the FTP profile.\n6. Verify \"Protocol Security\" is checked.\n\nFTP Virtual Server:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the FTP virtual server.\n5. Verify the FTP profile is selected in the \"FTP Profile\" drop-down list.\n\nIf the BIG-IP appliance is not configured to inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"FTP Profile:\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. Services.\n4. FTP.\n5. Click the name of the FTP profile.\n6. Check \"Protocol Security\".\n7. Click \"Update\".\n\nFTP Virtual Server:\n1. Local Traffic.\n2. Virtual Servers.\n3. 
Virtual Server List.\n4. Click the name of the FTP virtual server.\n5. Select the FTP profile from the \"FTP Profile\" drop-down list.\n6. Click \"Update\".\n\nRefer to vendor documentation for more information.","ccis":["CCI-000366","CCI-001125"]},{"vulnId":"V-266149","ruleId":"SV-266149r1024844_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits which exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an HTTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound HTTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.\n\nAll inbound and outbound traffic, including HTTPS, must be inspected. However, the intention of this policy is not to mandate HTTPS inspection by the ALG. Typically, HTTPS traffic is inspected at the source or destination, and/or is directed for inspection to an organizationally defined network termination point.","checkContent":"If the BIG-IP appliance does not provide intermediary/proxy services for HTTP communications traffic, this is not applicable.\n\nApplication Security Policy:\nFrom the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Policy Building.\n4. Learning and Blocking Settings.\n5. Verify the correct policy is selected from the drop-down in the upper left.\n6. Expand \"HTTP protocol compliance failed\".\n7. Verify the proper inspection criteria are selected.\n\nHTTP Virtual Server:\nFrom the BIG-IP GUI:\n1. 
Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the HTTP Virtual Server.\n5. Security >> Policies tab.\n6. Verify the correct policy is selected for \"Application Security Policy\".\n\nIf the BIG-IP appliance is not configured to inspect inbound and outbound HTTP communications traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"Application Security Policy:\nFrom the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Policy Building.\n4. Learning and Blocking Settings.\n5. Select the correct policy from the drop-down in the upper left.\n6. Expand \"HTTP protocol compliance failed\".\n7. Select the proper inspection criteria.\n8. Click \"Save\".\n9. Click \"Apply Policy\".\n\nHTTP Virtual Server:\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click the name of the HTTP virtual server.\n5. Security >> Policies tab.\n6. Set \"Application Security Policy\" to \"Enabled\".\n7. Select the correct policy from the drop-down.\n8. Click \"Update\".\n\nRefer to vendor documentation for more information.","ccis":["CCI-000366","CCI-001125"]},{"vulnId":"V-266150","ruleId":"SV-266150r1024377_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments.","description":"To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. 
DOD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols, or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DOD policy. The ALG is a key network element for preventing these noncompliant ports, protocols, and services from causing harm to DOD information systems.\n\nThe network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older versions of protocols and applications and will address most known nonsecure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.\n\nSatisfies: SRG-NET-000132-ALG-000087, SRG-NET-000131-ALG-000085","checkContent":"From the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. Verify that the listed virtual servers are not configured to listen on unnecessary and/or nonsecure functions, ports, protocols, and/or services.\n\nIf any services are running that must not be, this is a finding.","fixText":"Check the PPSM CAL and the site's System Security Plan/documentation for a list of prohibited ports, protocols, and services.\n\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. For any virtual server(s) listening on any unnecessary and/or nonsecure functions, ports, protocols, and/or services, check the box next to the virtual server and click \"Delete\".\n4. 
Click \"Delete\" again.","ccis":["CCI-000382","CCI-000381"]},{"vulnId":"V-266152","ruleId":"SV-266152r1024845_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.\n\n1. Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication.\n2. Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\nThis requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.\n\nSatisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000140-ALG-000094, SRG-NET-000166-ALG-000101, SRG-NET-000169-ALG-000102","checkContent":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles (Per-Session Policies).\n4. Click \"Edit\" for the Access Profile being used.\n5. 
Verify the Access Profile uses an authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.\n\nIf the BIG-IP appliance is not configured to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles (Per-Session Policies).\n4. Click \"Edit\" for the Access Profile being used.\n5. Configure the Access Profile to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.\n\nNote: To create an authentication object in the VPE, it must first be created in APM under Access >> Authentication. Once it has been created, add it to the Access Policy VPE by clicking the \"+\", selecting the \"Authentication\" tab, and selecting the appropriate type of authentication.","ccis":["CCI-000764","CCI-001951","CCI-001948","CCI-000766","CCI-000187","CCI-000804"]},{"vulnId":"V-266153","ruleId":"SV-266153r1024380_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance must configure certification path validation to ensure revoked machine credentials are prohibited from establishing an allowed session.","description":"A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.\n\nCertification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. 
Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.","checkContent":"If the BIG-IP appliance does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Verify an \"OCSP Auth\" object is configured in the Access Profile for \"Machine\" type or a CRLDP object is configured.\n\nIf the BIG-IP appliance is not configured to use OCSP or CRLDP to ensure revoked machine credentials are prohibited from establishing an allowed session, this is a finding.","fixText":"If the Access Profile is configured to pull a machine cert using the \"Machine Cert Auth\" object in the policy, then perform the following actions. Note that pulling a Machine Cert requires the use of the APM Edge Client installed on the client.\n\nTo add OCSP machine certificate verification to an access policy:\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Click the \"+\" icon on the Successful branch of the Machine Cert Auth object.\n6. Authentication tab.\n7. Select \"OCSP Auth\".\n8. Click \"Add Item\".\n9. From the OCSP Responder list, select an OCSP responder.\nNote: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.\n10. From the Certificate Type list, select \"Machine\".\n11. Click \"Save\".\n12. Click \"Apply Access Policy\".\n\nTo add CRLDP certificate verification to an access policy:\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. 
Click the \"+\" icon on the Successful branch of the Machine Cert Auth object.\n6. Authentication tab.\n7. Select \"CRLDP Auth\".\n8. Click \"Add Item\".\n9. Select an item from the CRLDP Server list.\nNote: To create a CRLDP Server, go to Access >> Authentication >> CRLDP.\n10. Click \"Save\".\n11. Click \"Apply Access Policy\".","ccis":["CCI-000185"]},{"vulnId":"V-266154","ruleId":"SV-266154r1024381_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.","description":"Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).\n\nThe intent of this requirement is to require support for a secondary certificate validation method using a locally cached revocation data, such as Certificate Revocation List (CRL), in case access to OCSP (required by CCI-000185) is not available. Based on a risk assessment, an alternate mitigation is to configure the system to deny access when revocation data is unavailable. \n\nThis requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).","checkContent":"If the BIG-IP appliance does not provide PKI-based user authentication intermediary services, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. 
Verify an \"OCSP Auth\" and/or \"CRLDP\" object is configured in the Access Profile VPE AND that the fallback branch of these objects leads to a \"Deny\" ending.\n\nIf the BIG-IP appliance is not configured to deny access when revocation data is unavailable, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Add an \"OCSP Auth\" and/or \"CRLDP\" object in the Access Profile.\nNote: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.\nNote: To create a CRLDP object, go to Access >> Authentication >> CRLDP.\n6. Ensure the fallback branch of these objects goes to a \"Deny\" ending.\n7. Click \"Apply Access Policy\".","ccis":["CCI-001991"]},{"vulnId":"V-266155","ruleId":"SV-266155r1024382_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance must terminate all network connections associated with a communications session at the end of the session or after 15 minutes of inactivity.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection.\n\nALGs may provide session control functionality as part of content filtering, load balancing, or proxy services.","checkContent":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the name of the Access Profile.\n5. 
Verify \"Inactivity Timeout\" is configured for 900 seconds.\n\nIf the BIG-IP appliance is not configured to terminate all network connections associated with a user (nonprivileged) communications session after 15 minutes of inactivity, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the name of the Access Profile.\n5. Set \"Inactivity Timeout\" to 900 seconds.\nNote: If the setting is grayed out, check the box to the right of the setting.\n6. Click \"Update\".","ccis":["CCI-001133"]},{"vulnId":"V-266156","ruleId":"SV-266156r1024848_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing content filtering must employ rate-based attack prevention behavior analysis.","description":"If the network does not provide safeguards against denial-of-service (DoS) attacks, network resources will be unavailable to users.\n\nInstallation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nDetection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures. 
Rate-based behavior analysis can detect sophisticated, distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.\n \nThis requirement applies to the communications traffic functionality of the ALG as it pertains to handling communications traffic, rather than to the ALG device itself.\n\nSatisfies: SRG-NET-000362-ALG-000112, SRG-NET-000362-ALG-000126, SRG-NET-000192-ALG-000121","checkContent":"If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Security.\n2. DoS Protection.\n3. Device Protection.\n4. Expand each of the applicable families (Network, DNS, SIP) depending on the traffic being handled by the BIG-IP and verify the \"State\" is set to \"Mitigate\" for all signatures in that family.\n\nIf the BIG-IP appliance is not configured to protect against known and unknown types of DoS attacks by employing rate-based attack prevention behavior analysis, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. DoS Protection.\n3. Device Protection.\n4. Expand each of the applicable families (Network, DNS, SIP) one at a time depending on the traffic being handled by the BIG-IP and do the following for each:\na. Check the box at the top of the list of signatures to select all.\nb. Set \"Set State\" to \"Mitigate\".\n5. 
Click \"Commit Changes to System\".\n\nNote: Sites must operationally test or initially use learning mode prior to turning on all of the options in all families to prevent operational impacts, particularly in implementations with large traffic volumes.","ccis":["CCI-002385","CCI-001094"]},{"vulnId":"V-266157","ruleId":"SV-266157r1024386_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing content filtering must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing pattern recognition pre-processors.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.\n\nInstallation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks.\n\nDetection components that use pattern recognition pre-processors can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures.\n\nThis requirement applies to the communications traffic functionality of the ALG as it pertains to handling communications traffic, rather than to the ALG device itself.","checkContent":"If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Security.\n2. DoS Protection.\n3. Device Protection.\n4. Expand \"Network\" and verify \"Dynamic Signatures\" are enabled.\n5. 
If applicable, expand \"DNS\" and verify \"Dynamic Signatures\" are enabled.\n\nIf the BIG-IP appliance is not configured to protect against or limit the effects of known and unknown types of DoS attacks by employing pattern recognition pre-processors, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. DoS Protection.\n3. Device Protection.\n4. Expand \"Network\".\n5. Click \"Configure settings\".\n6. Set \"Dynamic Signature Detection\" to \"Enabled\".\n7. If applicable, expand \"DNS\".\n8. Click \"Configure settings\".\n9. Set \"Dynamic Signature Detection\" to \"Enabled\".\n10. Click \"Commit Changes to System\".","ccis":["CCI-002385"]},{"vulnId":"V-266158","ruleId":"SV-266158r1024387_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance must check the validity of all data inputs except those specifically identified by the organization.","description":"Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application.\n\nNetwork devices with the functionality to perform application layer inspection may be leveraged to validate data content of network communications. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software typically follows well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. 
If network elements use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Pre-screening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.\n\nThis requirement applies to gateways and firewalls that perform content inspection or have higher-layer proxy functionality.","checkContent":"From the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Parameters.\n4. Parameters List.\n5. Select the appropriate policy from the drop-down menu in the top left.\n6. Verify the appropriate parameters are configured for the application (e.g., character set, length, numerical range, and acceptable values).\n\nIf the BIG-IP appliance is not configured to check the validity of all data inputs except those specifically identified by the organization, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Security.\n2. Application Security.\n3. Parameters.\n4. Parameters List.\n5. Select the appropriate policy from the drop-down menu in the top left.\n6. 
Configure the appropriate parameters for the application (e.g., character set, length, numerical range, and acceptable values).\n\nRefer to vendor documentation for more information.","ccis":["CCI-001310"]},{"vulnId":"V-266159","ruleId":"SV-266159r1024388_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing content filtering must automatically update malicious code protection mechanisms.","description":"The malicious software detection functionality on network elements needs to be constantly updated to identify new threats as they are discovered.\n\nAll malicious software detection functions must come with an update mechanism that automatically updates the application and any associated signature definitions. The organization (including any contractor to the organization) is required to promptly install security-relevant malicious code protection updates. Examples of relevant updates include antivirus signatures, detection heuristic rule sets, and/or file reputation data employed to identify and/or block malicious software from executing.\n\nMalicious code includes viruses, worms, Trojan horses, and spyware.\n\nThis requirement is limited to ALGs, web content filters, and packet inspection firewalls that perform malicious code detection as part of their functionality.","checkContent":"If the BIG-IP appliance does not perform content filtering as part of its traffic management functionality, this is not applicable.\n\nNote: Automatic signature updates can be configured, but depending on site connectivity this may not be possible. In this case, manual upload of updates is possible. The steps below cover automatic update configuration.\n\nAutomatic Update Check:\nFrom the BIG-IP GUI:\n1. System.\n2. Software Management.\n3. Update Check.\n4. Verify that \"Automatic Update Check\" is set to \"Enabled\".\n\nReal-Time Installation of Updates:\n1. System.\n2. Software Management.\n3. Live Update.\n4. 
Under \"Updates Configuration\" click on each item and check that \"Real-Time\" is selected for the setting \"Installation of Automatically Downloaded Updates\".\n\nIf the BIG-IP appliance is not configured to automatically update malicious code protection mechanisms, this is a finding.","fixText":"Note: Automatic signature updates can be configured, but depending on site connectivity this may not be possible. In this case, manual upload of updates is possible. The below covers automatic update configuration.\n\nAutomatic Update Check:\nFrom the BIG-IP GUI:\n1. System.\n2. Software Management.\n3. Update Check.\n4. Set \"Automatic Update Check\" to \"Enabled\".\n5. Click \"Apply Settings\".\n\nReal-Time Installation of Updates:\n1. System.\n2. Software Management.\n3. Live Update.\n4. Under \"Updates Configuration\" click on each item and click \"Real-Time\" for the setting \"Installation of Automatically Downloaded Updates\".\n5. Click \"Save\" for each item.","ccis":["CCI-001247"]},{"vulnId":"V-266160","ruleId":"SV-266160r1024389_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing content filtering must detect use of network services that have not been authorized or approved by the information system security manager (ISSM) and information system security officer (ISSO), at a minimum.","description":"Unauthorized or unapproved network services lack organizational verification or validation, and therefore may be unreliable or serve as malicious rogues for valid services.\n\nExamples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing.\n\nTo comply with this requirement, the ALG may be configured to detect services either directly or indirectly (i.e., by detecting traffic associated with a service). 
This requirement applies to gateways/firewalls that perform content inspection or have higher-layer proxy functionality.","checkContent":"If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable. \n\nIf using the BIG-IP AFM module to perform content filtering:\n\nAFM ACL:\nFrom the BIG-IP GUI:\n1. Security.\n2. Network Firewall.\n3. Policies.\n4. <Policy Name>.\n5. Verify a rule is configured that uses a \"Classification Policy\".\n\nLog Profile:\nFrom the BIG-IP GUI:\n1. Security.\n2. Event Logs.\n3. Logging Profiles.\n4. Edit the global-network profile.\n5. Classification tab.\n6. Verify the Log Publisher is set to the desired setting. (For production environments, F5 recommends using remote logging.)\n\nIf configured rules in the policy do not detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum, this is a finding.","fixText":"AFM ACL:\nFrom the BIG-IP GUI:\n1. Security.\n2. Network Firewall.\n3. Policies.\n4. <Policy Name>.\n5. Configure a rule that uses a \"Classification Policy\".\nNote: To create a Classification Policy, go to Traffic Intelligence >> Policies.\n6. Click \"Commit Changes to System\".\n\nLog Profile:\nFrom the BIG-IP GUI:\n1. Security.\n2. Event Logs.\n3. Logging Profiles.\n4. Edit the global-network profile.\n5. Check \"Enabled\" for \"Classification\".\n6. Classification tab.\n7. Configure the Log Publisher. (For production environments, F5 recommends using remote logging.)\n8. 
Click \"Update\".","ccis":["CCI-002683"]},{"vulnId":"V-266161","ruleId":"SV-266161r1024391_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing content filtering must generate a log record when unauthorized network services are detected.","description":"Unauthorized or unapproved network services lack organizational verification or validation, and therefore may be unreliable or serve as malicious rogues for valid services.\n\nExamples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, instant messaging, auto-execute, and file sharing.","checkContent":"If the BIG-IP appliance does not perform content filtering as part of the traffic management functions, this is not applicable. \n\nIf using the BIG-IP AFM module to perform content filtering:\n\nAFM ACL:\nFrom the BIG-IP GUI:\n1. Security.\n2. Network Firewall.\n3. Policies.\n4. <Policy Name>.\n5. Verify a rule is configured that uses a \"Classification Policy\".\n\nLog Profile:\nFrom the BIG-IP GUI:\n1. Security.\n2. Event Logs.\n3. Logging Profiles.\n4. Edit the global-network profile.\n5. Classification tab.\n6. Verify the Log Publisher is set to the desired setting. (For production environments, F5 recommends using remote logging.)\n\nIf configured rules in the policy do not detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum, this is a finding.","fixText":"AFM ACL:\nFrom the BIG-IP GUI:\n1. Security.\n2. Network Firewall.\n3. Policies.\n4. <Policy Name>.\n5. Configure a rule that uses a \"Classification Policy\".\nNote: To create a Classification Policy, go to Traffic Intelligence >> Policies.\n6. Click \"Commit Changes to System\".\n\nLog Profile:\nFrom the BIG-IP GUI:\n1. Security.\n2. Event Logs.\n3. Logging Profiles.\n4. Edit the global-network profile.\n5. 
Check \"Enabled\" for \"Classification\".\n6. Classification tab.\n7. Configure the Log Publisher. (For production environments, F5 recommends using remote logging.)\n8. Click \"Update\".","ccis":["CCI-002684"]},{"vulnId":"V-266162","ruleId":"SV-266162r1024392_rule","severity":"low","ruleTitle":"When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.","description":"To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Setting the HTTP Only flag on the APM session cookie prevents client-side script from reading it, so script injected into a page cannot exfiltrate the active session cookie to a third party.\n\nThis option is only applicable to the LTM+APM access profile type. Other access profile types require access to various session cookies to fully function. Sites must conduct operational testing prior to enabling this setting. For implementations with connectivity resources (such as Network Access, Portal Access, etc.), do not set BIG-IP APM cookies with the HTTP Only flag.","checkContent":"If the Access Profile Type is not LTM+APM, or the profile uses connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. SSO/Auth Domains.\n6. Under Cookie Options, verify HTTP Only is enabled.\n\nIf the F5 BIG-IP appliance does not enable the HTTP Only flag, this is a finding.","fixText":"When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, set the HTTP Only flag.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. SSO/Auth Domains.\n6. Under Cookie Options, check the box next to HTTP Only.\n7. Click \"Update\".\n8. 
Click \"Apply Access Policy\".","ccis":["CCI-001664"]},{"vulnId":"V-266163","ruleId":"SV-266163r1024393_rule","severity":"low","ruleTitle":"The F5 BIG-IP appliance must be configured to enable the secure cookie flag.","description":"To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption.\n\nTo ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type.","checkContent":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. SSO/Auth Domains tab.\n6. Under Cookie Options, verify \"Secure\" is enabled.\n\nIf the F5 BIG-IP appliance APM Policy does not enable the Secure cookies flag, this is a finding.","fixText":"Configure each Access Profile to enable the Secure Cookies flag.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. SSO/Auth Domains tab.\n6. Under Cookie Options, check \"Secure\".\n7. Click \"Update\".\n8. Click \"Apply Access Policy\".","ccis":["CCI-001664"]},{"vulnId":"V-266164","ruleId":"SV-266164r1024395_rule","severity":"low","ruleTitle":"The F5 BIG-IP appliance must be configured to disable the persistent cookie flag.","description":"For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), BIG-IP APM cookies cannot be set as Persistent. This is by design since cookies are stored locally on the client's hard disk, and thus could be exposed to unauthorized external access. 
For some deployments of the BIG-IP APM system, cookie persistence may be required. When selecting cookie persistence, persistence is hard-coded at 60 seconds.","checkContent":"If the Access Profile is used for applications that require cookie persistence, then this is not a finding.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. SSO/Auth Domains tab.\n6. Under Cookie Options, verify \"Persistent\" is disabled.\n\nIf the F5 BIG-IP appliance APM Policy has the Persistent cookies flag enabled, this is a finding.","fixText":"Note: Testing must be performed prior to implementation to prevent operational impact. This setting may break access to certain applications that require cookie persistence.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. SSO/Auth Domains tab.\n6. Under Cookie Options, uncheck \"Persistent\".\n7. Click \"Update\".\n8. Click \"Apply Access Policy\".","ccis":["CCI-001664"]},{"vulnId":"V-266165","ruleId":"SV-266165r1024396_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance must configure certificate path validation to ensure revoked user credentials are prohibited from establishing an allowed session.","description":"A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.\n\nCertification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. 
Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.","checkContent":"If the BIG-IP appliance does not provide intermediary services for TLS, or application protocols that use TLS (e.g., HTTPS), this is not applicable.\n\nAccess Policy:\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Verify an \"OCSP Auth\" object with certificate type \"User\" is configured in the Access Profile, or a \"CRLDP Auth\" object is configured.\n\nIf the BIG-IP appliance is not configured to use OCSP or CRLDP to ensure revoked user credentials are prohibited from establishing an allowed session, this is a finding.","fixText":"Access Policy:\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Add an \"OCSP Auth\" object with certificate type \"User\" and select an OCSP Responder, and/or add a \"CRLDP Auth\" object and select a CRLDP server.\nNote: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.\nNote: To create a CRLDP Server object, go to Access >> Authentication >> CRLDP.\n6. Click \"Update\".\n7. Click \"Apply Access Policy\".","ccis":["CCI-000185"]},{"vulnId":"V-266166","ruleId":"SV-266166r1111861_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance must not use the On-demand Cert Auth VPE agent as part of the APM Policy Profiles.","description":"By requiring mutual authentication before any communication, it becomes significantly challenging for attackers to impersonate a client or server and exploit vulnerabilities. 
Furthermore, the encryption of all data transmitted between the client and server ensures that even if an attacker intercepts the data, it remains unintelligible without the correct keys.\n\nTo ensure mTLS is used for session authentication, do not use the On-Demand Cert Auth (ODCA) VPE agent. Normally the client certificate is requested during the initial SSL handshake at the start of the session. With ODCA, the client SSL profile does not request a certificate in the initial handshake; instead, the On-Demand Cert Auth action renegotiates the SSL connection from within the access policy by sending a certificate request to the user, which opens a certificate selection prompt. Setting ODCA to \"require\" means the client cannot proceed any farther in the APM VPE without providing a valid certificate, whereas \"request\" asks the client for a certificate but lets the client continue without one. Because removing ODCA from the VPE alone would leave the client never being prompted for a certificate, the Client Certificate setting in the client SSL profile must be set to \"require\" so that the certificate is demanded in the initial handshake.\n\nWithin the Visual Policy Editor (VPE) of the relevant Access Profile, do not use the On-Demand Cert Auth VPE agent. Configure only the Client Cert Inspection VPE agent. This directs the BIG-IP to examine the client certificate presented during the mTLS handshake and extract the certificate's details into APM session variables.","checkContent":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. Verify the On-Demand Cert Auth agent is not configured in any part of the profile.\nNote: The client SSL profile on the virtual server must also have \"Client Certificate\" set to \"require\" (Local Traffic >> Profiles >> SSL >> Client, under Client Authentication); otherwise, removing the agent leaves the client never prompted for a certificate.\n\nIf the On-Demand Cert Auth agent is used in any Access Policy Profile, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit\" under \"Per-Session Policy\" for the Access Profile.\n5. 
Remove any \"On-Demand Cert Auth\" agents in the profile.\n6. Add a \"Client Cert Inspection\" object in place of the previous \"On-Demand Cert Auth\" agent.\n7. Click \"Apply Access Policy\".\n\nNote: Since use of the On-Demand Cert Auth agent represents a risk to the DOD requirement for mutual authentication (see vulnerability discussion), if applications that use this function are mission essential, then AO approval is required, and use must be documented.","ccis":["CCI-001184"]},{"vulnId":"V-266167","ruleId":"SV-266167r1024399_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.","description":"This setting binds a management web session to the source IP address from which it was authenticated, so a session cookie presented from a different address is rejected. It is an anti-session-hijacking safeguard. Session hijacking, also called cookie hijacking, is the exploitation of a valid computer session to gain unauthorized access to an application. The attacker steals (or hijacks) the cookies from a valid user and attempts to use them for authentication.","checkContent":"From the BIG-IP GUI:\n1. System.\n2. Preferences.\n3. Under Security Settings, verify the \"Require A Consistent Inbound IP For The Entire Web Session\" box is checked.\n\nFrom the BIG-IP Console:\n\ntmsh list sys httpd auth-pam-validate-ip\n\nThe value returned must be \"on\".\n\nIf the BIG-IP appliance is not configured to require a consistent inbound IP for the entire session for management sessions, this is a finding.","fixText":"From the BIG-IP GUI:\n1. System.\n2. Preferences.\n3. Under Security Settings, check \"Require A Consistent Inbound IP For The Entire Web Session\".\n4. 
Click \"Update\".\n\nFrom the BIG-IP Console:\n\ntmsh modify sys httpd auth-pam-validate-ip on\ntmsh save sys config","ccis":["CCI-001184"]},{"vulnId":"V-266168","ruleId":"SV-266168r1024400_rule","severity":"low","ruleTitle":"The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.","description":"The \"Restrict to Single Client IP\" setting is a safeguard against session hijacking or cookie theft. Even if an attacker manages to steal a session cookie, the cookie cannot be used from a source IP address other than the address that initiated the session. This security measure is set within the APM Access Profiles.\n\nThis setting has been recommended by F5 as a defense-in-depth measure. However, in some networks, this may result in false positives or rejection of legitimate connections. Users whose source address changes during a session, such as those behind a pool of proxy addresses or on mobile networks, may be denied access. Thus, sites must test this setting within their network prior to implementing to determine if there are operational impacts that prevent the use of this setting. If so, the site must document the impacts and get approval from the authorizing official (AO) if this required setting will not be implemented.","checkContent":"If the site has documented an adverse operational impact and has AO approval, this is not a finding.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. Under Settings, verify \"Restrict to Single Client IP\" is checked.\n\nIf the BIG-IP appliance is not configured to limit authenticated client sessions to initial session source IP, this is a finding.","fixText":"Note: Setting must be tested. If there are operational impacts that prevent the use of this setting, document the impacts, and obtain approval from the AO if this requirement will not be implemented.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. 
Click the access profile name.\n5. Under Settings, check \"Restrict to Single Client IP\".\nNote: If the setting is grayed out, first check the box at the far right of the setting to make it editable, then check \"Restrict to Single Client IP\".\n6. Click \"Update\".\n7. Click \"Apply Access Policy\".","ccis":["CCI-001184"]},{"vulnId":"V-266170","ruleId":"SV-266170r1029558_rule","severity":"high","ruleTitle":"The F5 BIG-IP appliance must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nNIST cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program have been changed to more stringent protocols and configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.","checkContent":"From the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. SSL.\n4. Client.\n5. Click the name of the SSL Profile.\n6. For \"Ciphers\", ensure only AES-256 or other cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network are configured in compliance with CNSA/CNSSP-15.\nNote: If the profile uses a Cipher Group instead of a cipher string, review the cipher rules in that group (Local Traffic >> Ciphers >> Groups) against the same requirement.\n\nIf the BIG-IP appliance is not configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Local Traffic.\n2. Profiles.\n3. SSL.\n4. Client.\n5. Click the name of the SSL Profile.\n6. 
For \"Ciphers\", configure only AES-256 or other cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network in compliance with CNSA/CNSSP-15.\n7. Click \"Update\".","ccis":["CCI-002450"]},{"vulnId":"V-266171","ruleId":"SV-266171r1024403_rule","severity":"medium","ruleTitle":"The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.","description":"Without identifying and authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.","checkContent":"If the BIG-IP appliance does not provide remote access intermediary services, this is not applicable.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit...\" in the \"Per-Session Policy\" column for the Access Profile.\n5. Verify the Access Profile is configured to uniquely identify and authenticate network devices (for example, by inspecting a device certificate with a \"Client Cert Inspection\" agent and branching on its contents).\n\nIf the BIG-IP appliance is not configured to identify and authenticate all endpoint devices or peers before establishing a connection, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click \"Edit...\" in the \"Per-Session Policy\" column for the Access Profile.\n5. Configure the Access Profile to uniquely identify and authenticate network devices.\n6. Click \"Apply Access Policy\".","ccis":["CCI-000366","CCI-000778","CCI-001958"]},{"vulnId":"V-266172","ruleId":"SV-266172r1024404_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing remote access intermediary services must disable split-tunneling for remote clients' VPNs.","description":"Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.\n\nA VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the internet. 
With split tunneling enabled, a remote client has access to the internet while at the same time having an established secured path to the enclave via the VPN tunnel. A remote client connected to the internet that has been compromised by an attacker on the internet provides an attack base into the enclave's private network via that tunnel. Hence, it is imperative that the VPN gateway enforces a no-split-tunneling policy for all remote clients.","checkContent":"If the BIG-IP appliance does not provide remote access intermediary services, this is not applicable.\n\nAccess Profile:\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the name of the Access Profile.\n5. Click the Access Policy tab and note the name(s) of the Network Access listed.\n\nNetwork Access List:\nFrom the BIG-IP GUI:\n1. Access.\n2. Connectivity/VPN.\n3. Network Access (VPN).\n4. Network Access Lists.\n5. Click on the Name of the Network Access List.\n6. Network Settings tab.\n7. Verify \"Force all traffic through tunnel\" is selected under Client Settings >> Traffic Options.\n\nIf the BIG-IP appliance is not configured to disable split-tunneling for remote client VPNs, this is a finding.","fixText":"Obtain the Network Access name in the Access Profile:\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the name of the Access Profile.\n5. Click the Access Policy tab and note the name(s) of the Network Access listed.\n\nNetwork Access List:\nFrom the BIG-IP GUI:\n1. Access.\n2. Connectivity/VPN.\n3. Network Access (VPN).\n4. Network Access Lists.\n5. Click on the Name of the Network Access List.\n6. Network Settings tab.\n7. Select \"Force all traffic through tunnel\" under Client Settings >> Traffic Options.\n8. 
Click \"Update\".","ccis":["CCI-000366","CCI-002397"]},{"vulnId":"V-266173","ruleId":"SV-266173r1024854_rule","severity":"medium","ruleTitle":"The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.","description":"Remote access devices, such as those providing remote access to network devices and information systems, that lack automated monitoring capabilities increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","checkContent":"If the BIG-IP appliance does not provide remote access intermediary services, this is not applicable.\n\nVerify one of these two options is configured:\n1. The network architecture routes traffic inline from the BIG-IP through an IDPS.\n2. A Protocol Inspection Profile is configured on the Virtual Server.\n\nFrom the BIG-IP GUI:\n1. Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click on the name of the Virtual Server.\n5. Security >> Policies tab.\n6. Verify \"Protocol Inspection Profile\" is set to \"Enabled\" and the \"Profile\" drop-down is set to the appropriate value.\n\nIf the BIG-IP appliance is not configured to route sessions to an IDPS for inspection, this is a finding.","fixText":"Configure one of these two options:\n1. Configure the network architecture to route traffic inline from the BIG-IP through an IDPS.\n2. Configure a Protocol Inspection Profile on the Virtual Server.\n\nFrom the BIG-IP GUI:\n1. 
Local Traffic.\n2. Virtual Servers.\n3. Virtual Server List.\n4. Click on the name of the Virtual Server.\n5. Security >> Policies tab.\n6. Set \"Protocol Inspection Profile\" to \"Enabled\".\n7. Set the \"Profile\" drop-down to the appropriate value.\nNote: To create a Protocol Inspection Profile, go to Security >> Protocol Security >> Inspection Profiles.\n8. Click \"Update\".","ccis":["CCI-000366","CCI-001097"]},{"vulnId":"V-266174","ruleId":"SV-266174r1024406_rule","severity":"medium","ruleTitle":"The VPN Gateway must use Always On VPN connections for remote computing.","description":"Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if the secured connection to the gateway is lost, remote users simply lose internet access until the connection is restored.\n\n\"Always On\" is a term that describes a VPN connection that is secure and always on after the initial connection is established. An Always On VPN deployment establishes a VPN connection with the client without the need for user interaction (e.g., user credentials). The remote client must not be able to access the Internet without first establishing a VPN session with a DOD site.\n\nNote that device compliance checks are still required prior to connecting to DOD resources. Although out of scope for this requirement, the connection process must ensure that remote devices meet security standards before accessing DOD resources. Devices that fail to meet compliance requirements can be denied access, reducing the risk of compromised endpoints.","checkContent":"Verify at least one of these methods is configured.\n\nAlways Connected Mode:\nFrom the BIG-IP GUI:\n1. Access.\n2. Connectivity/VPN.\n3. Connectivity.\n4. Profiles.\n5. Click the name of the profile.\n6. At the bottom, click Customize Package >> Windows.\n7. Click \"BIG-IP Edge Client\" on the left.\n8. 
Verify \"Enable Always connected mode\" is enabled.\n\nMachine Tunnels:\nFrom the BIG-IP GUI:\n1. Access.\n2. Connectivity/VPN.\n3. Connectivity.\n4. Profiles.\n5. Click the name of the profile.\n6. At the bottom, click Customize Package >> Windows.\n7. Verify \"Machine Tunnel Service\" is checked.\n\nIf the BIG-IP VPN Gateway is not configured to use an Always On VPN connection for remote computing, this is a finding.","fixText":"Configure at least one of these methods.\nAlways Connected Mode:\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Connectivity/VPN.\n3. Connectivity.\n4. Profiles.\n5. Click the name of the profile.\n6. At the bottom, click Customize Package >> Windows.\n7. Click \"BIG-IP Edge Client\" on the left.\n8. Check the box next to \"Enable Always connected mode\".\nNote: Always connected mode requires at least one host be listed in the Server list of the Connectivity Profile. Edit the Connectivity Profile to add an entry, if necessary.\n9. Click \"Download\" to save the settings and download the installer.\n\nMachine Tunnels:\nFrom the BIG-IP GUI:\n1. Access.\n2. Connectivity/VPN.\n3. Connectivity.\n4. Profiles.\n5. Click the name of the profile.\n6. At the bottom, click Customize Package >> Windows.\n7. Check \"Machine Tunnel Service\".\n8. Optionally, click \"Machine Tunnel Service\" on the left and check \"Enable NLA for Machine Tunnel\".\nNote: To configure DNS Suffixes for NLA, edit the Connectivity Profile >> Win/Mac Edge Client > Location DNS List.\n9. 
Click \"Download\" to save the settings and download the installer.","ccis":["CCI-000366","CCI-001184"]},{"vulnId":"V-266175","ruleId":"SV-266175r1024855_rule","severity":"low","ruleTitle":"The F5 BIG-IP appliance must be configured to set the \"Max In Progress Sessions per Client IP\" value to 10 or an organizational-defined number.","description":"The \"Max In Progress Sessions Per Client IP\" setting in an APM Access Profile limits the number of sessions that can be in progress (started but not yet fully established) at one time from a single client IP address. This is particularly helpful in preventing a session flood, where an attacker attempts to overwhelm the system by initiating many sessions from a single source. By capping the number of in-progress sessions per IP, this setting helps maintain the system's stability and integrity while providing a layer of protection against such attacks.\n\nThis setting has been recommended by F5 as a defense-in-depth measure. However, in some networks, narrowing the number of in-progress sessions may result in adverse impacts on legitimate connections. Thus, sites must test this setting within their network prior to implementing to determine the minimum acceptable number. This should not remain at the very high default value and should not be excessively high. Document the organizational value.","checkContent":"Note: Setting must be tested to determine if a number greater than 10 is operationally necessary. Ten is the baseline value but may have operational impacts where many users share a NAT or proxy address. Set to the minimum that is possible without adverse impacts, and document the setting and the operational testing.\n\nFrom the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. 
In the \"Settings\" section, verify \"Max In Progress Sessions per Client IP\" is set to 10 or an organization-defined number.\n\nIf the F5 BIG-IP APM access policy is not configured to set a \"Max In Progress Sessions per Client IP\" value to 10 or an organization-defined number, this is a finding.","fixText":"From the BIG-IP GUI:\n1. Access.\n2. Profiles/Policies.\n3. Access Profiles.\n4. Click the access profile name.\n5. In the \"Settings\" section, set \"Max In Progress Sessions per Client IP\" to 10 or an organization-defined number.\nNote: If the setting is grayed out, check the box to the right of the setting and then update it. If the setting is not set to 10, verify the operational reason is documented and approved by the AO.\n6. Click \"Update\".\n7. Click \"Apply Access Policy\".","ccis":["CCI-000054"]}]}
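As an added example (not part of the STIG and not F5's own tooling), the following Python script audits `tmsh list` output for the access-profile settings in V-266162, V-266163, V-266164, V-266168 and V-266175 and the client SSL cipher string in V-266170, which lets all of those GUI checks be repeated across every profile from one console capture. The tmsh output embedded in it is constructed; the attribute names (secure-cookie, httponly-cookie, persistent-cookie, restrict-to-single-client-ip, max-in-progress-sessions, type, ciphers, cipher-group), the meaning of 0 as "unlimited", and the AES256-GCM-SHA384 test for a CNSA-compliant TLS suite are assumptions to confirm against your own release before relying on the result. Feed it real output from `tmsh list apm profile access all-properties` and `tmsh list ltm profile client-ssl`.

```python
"""Offline audit of tmsh `list` output against the APM cookie, client-IP,
in-progress-session and client-ssl cipher rules above (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like `tmsh list apm profile access` and
# `tmsh list ltm profile client-ssl` output. Attribute names and their GUI
# meaning (secure-cookie/httponly-cookie/persistent-cookie = Cookie Options,
# restrict-to-single-client-ip, max-in-progress-sessions, type ltm-apm =
# LTM+APM) are assumptions to confirm on your own release.
SAMPLE_TMSH = """\
apm profile access /Common/portal_apm {
    accept-languages { en }
    httponly-cookie false
    max-in-progress-sessions 128
    persistent-cookie true
    restrict-to-single-client-ip false
    secure-cookie true
    type ltm-apm
}
apm profile access /Common/vpn_apm {
    httponly-cookie false
    max-in-progress-sessions 10
    persistent-cookie false
    restrict-to-single-client-ip true
    secure-cookie true
    type all
}
ltm profile client-ssl /Common/legacy_clientssl {
    cipher-group none
    ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3
}
"""
HEADER_RE = re.compile(r"^(\S+(?: \S+)*?) (/\S+) \{$")

def parse_tmsh(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Map (object kind, path) -> {attribute: raw value}; one-line sets such
    as `accept-languages { en }` are kept as strings."""
    objects: Dict[Tuple[str, str], Dict[str, str]] = {}
    current: Optional[Tuple[str, str]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if current is None:                      # expecting an object header
            match = HEADER_RE.match(line)
            if match:
                current = (match.group(1), match.group(2))
                objects[current] = {}
        elif line == "}":                        # top-level close brace
            current = None
        else:
            key, _, value = stripped.partition(" ")
            objects[current][key] = value.strip()
    return objects

def audit_access_profile(props: Dict[str, str], max_in_progress: int = 10) -> List[str]:
    """Findings for one access profile; pass the documented, AO-approved
    organizational number as max_in_progress when it is not 10."""
    findings = []
    if props.get("secure-cookie") != "true":
        findings.append("V-266163: Secure cookie flag is not enabled")
    if props.get("persistent-cookie") == "true":
        findings.append("V-266164: Persistent cookie flag is enabled")
    # HTTP Only applies to LTM+APM profiles without connectivity resources; the
    # VPE contents are not in this output, so such profiles are flagged for review.
    if props.get("type") == "ltm-apm" and props.get("httponly-cookie") != "true":
        findings.append("V-266162: HTTP Only flag not enabled on LTM+APM profile (review VPE)")
    if props.get("restrict-to-single-client-ip") != "true":
        findings.append("V-266168: Restrict to Single Client IP is not enabled")
    in_progress = int(props.get("max-in-progress-sessions", "0"))
    if in_progress == 0 or in_progress > max_in_progress:  # 0 assumed to mean unlimited
        findings.append(f"V-266175: Max In Progress Sessions per Client IP is {in_progress}, limit {max_in_progress}")
    return findings

def audit_client_ssl(props: Dict[str, str]) -> List[str]:
    """Flag cipher entries that are not AES-256-GCM/SHA-384 (the CNSA TLS
    cipher shape assumed here); keywords and cipher groups need manual review."""
    findings = []
    if props.get("cipher-group", "none") != "none":
        findings.append(f"V-266170: cipher-group {props['cipher-group']} in use, review its rules")
    for entry in props.get("ciphers", "").split(":"):
        if not entry or entry[0] in "!-@":       # exclusion or ordering directive
            continue
        if "-" not in entry:                     # keyword such as DEFAULT, HIGH or TLSv1_2
            findings.append(f"V-266170: expand keyword {entry} (tmm --clientciphers) and review")
        elif "AES256-GCM-SHA384" not in entry:
            findings.append(f"V-266170: cipher {entry} is not an AES-256 CNSA suite")
    return findings

def audit(text: str) -> Dict[str, List[str]]:
    """Run the matching audit for every object in the output, keyed by path."""
    report = {}
    for (kind, name), props in parse_tmsh(text).items():
        if kind == "apm profile access":
            report[name] = audit_access_profile(props)
        elif kind == "ltm profile client-ssl":
            report[name] = audit_client_ssl(props)
    return report
```

A hit on V-266162 or V-266175 still needs the manual check: the script cannot see whether the VPE uses connectivity resources, and it only knows the AO-approved in-progress limit if you pass it. Keyword cipher strings such as DEFAULT have to be expanded on the box (for example with `tmm --clientciphers`) before the individual suites can be judged, which is why the script refuses to guess about them.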