
V-279251

CAT I (High)

The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Rule ID

SV-279251r1192886_rule

STIG

Symantec Edge SWG NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000166, CCI-000370, CCI-000163, CCI-000164, CCI-001493, CCI-001494, CCI-001495, CCI-003992, CCI-001499, CCI-001941, CCI-001199, CCI-002169, CCI-000366, CCI-002883, CCI-000765, CCI-000185, CCI-000187, CCI-000764, CCI-004046, CCI-004047

Discussion

Before continuing, the site must follow the configuration steps in SYME-ND-000100.

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and burdens system administrators with multiple authenticators for each network device.

Satisfies: SRG-APP-000080-NDM-000220, SRG-APP-000516-NDM-000336, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000131-NDM-000243, SRG-APP-000133-NDM-000244, SRG-APP-000156-NDM-000250, SRG-APP-000231-NDM-000271, SRG-APP-000329-NDM-000287, SRG-APP-000408-NDM-000314, SRG-APP-000149-NDM-000247, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180

Check Content

1. In the Edge SWG Web UI, navigate to the Configuration tab.
2. Go to Services >> Management Services.
3. Click "Edit" next to HTTPS-console.

Under the "Service Settings", if "Verify Client" is not checked, this is a finding.

Under the "Authentication" section under "Configuration and Realms and Domains", if a Certificate Realm is not configured and set with a valid LDAP authorization realm, this is a finding.

In the Edge SWG Web UI, navigate to the VPM.

If an Admin Access layer is configured for HTTPS-console, verify the group is derived from the CAC/LDAPS admin group; otherwise, this is a finding.

For the SSH-console, verify the group is derived from the LDAPS admin group; otherwise, this is a finding.

1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Enter "ssh-console" and then "x509-auth".
4. Enter "view".

If "x509 certificate authentication" states "disabled", this is a finding.

Fix Text

In the Edge SWG Web UI, navigate to the Configuration tab.

1. Under the "Authentication" section under "Configuration and Realms and Domains", click "Add Realm and LDAP".
2. Add a name.
3. Under "Primary Server", enter the fully qualified domain name (FQDN) of the LDAPS primary domain controller (e.g., dc1.dod.mil), then enter the port number, e.g., 636.
4. Click "Enable SSL".
5. Select the SSL device profile created in SYME-ND-000800.
6. Under "User attribute Type": userPrincipalName.
7. Click "Add DN".
8. Enter the path of the domain (e.g., dc=dod,dc=mil).
9. Click "Show" under "Advanced Settings".
10. Click "Use the same refresh time for all" and set the refresh time to 10 seconds.
11. Set the Inactivity Timeout to 600 seconds.
12. Select "Local" for Group Comparison.
13. Under Alternate Server, type the secondary LDAPS domain controller (e.g., dc2.dod.mil), then enter the port number, e.g., 636.
14. Under "Search", click "only Authorized" and add the search user and password (i.e., the LDAPS service account) in DN format (e.g., CN=broadcom_svc,OU=BROADCOM,DC=dod,DC=mil).
15. Under "Groups", select "user" for membership type and set the attribute to member of.
16. Under "Object Classes", ensure "container" is selected.
17. Click "Test Configuration" to ensure all configuration has been entered correctly.

In the Edge SWG Web UI, navigate to the Configuration tab.

1. Under the Authentication section under "Configuration and Realms and Domains", click "Add Realm and Certificate".
2. Make the name: "CAC".
3. Under username, enter: $(SubjectAltName.OtherName)
4. Under full username, enter: $(SubjectAltName.OtherName.1)
5. Ensure "Authorization Realm" is checked and the previous LDAPS realm is selected.
6. Under "Authorization Username", select "Determined by Search".
7. Ensure the LDAPS search realm is selected.
8. Enter the following in the search filter: (userPrincipalName=$(cs-username)) and ensure the user attribute "Use FQDN" is selected.
9. Click "Show" advanced settings.
10. Ensure "Use persistent cookies" and "Verify the IP address in the cookie" are not checked.

In the Edge SWG Web UI, navigate to the Configuration tab.

1. Under "Services", click "Proxy Services".
2. Click "Add Service".
3. Name the service "CAC-MC-Notify".
4. Under "Proxy type", select "HTTPS Reverse Proxy".
5. Under "Key Ring and CCL", use those created under SYME-ND-000800.
6. Ensure SSL version is TLS 1.2 or 1.3 only.
7. Under "Listeners", add the management IPv4 address intercepting on port 444.
8. Under "Listeners", add the management IPv6 address intercepting on port 444.

In the Edge SWG Web UI, navigate to the VPM.

1. Download the CPL text file "AdminLoginBanner.txt" from the Symantec web portal at https://knowledge.broadcom.com/external/article/388134; it is used in the steps below.
2. Click "Add Layer".
3. Select "CPL".
4. Download the exact CPL file hosted on the Symantec website.
5. Click "Apply Policy" and ensure it loaded correctly.

Go back to the main portion of the VPM.

1. Click "Add Layer".
2. Scroll down and select "Admin Access", then click "Add".
3. Locate the Admin Access Layer (1) that was added and click "Add rule".
4. Inside of the rule, under "Source", left-click and select "Set".
5. Click "Add new Object".
6. Select "Group".
7. Under "Group", type in the full LDAPS Distinguished Name (DN) for the admin group, e.g., CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors,DC=dod,DC=local
8. Under the "Authentication Realm", select the "CAC Certificate Realm".
9. Click "Apply", then click "Set".
10. In the same rule, left-click in the "Service" field and click "Set".
11. Select Service Name: HTTPS-console and click "Set".
12. In the same rule, left-click in the "Action" field and click "Set".
13. Select the action "Allow Read/Write Access" and click "Set".
14. Repeat these steps to add various read-only or read-write groups for the HTTPS-console.
15. For the SSH-Console click "Add rule".
16. Inside of the rule, under "Source", left-click and select "Set".
17. Click "Add new Object".
18. Select "Group".
19. Under the "Group" field, type in the full LDAPS Distinguished Name (DN) for the admin group, e.g., CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors,DC=dod,DC=local
20. Under the "Authentication Realm", select the "LDAPS" realm; do not select the CAC certificate realm.
21. Click "Apply", then click "Set".
22. In the same rule, left-click in the "Service" field and click "Set".
23. Select "Service Name: SSH-console" and click "Set".
24. In the same rule, left-click in the "Action" field and click "Set".
25. Select the action "Allow Read/Write Access" and click "Set".
26. Repeat these steps to add various read-only or read-write groups for the SSH-console.
27. Click "Apply Policy" and ensure it loaded correctly.

In the Edge SWG Web UI, navigate to the Configuration tab.

1. Under "Services", click "Management Services".
2. Click to edit the HTTPS-Console.
3. Ensure the keyring and CCL are those created in SYME-ND-000800.
4. Check "Verify Client" and select "Apply then save".
5. Close, then re-open the browser, then go to the URL associated with the login banner, https://proxy.dod.mil:444.
6. Once the login banner is presented, click "Accept".
7. Select the CAC certificate. Provide the PIN. The user must be authenticated.

Note: If it is unsuccessful, it is possible the LDAPS credential is not valid, the group does not match, or there is an OCSP revocation issue.
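As an added example that is not part of the STIG or of STIGhub, the following Python audits a snapshot of the settings covered by the Check Content and the Fix Text above (Verify Client on the HTTPS-console, a Certificate realm with a valid LDAP authorization realm, primary plus alternate LDAPS servers, Admin Access rules sourced from the expected realm per console, and SSH-console x509-auth) and returns the findings as the check would phrase them. The dict layout, the hostnames and the DNs are this example's own assumptions, not an Edge SWG export format.

```python
def audit_admin_auth(cfg: dict) -> list[str]:
    """Return finding strings for V-279251; an empty list means no finding."""
    findings = []
    realms = cfg.get("realms", {})
    cert_realms = {n for n, r in realms.items() if r.get("type") == "certificate"}
    ldap_realms = {n for n, r in realms.items() if r.get("type") == "ldap"}
    # Management Services >> HTTPS-console >> Service Settings: "Verify Client"
    if not cfg.get("https_console", {}).get("verify_client"):
        findings.append("HTTPS-console: 'Verify Client' is not checked")
    # A Certificate realm must exist and name a valid LDAP realm for authorization
    if not cert_realms:
        findings.append("No Certificate realm is configured")
    for n in cert_realms:
        if realms[n].get("authorization_realm") not in ldap_realms:
            findings.append(f"Certificate realm {n}: no valid LDAP authorization realm")

    # Rule title / Fix steps 3-4 and 13: LDAPS with a primary and an alternate server
    for n in ldap_realms:
        r = realms[n]
        if not (r.get("primary") and r.get("alternate")):
            findings.append(f"LDAP realm {n}: fewer than two authentication servers")
        if not r.get("ssl"):
            findings.append(f"LDAP realm {n}: 'Enable SSL' (LDAPS) is not set")

    # VPM Admin Access layer: HTTPS-console groups must come from the CAC certificate
    # realm and SSH-console groups from the LDAPS realm (Fix steps 8 and 20)
    rules = cfg.get("admin_access_rules", [])
    for svc, allowed in (("HTTPS-console", cert_realms), ("SSH-console", ldap_realms)):
        svc_rules = [x for x in rules if x.get("service") == svc]
        if not svc_rules:
            findings.append(f"{svc}: no Admin Access rule with a group source")
        for x in svc_rules:
            if not x.get("group") or x.get("realm") not in allowed:
                findings.append(f"{svc}: group is not derived from the expected realm")

    # SSH CLI: ssh-console >> x509-auth >> view must not report "disabled"
    if not cfg.get("ssh_console", {}).get("x509_auth"):
        findings.append("SSH-console: x509 certificate authentication is disabled")
    return findings


SAMPLE_COMPLIANT = {  # constructed sample mirroring the Fix Text; names are placeholders
    "https_console": {"verify_client": True}, "ssh_console": {"x509_auth": True},
    "realms": {"LDAPS": {"type": "ldap", "ssl": True, "primary": "dc1.dod.mil:636",
                         "alternate": "dc2.dod.mil:636"},
               "CAC": {"type": "certificate", "authorization_realm": "LDAPS"}},
    "admin_access_rules": [
        {"service": "HTTPS-console", "realm": "CAC", "group": "CN=admins,DC=dod,DC=mil"},
        {"service": "SSH-console", "realm": "LDAPS", "group": "CN=admins,DC=dod,DC=mil"}],
}
```

Running `audit_admin_auth(SAMPLE_COMPLIANT)` returns an empty list; drop the alternate server or point the SSH-console rule at the CAC realm and the corresponding findings appear.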