
V-238504

CAT II (Medium)

The Riverbed Optimization System (RiOS) must not have unrelated or unnecessary services enabled on the host.

Rule ID

SV-238504r654959_rule

STIG

Riverbed SteelHead CX v8 ALG Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000381

Discussion

Because WAN optimization is optimally installed in the architecture at the perimeter, installing unnecessary functions and services on the same host increases the risk by placing these functions ahead of the network inspection functions and by requiring excessive open ports on the firewall for these functions and services to operate. Loading functions that are outside the scope of, and unrelated to, the WAN optimization function is unauthorized and may create an attack vector. Related services include content filtering, traffic analysis, decryption, caching, and traffic inspection tools (e.g., firewall, IDS); unrelated services include email, DNS, and web server.

When the solution is implemented using a SteelHead CX hardware appliance, consisting of the RiOS installed on the SteelHead, administrators are not able to install any software that is not part of a Riverbed upgrade. RiOS enforces this by performing a validity check when an upgrade is attempted. However, the RiOS application suite is also available in a virtual appliance version, which can be installed on an organization-provided host. This type of implementation adds risk because more ports may need to be opened in the firewall if the host is placed in the recommended logical position in the architecture, after the router and before the firewall and IDS. The traffic should then be routed for inspection after traversing the WAN optimizer.

Check Content

If RiOS is installed on the SteelHead appliance, this is a finding.

Inspect the services and applications that are installed on the host with the RiOS application suite.
Ask the site representative if a security review using the applicable STIG has been performed on the operating system and applications that are co-hosted. 

If unrelated or unnecessary services are installed on the same host as the RiOS, this is a finding.

If a security review using the applicable STIG has not been performed on the operating system and applications co-hosted with the RiOS, this is a finding.

Fix Text

Disable or uninstall unrelated or unnecessary services from the host.