
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

IBM DataPower ALG Security Technical Implementation Guide

Version: V1R1

Release Date: Jan 21, 2016

SCAP Benchmark ID: IBM_DataPower_ALG_STIG

Total Checks: 65

Tags: other

Severity breakdown: CAT I: 1, CAT II: 62, CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Checks (65)

  • V-64979 (MEDIUM): The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
  • V-65191 (MEDIUM): The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  • V-65193 (MEDIUM): The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  • V-65195 (MEDIUM): The DataPower Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
  • V-65197 (MEDIUM): The DataPower Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
  • V-65199 (MEDIUM): The DataPower Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
  • V-65201 (MEDIUM): The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
  • V-65203 (MEDIUM): The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
  • V-65205 (MEDIUM): The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
  • V-65207 (MEDIUM): The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
  • V-65209 (MEDIUM): The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.
  • V-65211 (MEDIUM): The DataPower Gateway must protect audit information from unauthorized read access.
  • V-65213 (MEDIUM): The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
  • V-65215 (MEDIUM): The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-65217 (MEDIUM): The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
  • V-65219 (MEDIUM): The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
  • V-65221 (MEDIUM): The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
  • V-65223 (MEDIUM): The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
  • V-65225 (MEDIUM): The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
  • V-65227 (MEDIUM): The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
  • V-65229 (MEDIUM): The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-65231 (MEDIUM): The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network.
  • V-65233 (MEDIUM): The DataPower Gateway must protect the authenticity of communications sessions.
  • V-65235 (MEDIUM): The DataPower Gateway must invalidate session identifiers upon user logout or other session termination.
  • V-65237 (MEDIUM): The DataPower Gateway must recognize only system-generated session identifiers.
  • V-65239 (MEDIUM): In the event of a system failure of the DataPower Gateway function, the DataPower Gateway must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
  • V-65241 (MEDIUM): The DataPower Gateway must have ICMP responses disabled on all interfaces facing untrusted networks.
  • V-65243 (MEDIUM): To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-65245 (MEDIUM): To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-65247 (MEDIUM): To protect against data mining, the DataPower Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-65249 (MEDIUM): To protect against data mining, the DataPower Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-65251 (MEDIUM): To protect against data mining, the DataPower Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-65253 (MEDIUM): To protect against data mining, the DataPower Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-65255 (MEDIUM): The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to select a user session to capture or view.
  • V-65257 (MEDIUM): The DataPower Gateway must be configured to support centralized management and configuration.
  • V-65259 (MEDIUM): The DataPower Gateway must off-load audit records onto a centralized log server.
  • V-65261 (MEDIUM): The DataPower Gateway must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
  • V-65263 (MEDIUM): The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
  • V-65265 (MEDIUM): The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-65267 (MEDIUM): The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles.
  • V-65269 (MEDIUM): The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
  • V-65271 (HIGH): The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
  • V-65273 (MEDIUM): The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
  • V-65275 (MEDIUM): The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
  • V-65277 (MEDIUM): The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
  • V-65279 (MEDIUM): The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
  • V-65281 (MEDIUM): The DataPower Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
  • V-65283 (LOW): The DataPower Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
  • V-65285 (MEDIUM): The DataPower Gateway providing content filtering must generate a log record when unauthorized network services are detected.
  • V-65287 (MEDIUM): The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected.
  • V-65289 (MEDIUM): The DataPower Gateway providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
  • V-65291 (MEDIUM): The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.
  • V-65293 (MEDIUM): The DataPower Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
  • V-65295 (MEDIUM): The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
  • V-65297 (MEDIUM): The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when root level intrusion events which provide unauthorized privileged access are detected.
  • V-65299 (MEDIUM): The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user level intrusions which provide non-privileged access are detected.
  • V-65301 (MEDIUM): The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.
  • V-65303 (MEDIUM): The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
  • V-65305 (MEDIUM): The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to capture, record, and log all content related to a selected user session.
  • V-65307 (MEDIUM): The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization.
  • V-65309 (MEDIUM): The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
  • V-65311 (MEDIUM): The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
  • V-65313 (MEDIUM): The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
  • V-65315 (LOW): The DataPower Gateway must off-load audit records onto a centralized log server in real time.
  • V-65317 (MEDIUM): The DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service.