The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260055	F5BI-AP-000236	SV-260055r947390_rule		Low

Description
The "Restrict to Single Client IP" is a safeguard against session hijacking or cookie theft. Even if an attacker manages to steal a session cookie, the cookie cannot be used from a different source IP address that the address used to initiate the session. This security measure is set within the APM Access Pro?les. Sites should test this setting within their network prior to implementing. Users behind a shared proxy address may be denied access. Optionally, the F5 BIG-IP APM can be installed and used to produce access reports to find recurring IP sources within the user community.

Description

The "Restrict to Single Client IP" is a safeguard against session hijacking or cookie theft. Even if an attacker manages to steal a session cookie, the cookie cannot be used from a different source IP address that the address used to initiate the session. This security measure is set within the APM Access Pro?les. Sites should test this setting within their network prior to implementing. Users behind a shared proxy address may be denied access. Optionally, the F5 BIG-IP APM can be installed and used to produce access reports to find recurring IP sources within the user community.

STIG	Date
F5 BIG-IP Access Policy Manager Security Technical Implementation Guide	2024-01-26

Details

Check Text ( C-63786r947388_chk )
If the site has documented that this setting has been tested operationally and is operationally harmful because of false positives, this is not a finding. From the BIG-IP GUI: 1. System. 2. Access. 3. Profiles/Policies. 4. Access Profiles. 5. Click the Access profile name. 6. Under "Settings", verify "Restrict to Single Client IP" is checked. If the BIG-IP appliance is not configured to limit authenticated client sessions to initial session source IP, this is a finding.

Check Text ( C-63786r947388_chk )

If the site has documented that this setting has been tested operationally and is operationally harmful because of false positives, this is not a finding.

From the BIG-IP GUI:
1. System.
2. Access.
3. Profiles/Policies.
4. Access Profiles.
5. Click the Access profile name.
6. Under "Settings", verify "Restrict to Single Client IP" is checked.

If the BIG-IP appliance is not configured to limit authenticated client sessions to initial session source IP, this is a finding.

Fix Text (F-63692r947389_fix)
Note: Implementation is OPTIONAL. Setting should be tested to ensure that a denial of service (DoS) does not result. From the BIG-IP GUI: 1. System. 2. Access. 3. Profiles/Policies. 4. Access Profiles. 5. Click the Access profile name. 6. Under "Settings", check "Restrict to Single Client IP". Note: If the box is grayed out, check the box all the way to the right of the setting first and then check the box. 7. Click "Update". 8. Click "Apply Access Policy".

Fix Text (F-63692r947389_fix)

Note: Implementation is OPTIONAL. Setting should be tested to ensure that a denial of service (DoS) does not result.

From the BIG-IP GUI:
1. System.
2. Access.
3. Profiles/Policies.
4. Access Profiles.
5. Click the Access profile name.
6. Under "Settings", check "Restrict to Single Client IP".
Note: If the box is grayed out, check the box all the way to the right of the setting first and then check the box.
7. Click "Update".
8. Click "Apply Access Policy".