
A10 Networks ADC NDM Security Technical Implementation Guide


Overview

Date: 2016-04-15
Finding Count (37): CAT I (High): 5, CAT II (Med): 24, CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-68093 High The A10 Networks ADC must not use the default enable password.
V-68051 High The A10 Networks ADC must not use the default admin account.
V-68057 High The A10 Networks ADC must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-68061 High The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are created.
V-68089 High The A10 Networks ADC must not use SNMP Versions 1 or 2.
V-68101 Medium The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
V-68073 Medium The A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
V-68071 Medium The A10 Networks ADC must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
V-68099 Medium The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
V-68097 Medium The A10 Networks ADC must restrict management connections to the management network.
V-68095 Medium The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
V-68103 Medium The A10 Networks ADC must employ centrally managed authentication server(s).
V-68031 Medium The A10 Networks ADC must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
V-68033 Medium The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
V-68069 Medium When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, the password for the emergency administration account must be changed.
V-68037 Medium The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
V-68055 Medium The A10 Networks ADC must prohibit the use of unencrypted protocols for network access to privileged accounts.
V-68091 Medium The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited.
V-68059 Medium The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
V-68063 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are modified.
V-68067 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are removed.
V-68065 Medium The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
V-68085 Medium The A10 Networks ADC must authenticate Network Time Protocol sources.
V-68087 Medium Operators of the A10 Networks ADC must not use the Telnet client built into the device.
V-68081 Medium The A10 Networks ADC must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-68083 Medium The A10 Networks ADC must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-68049 Medium The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
V-68047 Medium The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
V-68053 Medium The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-68075 Low The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.
V-68077 Low The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-68035 Low The A10 Networks ADC must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-68039 Low The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events.
V-68079 Low The A10 Networks ADC must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-68041 Low The A10 Networks ADC must have command auditing enabled.
V-68043 Low The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-68045 Low The A10 Networks ADC must back up audit records at least every seven days onto a different system or system component than the system or component being audited.