The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-68095	AADC-NM-000144	SV-82585r1_rule		Medium

Description
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.

STIG	Date
A10 Networks ADC NDM Security Technical Implementation Guide	2016-04-15

Details

Check Text ( C-68655r1_chk )
Review the device configuration. The following command shows the types of management access allowed on each of the interfaces: show management [ipv4 \| ipv6] The following command shows IPv4 management access information: show management ipv4 If either Telnet or HTTP is listed as "on" for any interface, this is a finding. The following command shows IPv6 management access information: show management ipv6 If either Telnet or HTTP is listed as "on" for any interface, this is a finding. Verify that HTTP for management is disabled. show web-service If HTTP is enabled, this is a finding. HTTPS is allowed for management and is enabled by default.

Check Text ( C-68655r1_chk )

Review the device configuration.

The following command shows the types of management access allowed on each of the interfaces:
show management [ipv4 | ipv6]

The following command shows IPv4 management access information:
show management ipv4

If either Telnet or HTTP is listed as "on" for any interface, this is a finding.

The following command shows IPv6 management access information:
show management ipv6

If either Telnet or HTTP is listed as "on" for any interface, this is a finding.

Verify that HTTP for management is disabled.
show web-service

If HTTP is enabled, this is a finding.

HTTPS is allowed for management and is enabled by default.

Fix Text (F-74209r1_fix)
The following commands enable management access to the device and the use of SSH, HTTPS, Syslog, and SNMP: enable-management service ssh https syslog snmp snmp-trap Disable HTTP on the management interface: no enable-management service http management Note: Do not configure any management protocols on any of the other interfaces. Disable the web server (HTTP for management): no web-service server

Fix Text (F-74209r1_fix)

The following commands enable management access to the device and the use of SSH, HTTPS, Syslog, and SNMP:
enable-management
service ssh https syslog snmp snmp-trap

Disable HTTP on the management interface:
no enable-management service http management
Note: Do not configure any management protocols on any of the other interfaces.

Disable the web server (HTTP for management):
no web-service server