Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide


Overview

Date: 2017-09-15
Finding Count (33): CAT I (High): 7, CAT II (Med): 24, CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-76427 High Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-76401 High Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
V-76433 High Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
V-76431 High Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
V-76393 High Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats.
V-76391 High Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443.
V-76453 High Kona Site Defender must reveal error messages only to the ISSO, ISSM, and SCA.
V-76425 Medium Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
V-76421 Medium Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
V-76423 Medium Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures.
V-76419 Medium Kona Site Defender must not strip origin-defined HTTP session headers.
V-76429 Medium Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
V-76445 Medium Kona Site Defender providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
V-76447 Medium Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
V-76409 Medium To protect against data mining, Kona Site Defender providing content filtering must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-76443 Medium Kona Site Defender providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
V-76403 Medium To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-76407 Medium To protect against data mining, Kona Site Defender providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-76405 Medium To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-76437 Medium Kona Site Defender providing content filtering must block malicious code upon detection.
V-76399 Medium Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist).
V-76435 Medium Kona Site Defender providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-76397 Medium Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist).
V-76395 Medium Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions.
V-76439 Medium Kona Site Defender providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.
V-76455 Medium Kona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-76451 Medium Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization.
V-76411 Medium To protect against data mining, Kona Site Defender providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-76413 Medium To protect against data mining, Kona Site Defender providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-76415 Medium Kona Site Defender must off-load audit records onto a centralized log server.
V-76449 Medium Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected.
V-76441 Low Kona Site Defender providing content filtering must be configured to integrate with a system-wide intrusion detection system.
V-76417 Low Kona Site Defender must off-load audit records onto a centralized log server in real time.