
The ALG that proxies remote access traffic must monitor remote access methods.


Overview

Finding ID: SRG-NET-000061-ALG-000009
Version: SRG-NET-000061-ALG-000009
Rule ID: SRG-NET-000061-ALG-000009_rule
IA Controls:
Severity: Medium

Description
Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities. Remote access methods include, for example, proxied remote encrypted traffic (e.g., web content and webmail). Remote access using cryptographic protocols, such as SSL and HTTPS, must ensure that the organization's security policy is not bypassed for either inbound or outbound traffic.

With inbound SSL inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting SSL or HTTPS applications. With outbound traffic inspection, traffic must be inspected prior to being forwarded to destinations outside of the enclave, such as external email traffic. Monitoring remote access ensures that unauthorized access to the enclave's resources and data will not go undetected.

There are two primary ways to comply with this requirement. An application proxy or protocol termination point (e.g., SSL appliance) may be configured to decrypt the packets and redirect to the IPS or content filter for inspection. Another method is to install and configure policy filters on the application gateway device itself. Note that the forwarded traffic is the original encrypted packet.

STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000061-ALG-000009_chk)
If the ALG does not proxy remote access traffic (e.g., web content filter, SSL, or OWA), this is not a finding.

Examine the configuration of the proxy server or ALG.
Verify the gateway is configured to decrypt and inspect traffic before forwarding to inbound or outbound destinations.
Verify that the original packet is either forwarded or disallowed and that the process does not alter the original packet that is forwarded to the destination application.

If the ALG that proxies encrypted traffic does not monitor and control remote access connections, this is a finding.

Fix Text (F-SRG-NET-000061-ALG-000009_fix)
Configure the ALG to monitor remote access connections.