
The ALG must generate unique session identifiers using a FIPS 140-2 approved random number generator.


Overview

Finding ID: SRG-NET-000234-ALG-000116
Version: SRG-NET-000234-ALG-000116
Rule ID: SRG-NET-000234-ALG-000116_rule
IA Controls:
Severity: Medium
Description
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Network elements (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised. This requirement focuses on communications protection for the application session rather than for the network packet.
STIG: Application Layer Gateway Security Requirements Guide
Date: 2014-06-27

Details

Check Text (C-SRG-NET-000234-ALG-000116_chk)
Verify the ALG generates unique session identifiers using a FIPS 140-2 approved random number generator.

If the ALG does not generate unique session identifiers using a FIPS 140-2 approved random number generator, this is a finding.
Fix Text (F-SRG-NET-000234-ALG-000116_fix)
Configure the ALG to generate unique session identifiers using a FIPS 140-2 approved random number generator.
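
As a supporting check for the sequential-identifier weakness in the Description, the following added example (not part of the SRG or of any vendor's code) audits a sample of session identifiers for duplicates, short length and counter-like steps, and shows generation from the operating system CSPRNG. It assumes hex-encoded identifiers listed in issue order; the 128-bit minimum and the step threshold are assumed values. A clean result does not show that the generator is FIPS 140-2 approved, which depends on the validation status of the cryptographic module in use.

```python
import secrets

MIN_BITS = 128   # assumed minimum identifier size; not a value from the SRG
MAX_STEP = 1024  # assumed: a positive step this small between IDs looks like a counter

def new_session_id(nbytes=16):
    """Hex identifier drawn from the operating system CSPRNG."""
    return secrets.token_hex(nbytes)

def audit_session_ids(ids):
    """Return findings for hex session IDs sampled in the order they were issued."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate")
    if any(len(s) * 4 < MIN_BITS for s in ids):  # 4 bits per hex character
        findings.append("short")
    try:
        nums = [int(s, 16) for s in ids]
    except ValueError:
        return findings + ["not-hex"]
    # Differences between consecutive identifiers: a constant step, or a run
    # of small positive steps, indicates a counter rather than random output.
    deltas = [b - a for a, b in zip(nums, nums[1:])]
    if len(deltas) >= 2 and (len(set(deltas)) == 1
                             or all(0 < d <= MAX_STEP for d in deltas)):
        findings.append("sequential")
    return findings

# Constructed samples, not captured from any real device.
COUNTER_SAMPLE = [f"{n:08x}" for n in range(1000, 1005)]
# Zero-padding a counter to 128 bits passes the length test but is still guessable.
PADDED_COUNTER_SAMPLE = [f"{n:032x}" for n in range(1000, 1005)]

if __name__ == "__main__":
    print("counter:       ", audit_session_ids(COUNTER_SAMPLE))
    print("padded counter:", audit_session_ids(PADDED_COUNTER_SAMPLE))
    print("CSPRNG:        ", audit_session_ids([new_session_id() for _ in range(50)]))
```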