
Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based.


Overview

Finding ID: V-35307
Version: SRG-APP-000159-AS-000109
Rule ID: SV-46594r1_rule
IA Controls:
Severity: Medium
Description
Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the organization. The required strength of the device authentication mechanism is determined by the security categorization of the information system. Remote network connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides a means for both connecting parties to mutually authenticate one another, and cryptographic authentication provides a secure means of authenticating without the use of clear text passwords. The lack of a cryptographic method that can be employed when mutually authenticating introduces an integrity and confidentiality risk to the system.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43676r1_chk)
Review the application server (AS) documentation and configuration to determine whether the AS uses cryptographic methods for mutually authenticating remote devices. If the AS does not use cryptographic methods, this is a finding.
Fix Text (F-39853r1_fix)
Configure the AS to use cryptographic methods such as SSL when mutually authenticating.
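
The check and fix above, sketched as an added example that is not part of the STIG text: it uses Python's standard ssl module as a stand-in for an application server's TLS settings and reports where authentication is one-way rather than mutual. The function names are hypothetical, and certificate and trust-store loading is left out because paths are deployment-specific.

```python
import ssl


def server_context(require_client_cert):
    """Server-side TLS context (assumed stand-in for the AS listener)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The server-side default is CERT_NONE: the client is never asked for a
    # certificate, so only the server is authenticated (one-way).
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def client_context(verify_server):
    """Device-side TLS context (assumed stand-in for the connecting device)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server by default
    if not verify_server:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mutual_auth_findings(server_ctx, client_ctx):
    """Return the reasons this pair does not authenticate in both directions."""
    findings = []
    # CERT_OPTIONAL is also a finding: the handshake succeeds without a
    # client certificate, so the device is not necessarily authenticated.
    if server_ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server does not require a client certificate")
    if client_ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client does not verify the server certificate")
    if not client_ctx.check_hostname:
        findings.append("client does not check the server hostname")
    return findings


if __name__ == "__main__":
    pairs = {
        "one-way (server default)": (server_context(False), client_context(True)),
        "mutual": (server_context(True), client_context(True)),
    }
    for label, (srv, cli) in pairs.items():
        print(label, "->", mutual_auth_findings(srv, cli) or "no findings")
```

In a real deployment each context would also load its own certificate and key with load_cert_chain() and the peer's issuing CA with load_verify_locations(); without a trusted CA on both sides, CERT_REQUIRED rejects every peer.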