Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35438 | SRG-APP-000264-AS-000167 | SV-46725r1_rule | | Medium |
Description |
---|
Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), an SSL VPN, or an IPsec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure. If approved cryptographic algorithms are not used, encryption strength cannot be assured. The application server must utilize approved encryption when transmitting sensitive data. |
STIG | Date |
---|---|
Application Server Security Requirements Guide | 2013-01-08 |
Check Text (C-43792r1_chk) |
---|
Review the AS configuration and encryption certificates to validate that the server supports AES encryption for data in transit. Confirm that at least AES 128-bit encryption is used. If the AS does not provide AES encryption for sensitive data in transit, this is a finding. |
Fix Text (F-39982r1_fix) |
---|
Configure the AS to use AES 128 or AES 256 encryption for data in transit. |
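
One way to apply the check text to a list of enabled TLS cipher suites, as an added example that is not part of the original requirement guide. The suite list is constructed sample data, and using Python's `ssl.SSLContext` as a stand-in for an application server's TLS configuration is an assumption.

```python
import re
import ssl

# AES key size as it appears in OpenSSL ("AES128") and IANA ("AES_128") suite names.
AES_KEY_RE = re.compile(r"AES[_-]?(128|192|256)")

# Constructed sample: suite names as they might be listed in a server's TLS config.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "NULL-SHA256",
]

def audit_suites(names, min_bits=128):
    """Split suite names into (compliant, findings) per the AES check text."""
    compliant, findings = [], []
    for name in names:
        match = AES_KEY_RE.search(name.upper())
        if match is None:
            # The check text names AES only, so every other cipher is reported.
            findings.append((name, "no AES bulk cipher"))
        elif int(match.group(1)) < min_bits:
            findings.append((name, f"AES key below {min_bits} bits"))
        else:
            compliant.append(name)
    return compliant, findings

def enabled_suites(context):
    """Suite names an ssl.SSLContext would offer (assumed stand-in for the AS)."""
    return [cipher["name"] for cipher in context.get_ciphers()]

if __name__ == "__main__":
    sources = (
        ("sample config", SAMPLE_SUITES),
        ("local default context", enabled_suites(ssl.create_default_context())),
    )
    for label, names in sources:
        ok, bad = audit_suites(names)
        print(f"{label}: {len(ok)} compliant, {len(bad)} finding(s)")
        for name, reason in bad:
            print(f"  FINDING {name}: {reason}")
```

Passing `min_bits=256` applies the stricter of the two key sizes named in the fix text.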