The application server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-57509	SRG-APP-000395-AS-000109	SV-71785r2_rule		Medium

Description
Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Device authentication is performed when the application server is providing web services capabilities and data protection requirements mandate the need to establish the identity of the connecting device before the connection is established. Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Description

Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Device authentication is performed when the application server is providing web services capabilities and data protection requirements mandate the need to establish the identity of the connecting device before the connection is established. Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

STIG	Date
Application Server Security Requirements Guide	2019-01-07

Details

Check Text ( C-58217r1_chk )
If data protection requirements do not mandate the need to establish the identity of the connecting device before the connection is established, this requirement is NA. Review application server documentation and configuration to determine if the application server authenticates all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. If the application server does not meet this requirement, this is a finding.

Check Text ( C-58217r1_chk )

If data protection requirements do not mandate the need to establish the identity of the connecting device before the connection is established, this requirement is NA.

Review application server documentation and configuration to determine if the application server authenticates all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

If the application server does not meet this requirement, this is a finding.

Fix Text (F-62577r1_fix)
If data protection requirements do not mandate the need to establish the identity of the connecting device before the connection is established, this requirement is NA. Configure the application server to authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.