CA API Gateway ALG Security Technical Implementation Guide


Overview

Date: 2017-04-07
Finding Count: 81 (CAT I (High): 0, CAT II (Med): 79, CAT III (Low): 2)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-71371 Medium The CA API Gateway must invalidate session identifiers upon user logout or other session termination.
V-71315 Medium The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
V-71375 Medium The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-71377 Medium The CA API Gateway providing content filtering must be configured to perform real-time scans of files from external sources at network entry/exit points as they are downloaded and prior to being opened or executed.
V-71367 Medium The CA API Gateway must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
V-71353 Medium The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
V-71351 Medium The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges.
V-71357 Medium The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-71355 Medium The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
V-71461 Medium The ALG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
V-71359 Medium The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
V-71339 Medium The CA API Gateway must protect audit information from unauthorized deletion.
V-71443 Medium The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
V-71335 Medium The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event.
V-71441 Medium The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
V-71373 Medium The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-71447 Medium The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-71333 Medium The CA API Gateway must produce audit records containing information to establish the outcome of the events.
V-71299 Medium The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
V-71337 Medium The CA API Gateway must protect audit information from unauthorized read access.
V-71449 Medium The CA API Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
V-71429 Medium The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
V-71399 Medium To protect against data mining, the CA API Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-71293 Medium The CA API Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
V-71397 Medium To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-71291 Medium The CA API Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-71395 Medium To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-71393 Medium The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods.
V-71295 Medium The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions.
V-71391 Medium The CA API Gateway providing content filtering must prevent the download of prohibited mobile code.
V-71325 Medium The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
V-71307 Medium The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
V-71379 Medium The CA API Gateway providing content filtering must block malicious code upon detection.
V-71487 Medium The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
V-71445 Medium The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
V-71467 Medium The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA.
V-71347 Medium The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-71481 Medium The CA API Gateway providing user access control intermediary services must automatically terminate a user session when organization-defined conditions or trigger events that require a session disconnect occur.
V-71363 Medium The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
V-71361 Medium The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-71349 Medium The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-71423 Medium To protect against data mining, the CA API Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-71365 Medium The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity.
V-71345 Medium The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services.
V-71369 Medium The CA API Gateway must protect the authenticity of communications sessions.
V-71489 Medium The CA API Gateway must off-load audit records onto a centralized log server in real time.
V-71341 Medium The CA API Gateway must protect audit tools from unauthorized access.
V-71427 Medium The CA API Gateway must off-load audit records onto a centralized log server.
V-71343 Medium The CA API Gateway must not have unnecessary services and functions enabled.
V-71473 Medium The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-71471 Medium The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.
V-71475 Medium The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
V-71455 Medium The CA API Gateway providing content filtering must generate a notification on the console when root-level intrusion events that attempt to provide unauthorized privileged access are detected.
V-71287 Medium The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-71479 Medium The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
V-71451 Medium The CA API Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
V-71453 Medium The CA API Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
V-71483 Medium The CA API Gateway providing user access control intermediary services must provide a logoff capability for user-initiated communications sessions.
V-71381 Medium The CA API Gateway providing content filtering must delete or quarantine malicious code in response to malicious code detection.
V-71289 Medium The CA API Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
V-71383 Medium The CA API Gateway providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.
V-71485 Medium The CA API Gateway providing user access control intermediary services must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
V-71385 Medium The CA API Gateway providing content filtering must automatically update malicious code protection mechanisms.
V-71387 Medium The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-71439 Medium The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.
V-71437 Medium The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-71329 Medium The CA API Gateway must produce audit records containing information to establish the source of the events.
V-71283 Medium The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
V-71433 Medium The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-71285 Medium The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-71431 Medium The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-71421 Medium To protect against data mining, the CA API Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-71389 Medium The CA API Gateway providing content filtering must block or restrict detected prohibited mobile code.
V-71463 Medium The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords.
V-71425 Medium To protect against data mining, the CA API Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-71469 Medium The CA API Gateway providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur.
V-71477 Medium The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
V-71435 Medium The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period.
V-71465 Medium The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.
V-71457 Low The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user-level intrusions that provide non-privileged access are detected.
V-71459 Low The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when Denial of Service (DoS) incidents are detected.