The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71447	CAGW-GW-000700	SV-86071r1_rule		Medium

Description
Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application-level firewalls and Web content filters), ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate. CA API Gateway must use services, policy, and iptable configurations to enforce flows only to/from authorized sources and destinations.

Description

Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application-level firewalls and Web content filters), ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate. CA API Gateway must use services, policy, and iptable configurations to enforce flows only to/from authorized sources and destinations.

STIG	Date
CA API Gateway ALG Security Technical Implementation Guide	2017-04-07

Details

Check Text ( C-71837r1_chk )
Open the CA API Gateway - Policy Manager, select "Tasks" from the main menu, and chose "Manage Listen Ports". Click the "Manage Firewall Rules" button and verify the proper Firewall Rules have been configured in accordance with organizational requirements for routing communications between authorized sources and destinations. Additionally, double-click each of the Registered Services and verify their policies have the proper logic to route the communications traffic to and from authorized sources and destinations. If either the firewall rules or the policy logic is not configured properly, this is a finding.

Check Text ( C-71837r1_chk )

Open the CA API Gateway - Policy Manager, select "Tasks" from the main menu, and chose "Manage Listen Ports".

Click the "Manage Firewall Rules" button and verify the proper Firewall Rules have been configured in accordance with organizational requirements for routing communications between authorized sources and destinations.

Additionally, double-click each of the Registered Services and verify their policies have the proper logic to route the communications traffic to and from authorized sources and destinations.

If either the firewall rules or the policy logic is not configured properly, this is a finding.

Fix Text (F-77765r1_fix)
Open the CA API Gateway - Policy Manager, select "Tasks" from the main menu, and chose "Manage Listen Ports". Click the "Manage Firewall Rules" button and add the proper Firewall Rules in accordance with organizational requirements for routing communications between authorized sources and destinations. Additionally, double-click each of the Registered Services and add the proper logic to route the communications traffic to and from authorized sources and destinations within their policies in accordance with organizational requirements.

Fix Text (F-77765r1_fix)

Open the CA API Gateway - Policy Manager, select "Tasks" from the main menu, and chose "Manage Listen Ports".

Click the "Manage Firewall Rules" button and add the proper Firewall Rules in accordance with organizational requirements for routing communications between authorized sources and destinations.

Additionally, double-click each of the Registered Services and add the proper logic to route the communications traffic to and from authorized sources and destinations within their policies in accordance with organizational requirements.