A DBMS providing remote access capabilities must utilize organization defined cryptography to protect the confidentiality of data passing over remote access sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32183	SRG-APP-000014-DB-000036	SV-42500r1_rule		Medium

Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection. Databases that accept remote connections must use approved cryptography to prevent disclosure of data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted or compromised.

Description

Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection. Databases that accept remote connections must use approved cryptography to prevent disclosure of data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted or compromised.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40688r5_chk )
Review system documentation to determine whether the system handles classified information. If the system handles classified information, the severity of this check should be upgraded to a Category I. Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA. Check database settings to determine whether the data for remote connections is being encrypted with organization defined cryptography. If data for remote connections is not being encrypted with organization defined cryptography, this is a finding.

Check Text ( C-40688r5_chk )

Review system documentation to determine whether the system handles classified information. If the system handles classified information, the severity of this check should be upgraded to a Category I.

Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.

Check database settings to determine whether the data for remote connections is being encrypted with organization defined cryptography. If data for remote connections is not being encrypted with organization defined cryptography, this is a finding.

Fix Text (F-36107r1_fix)
Configure database to encrypt data passing over remote connections.