A DBMS providing remote access capabilities must utilize approved cryptography to protect the integrity of remote access sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32184	SRG-APP-000015-DB-000196	SV-42501r1_rule		Medium

Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over the public Internet, the Public Switched Telephone Network (PSTN) or sometimes both. Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized changes to the data traversing the remote access connection thereby providing a degree of integrity. The encryption strength of mechanism is selected based on the security categorization of the information that is traversing the remote connection. Databases that accept remote connections must use approved cryptography to protect data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted and potentially modified.

Description

Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over the public Internet, the Public Switched Telephone Network (PSTN) or sometimes both. Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized changes to the data traversing the remote access connection thereby providing a degree of integrity. The encryption strength of mechanism is selected based on the security categorization of the information that is traversing the remote connection. Databases that accept remote connections must use approved cryptography to protect data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted and potentially modified.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40689r4_chk )
Review system documentation to determine whether the system handles classified information. If the system handles classified information, the severity of this check should be upgraded to a Category I. Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA. Check database settings to determine whether the data for remote connections is being encrypted with organization defined cryptography. If data for remote connections is not being encrypted with approved cryptography, this is a finding.

Check Text ( C-40689r4_chk )

Review system documentation to determine whether the system handles classified information. If the system handles classified information, the severity of this check should be upgraded to a Category I.

Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.

Check database settings to determine whether the data for remote connections is being encrypted with organization defined cryptography. If data for remote connections is not being encrypted with approved cryptography, this is a finding.

Fix Text (F-36108r1_fix)
Configure database to use organization defined cryptography to encrypt data passing over remote connections.