The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.


Overview

Finding ID: V-32189
Version: SRG-APP-000020-DB-000194
Rule ID: SV-42506r1_rule
IA Controls: (none listed)
Severity: Medium
Description
This requirement is related to remote access, but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Some networking protocols allowing remote access may not meet security requirements to protect data and components. Bluetooth and peer-to-peer networking are examples of less than secure networking protocols. The DoD Ports, Protocols, and Services Management (PPSM) program provides implementation guidance on the use of IP protocols and application and data services traversing the DoD Networks in a manner supporting net-centric operations. Applications implementing or utilizing remote access network protocols need to ensure the application is developed and implemented in accordance with the PPSM requirements. In situations where it has been determined that specific operational requirements outweigh the risks of enabling an insecure network protocol, the organization may pursue a risk acceptance. Using protocols deemed unsecure would compromise the ability of the DBMS to operate in a secure fashion. The database must be able to disable network protocols deemed unsecure.
STIG: Database Security Requirements Guide
Date: 2012-07-02

Details

Check Text (C-40694r3_chk)
Review PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed unsecure.

Review DBMS settings to determine if the database is utilizing any network protocols deemed unsecure. If the DBMS is not using any network protocols deemed unsecure, this is NA.

If the database is utilizing protocols specified as unsecure in the PPSM, verify that the protocols are explicitly identified in the System Security Plan (SSP) and that they are in support of specific operational requirements. If they are not identified in the SSP, or are not supporting specific operational requirements, this is a finding.

If unsecure network protocols are not being used but are not disabled in the DBMS’s configuration, this is a finding.
Fix Text (F-36113r1_fix)
Disable any network protocol listed as unsecure in the PPSM documentation.