
The firewall implementation must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the firewall being accessed.


Overview

Finding ID: SRG-NET-000144-FW-000088
Version: SRG-NET-000144-FW-000088
Rule ID: SRG-NET-000144-FW-000088_rule
IA Controls: (none listed)
Severity: Medium
Description
Single-factor authentication poses unnecessary risk to the information system since most single-factor authentication methods use only a user ID and password. Passwords are, in most cases, easily cracked with the right tools. Multifactor authentication combines several independent identification and authentication criteria and provides a much stronger level of security than a single factor. As privileged users have access to most of the files on the platform, using a single-factor authentication approach provides an easy avenue of attack for a malicious user. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-000144-FW-000088_chk )
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding.

Verify that the firewall configuration requires access by a DoD-approved multifactor authentication mechanism (e.g., PKI, SecurID, or DoD Alternate Token).

If multifactor authentication, where one of the factors is provided by a device separate from the firewall being accessed, is not used for network access to privileged accounts, this is a finding.
Fix Text (F-SRG-NET-000144-FW-000088_fix)
Configure the firewall implementation to require multifactor authentication, where one of the factors is separate from the information system gaining access, when accessing privileged accounts via the network.
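The check text above is a three-way decision (authentication delegated to the platform or a network authentication server; multifactor with a separate-device, DoD-approved factor; otherwise a finding). The following is an added example, not part of the SRG, that encodes that decision over a constructed, vendor-neutral model of a firewall's privileged-access authentication settings; the AdminAuthConfig fields and the sample configurations are assumptions made for illustration.

```python
"""Assess privileged network-access authentication against SRG-NET-000144-FW-000088.

Added example; the configuration model and samples below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Factor classes from the SRG description: something you know / have / are.
FACTOR_CLASS = {"password": "know", "pin": "know",
                "pki": "have", "securid": "have", "alt_token": "have",
                "biometric": "are"}
# Mechanisms the check text names as DoD-approved (PKI, SecurID, DoD Alternate Token).
APPROVED_MECHANISMS = {"pki", "securid", "alt_token"}


@dataclass
class AdminAuthConfig:
    """Constructed model of how a firewall authenticates privileged network logins."""
    factors: list[str] = field(default_factory=list)      # factor types required at login
    separate_device: set[str] = field(default_factory=set)  # factors supplied by a device other than the firewall
    delegated_to: str | None = None                        # e.g. "tacacs+", "radius", "platform"


def evaluate(cfg: AdminAuthConfig) -> tuple[str, str]:
    """Return (status, reason) following the check text's order of decisions."""
    if cfg.delegated_to:  # platform account management or network auth server handles it
        return "NOT_A_FINDING", f"authentication delegated to {cfg.delegated_to}"
    classes = {FACTOR_CLASS.get(f, "unknown") for f in cfg.factors} - {"unknown"}
    if len(classes) < 2:  # two different factor classes are needed for multifactor
        return "FINDING", "single-factor authentication for privileged network access"
    external = [f for f in cfg.factors if f in cfg.separate_device]
    if not external:
        return "FINDING", "no factor is provided by a device separate from the firewall"
    if not any(f in APPROVED_MECHANISMS for f in external):
        return "FINDING", "separate-device factor is not a DoD-approved mechanism"
    return "NOT_A_FINDING", f"multifactor with separate-device factor(s): {sorted(external)}"


# Constructed sample configurations covering each branch of the check.
SAMPLE_CONFIGS = {
    "delegated": AdminAuthConfig(factors=["password"], delegated_to="tacacs+"),
    "password_only": AdminAuthConfig(factors=["password"]),
    "two_passwords": AdminAuthConfig(factors=["password", "pin"], separate_device={"pin"}),
    "pin_plus_securid": AdminAuthConfig(factors=["pin", "securid"], separate_device={"securid"}),
    "pki_on_firewall": AdminAuthConfig(factors=["password", "pki"], separate_device=set()),
}


def assess_all() -> dict[str, str]:
    """Status per sample configuration, e.g. for a review worksheet."""
    return {name: evaluate(cfg)[0] for name, cfg in SAMPLE_CONFIGS.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(f"{name:18s} {evaluate(cfg)[0]:14s} {evaluate(cfg)[1]}")
```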