
The firewall implementation must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.


Overview

Finding ID: SRG-NET-000146-FW-000089
Version: SRG-NET-000146-FW-000089
Rule ID: SRG-NET-000146-FW-000089_rule
IA Controls:
Severity: Medium
Description
All authentication credentials must be maintained on an authentication server. Messages between the authenticator and the firewall validating user credentials must not be vulnerable to a replay attack possibly enabling an unauthorized user to gain access to any firewall. A replay attack is a network attack in which a valid session or series of IP packets is intercepted by a malicious user who later transmits the packets to gain access to the target device.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000146-FW-000089_chk)
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding.

Verify the configuration for the firewall requires access by a DoD-approved replay-resistant authentication method, such as DoD PKI, SecureID, or DoD Alternate Token.

If DoD PKI, SecureID, or DoD Alternate Token is not used for authentication, this is a finding.
Fix Text (F-SRG-NET-000146-FW-000089_fix)
Configure local accounts to use DoD-approved, replay-resistant authentication mechanisms for access to the firewall. Approved methods are DoD PKI, SecureID, or DoD Alternate Token.
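The description above defines a replay attack as a captured, valid authentication exchange being resent later to gain access, and the fix text requires a replay-resistant mechanism. The following is an added example, not part of the STIG or any vendor's code, that shows why a single-use, expiring challenge defeats such a replay: the authentication server issues a fresh nonce per login, the client proves possession of its secret by keying an HMAC over that nonce, and the nonce is consumed on first use. All names, the shared secret and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import os
import time


class ReplayResistantAuthenticator:
    """Server side: nonce-based challenge-response with single-use, expiring nonces."""

    def __init__(self, secrets, ttl_seconds=30.0):
        self._secrets = secrets          # user -> shared secret (held on the auth server)
        self._ttl = ttl_seconds          # how long an issued challenge stays valid
        self._pending = {}               # nonce -> (user, time issued)

    def issue_challenge(self, user, now=None):
        nonce = os.urandom(16).hex()     # fresh, unpredictable per login attempt
        self._pending[nonce] = (user, now if now is not None else time.time())
        return nonce

    def verify(self, user, nonce, response, now=None):
        now = now if now is not None else time.time()
        entry = self._pending.pop(nonce, None)   # consumed on first use, valid or not
        if entry is None:
            return False                         # unknown or already-used nonce: replay/forgery
        nonce_user, issued = entry
        if nonce_user != user or now - issued > self._ttl:
            return False                         # challenge bound to another user, or expired
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, (user + nonce).encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_response(secret, user, nonce):
    """Client side: prove knowledge of the secret without sending it on the wire."""
    return hmac.new(secret, (user + nonce).encode(), hashlib.sha256).hexdigest()


def demo_replay_rejected():
    """Legitimate login, then an attacker replays the captured response: (True, False)."""
    secrets = {"fwadmin": b"constructed-shared-secret"}
    auth = ReplayResistantAuthenticator(secrets)
    nonce = auth.issue_challenge("fwadmin", now=1000.0)
    captured = client_response(secrets["fwadmin"], "fwadmin", nonce)
    first = auth.verify("fwadmin", nonce, captured, now=1001.0)
    replayed = auth.verify("fwadmin", nonce, captured, now=1002.0)
    return first, replayed


def demo_expired_rejected():
    """A valid response presented after the challenge TTL is also refused: False."""
    secrets = {"fwadmin": b"constructed-shared-secret"}
    auth = ReplayResistantAuthenticator(secrets, ttl_seconds=30.0)
    nonce = auth.issue_challenge("fwadmin", now=1000.0)
    return auth.verify("fwadmin", nonce, client_response(secrets["fwadmin"], "fwadmin", nonce), now=1040.0)
```

A static password check, by contrast, returns True for the captured credential every time it is resent, which is exactly the exposure the requirement addresses.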