The firewall implementation must protect non-local maintenance sessions through the use of a strong authenticator which is tightly bound to the user. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.
Authentication techniques used in the establishment of non-local maintenance and diagnostic sessions reflect the network access requirements. Without authentication anyone with logical access can access the firewall, allowing intruders to compromise resources within the network infrastructure. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. An example of a strong authenticator is PKI, where certificates are stored on a token which is protected by a password, passphrase, or biometric.
Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g., cryptographic identification device, token); or
(iii) something you are (e.g., biometric). |