
The firewall implementation must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.


Overview

Finding ID: SRG-NET-000174-FW-000108
Version: SRG-NET-000174-FW-000108
Rule ID: SRG-NET-000174-FW-000108_rule
IA Controls: (none listed)
Severity: Medium
Description
The firewall implementation must protect non-local maintenance sessions through the use of a strong authenticator which is tightly bound to the user.

Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of non-local maintenance and diagnostic sessions reflect the network access requirements.

Without authentication, anyone with logical access can access the firewall, allowing intruders to compromise resources within the network infrastructure. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. An example of a strong authenticator is PKI, where certificates are stored on a token which is protected by a password, passphrase, or biometric.

Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000174-FW-000108_chk)
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding.

Verify non-local access to accounts authorized to perform maintenance and diagnostic activities on the firewall requires authenticated access.
Verify the authentication used is a multifactor authentication method (e.g., PKI, SecurID, or DoD Alternate Token).

If multifactor authentication is not used for non-local maintenance sessions, this is a finding.
Fix Text (F-SRG-NET-000174-FW-000108_fix)
Configure the firewall implementation to require login to an authentication server which uses multifactor authentication for non-local maintenance sessions.