UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000174-FW-000108 SRG-NET-000174-FW-000108 SRG-NET-000174-FW-000108_rule Medium
Description
The firewall implementation must protect non-local maintenance sessions through the use of a strong authenticator which is tightly bound to the user. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of non-local maintenance and diagnostic sessions reflect the network access requirements. Without authentication anyone with logical access can access the firewall, allowing intruders to compromise resources within the network infrastructure. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. An example of a strong authenticator is PKI, where certificates are stored on a token which is protected by a password, passphrase, or biometric. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
STIG Date
Firewall Security Requirements Guide 2012-12-10

Details

Check Text ( C-SRG-NET-000174-FW-000108_chk )
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding.

Verify non-local access to accounts authorized to perform maintenance and diagnostic activities on the firewall requires authenticated access.
Verify the authentication used is a multifactor authentication method (e.g., PKI, SecureID, or DoD Alternate Token).

If multifactor authentication is not used for non-local maintenance sessions, this is a finding.
Fix Text (F-SRG-NET-000174-FW-000108_fix)
Configure the firewall implementation to require login to an authentication server which uses multifactor authentication for non-local maintenance sessions.