Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-37177 | SRG-NET-000146-FW-000083 | SV-48938r1_rule | Medium |
Description |
---|
All authentication credentials must be maintained on an authentication server. Messages between the authenticator and the firewall validating user credentials must not be vulnerable to a replay attack possibly enabling an unauthorized user to gain access to any firewall. A replay attack is a network attack in which a valid session or series of IP packets is intercepted by a malicious user who later transmits the packets to gain access to the target device. |
STIG | Date |
---|---|
Firewall Security Requirements Guide | 2013-04-24 |
Check Text ( C-45501r1_chk ) |
---|
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding. Verify the configuration for the firewall requires access by a DoD-approved replay-resistant authentication method, such as DoD PKI or DoD Alternate Token. If DoD PKI or DoD Alternate Token is not used for authentication, this is a finding. |
Fix Text (F-42114r1_fix) |
---|
Configure local accounts to use DoD-approved, replay resistant authentication mechanisms for access to the firewall. Approved methods are DoD PKI or DoD Alternate Token. |