Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-233332 | FORE-NC-000270 | SV-233332r611394_rule | Medium |
| Description |
|---|
| Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. |
| STIG | Date |
|---|---|
| Forescout Network Access Control Security Technical Implementation Guide | 2020-12-11 |
Details
| Check Text ( C-36527r605699_chk ) |
|---|
| Verify Forescout is configured to a list of DoD-approved certificate types and CAs. Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate. For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding. |
| Fix Text (F-36492r605700_fix) |
|---|
| Log on to the Forescout UI. 1. Select Tools >> Options >> Certificates. 2. Check that in the Ongoing TLS Sessions section, view the Re-verify TLS Sessions. 3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply". 4. Next select the HPS Inspection Engine >> SecureConnector. 5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2. |