Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-233332 | FORE-NC-000270 | SV-233332r811414_rule | Medium |
Description |
---|
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. |
STIG | Date |
---|---|
Forescout Network Access Control Security Technical Implementation Guide | 2024-06-10 |
Check Text ( C-36527r811413_chk ) |
---|
If DoD is not at C2C Step 1 or higher, this is not a finding. Verify Forescout is configured to a list of DoD-approved certificate types and CAs. Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate. For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding. |
Fix Text (F-36492r803481_fix) |
---|
Configure the SecureConnector to ensure the minimum supported TLS version is set to TLS 1.2. Log on to the Forescout UI. 1. Select Tools >> Options >> Certificates. 2. Check the Ongoing TLS Sessions section, view the Re-verify TLS Sessions. 3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply". 4. Next, select the HPS Inspection Engine >> SecureConnector. 5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2. |