IBM DataPower ALG Security Technical Implementation Guide


Overview

Date: 2016-01-21
Finding Count (65): CAT I (High): 1, CAT II (Med): 62, CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-65271 High The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
V-64979 Medium The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
V-65267 Medium The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles.
V-65223 Medium The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-65211 Medium The DataPower Gateway must protect audit information from unauthorized read access.
V-65263 Medium The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
V-65301 Medium The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.
V-65261 Medium The DataPower Gateway must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
V-65303 Medium The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
V-65249 Medium To protect against data mining, the DataPower Gateway providing content filtering must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-65221 Medium The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
V-65265 Medium The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-65307 Medium The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization.
V-65245 Medium To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-65309 Medium The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-65247 Medium To protect against data mining, the DataPower Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-65241 Medium The DataPower Gateway must have ICMP responses disabled on all interfaces facing untrusted networks.
V-65269 Medium The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
V-65243 Medium To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-65209 Medium The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.
V-65229 Medium The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-65201 Medium The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
V-65203 Medium The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
V-65205 Medium The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
V-65207 Medium The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
V-65281 Medium The DataPower Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
V-65285 Medium The DataPower Gateway providing content filtering must generate a log record when unauthorized network services are detected.
V-65287 Medium The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected.
V-65289 Medium The DataPower Gateway providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
V-65275 Medium The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures.
V-65219 Medium The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
V-65291 Medium The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.
V-65253 Medium To protect against data mining, the DataPower Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-65225 Medium The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
V-65313 Medium The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
V-65217 Medium The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
V-65311 Medium The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
V-65215 Medium The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-65199 Medium The DataPower Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
V-65213 Medium The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-65277 Medium The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors.
V-65195 Medium The DataPower Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
V-65279 Medium The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-65197 Medium The DataPower Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-65251 Medium To protect against data mining, the DataPower Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
V-65191 Medium The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-65257 Medium The DataPower Gateway must be configured to support centralized management and configuration.
V-65193 Medium The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-65255 Medium The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to select a user session to capture or view.
V-65239 Medium In the event of a system failure of the DataPower Gateway function, the DataPower Gateway must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
V-65317 Medium The DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service.
V-65235 Medium The DataPower Gateway must invalidate session identifiers upon user logout or other session termination.
V-65237 Medium The DataPower Gateway must recognize only system-generated session identifiers.
V-65231 Medium The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network.
V-65233 Medium The DataPower Gateway must protect the authenticity of communications sessions.
V-65227 Medium The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
V-65259 Medium The DataPower Gateway must off-load audit records onto a centralized log server.
V-65273 Medium The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
V-65299 Medium The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user level intrusions which provide non-privileged access are detected.
V-65297 Medium The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when root level intrusion events which provide unauthorized privileged access are detected.
V-65295 Medium The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
V-65293 Medium The DataPower Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
V-65305 Medium The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to capture, record, and log all content related to a selected user session.
V-65283 Low The DataPower Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
V-65315 Low The DataPower Gateway must off-load audit records onto a centralized log server in real time.