Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-65235 | WSDP-AG-000050 | SV-79725r1_rule | Medium |
Description |
---|
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the network element must terminate the user session to minimize the potential for an attacker to hijack that particular user session. ALGs act as an intermediary for application; therefore, session control is part of the function provided. This requirement focuses on communications protection at the application session, versus network packet level. |
STIG | Date |
---|---|
IBM DataPower ALG Security Technical Implementation Guide | 2016-01-21 |
Check Text ( C-65863r1_chk ) |
---|
From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status. Then, verify that the session identifiers (TIDs) in the System Log are random; Status >> View Logs >> Systems Logs. If the device is not set to FIPS 140-2 Level 1, this is a finding. |
Fix Text (F-71175r1_fix) |
---|
From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. This will achieve NIST SP800-131a compliance. |