
The IDPS must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.


Overview

Finding ID: SRG-NET-000022-IDPS-000046
Version: SRG-NET-000022-IDPS-000046
Rule ID: SRG-NET-000022-IDPS-000046_rule
IA Controls:
Severity: Medium
Description
The IDPS must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policies must require the highest privilege level, which can be implemented by simply assigning privilege levels to administrators or via an AAA solution. An AAA solution affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the IDPS in conjunction with an authentication server, administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. An authentication server provides the capability to assign network administrators and engineers to tiered groups that carry their associated or required privilege level. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text ( C-43164_chk )
Verify the IDPS management console provides the system administrators the ability to configure security policy filters (e.g., creating groups with different authorizations and privileges).
Verify the system has the capability to assign security levels to groups and individual users as needed.

If the IDPS does not enforce the highest privilege level administrative access to enable or disable security policy filters, this is a finding.
Fix Text (F-43164_fix)
Create security policy filters by creating security groups (or use pre-existing groups).
Assign privileges to each group based on varying need-for-access.
Assign system administrators as group members to each group based on level of access required.
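The following is an added illustration, not part of the SRG and not any IDPS vendor's configuration syntax, of the tiered-group model the description and fix text call for. It uses a constructed privilege scale (0 to 15, 15 being the highest), constructed group and administrator definitions, and hypothetical action names such as `policy.modify`. `authorize()` enforces the rule that adding, modifying, or deleting a security policy filter requires both a group authorization and the highest privilege level, logging every decision; `audit_groups()` performs the check-text step, flagging any group that grants policy-filter changes below the highest level.

```python
"""Constructed model of tiered administrative groups on an IDPS management console.
All names, privilege values and actions are hypothetical, chosen to illustrate
SRG-NET-000022-IDPS-000046; they are not a vendor's API or configuration format."""
from dataclasses import dataclass

# Constructed privilege scale: 0 is read-only, 15 is the highest level.
HIGHEST_PRIVILEGE = 15

# Actions the requirement says must be reserved for the highest privilege level.
POLICY_FILTER_ACTIONS = frozenset({"policy.add", "policy.modify", "policy.delete"})


@dataclass(frozen=True)
class Group:
    name: str
    privilege: int            # 0..HIGHEST_PRIVILEGE
    permissions: frozenset    # command authorizations granted to members


@dataclass(frozen=True)
class Admin:
    name: str
    groups: tuple             # names of the groups this administrator belongs to


# Constructed sample configuration, as an AAA server or local config might hold it.
GROUPS = {
    "ids-readonly": Group("ids-readonly", 1, frozenset({"policy.view", "events.view"})),
    "ids-tuners":   Group("ids-tuners", 10, frozenset({"policy.view", "signature.tune"})),
    "ids-admins":   Group("ids-admins", HIGHEST_PRIVILEGE,
                          frozenset({"policy.view", "policy.add", "policy.modify", "policy.delete"})),
    # Deliberately misconfigured group: grants policy.modify below the highest level.
    "ids-helpdesk": Group("ids-helpdesk", 5, frozenset({"policy.view", "policy.modify"})),
}

ADMINS = [
    Admin("alice", ("ids-admins",)),
    Admin("bob", ("ids-tuners",)),
    Admin("carol", ("ids-readonly", "ids-helpdesk")),
]

AUDIT_LOG = []   # activity log: one (admin, action, decision) tuple per request


def effective_privilege(admin, groups=GROUPS):
    """An administrator's privilege level is the highest level among their groups."""
    return max((groups[g].privilege for g in admin.groups), default=0)


def authorize(admin, action, groups=GROUPS):
    """Allow an action only if some group of the admin grants it and, for
    security-policy-filter changes, the admin holds the highest privilege level."""
    granted = any(action in groups[g].permissions for g in admin.groups)
    if action in POLICY_FILTER_ACTIONS:
        allowed = granted and effective_privilege(admin, groups) == HIGHEST_PRIVILEGE
    else:
        allowed = granted
    AUDIT_LOG.append((admin.name, action, "ALLOW" if allowed else "DENY"))
    return allowed


def audit_groups(groups=GROUPS):
    """Check step: groups that grant policy-filter changes below the highest level
    are findings, because a member could change filters without top-tier access."""
    return sorted(
        g.name for g in groups.values()
        if g.permissions & POLICY_FILTER_ACTIONS and g.privilege < HIGHEST_PRIVILEGE
    )


if __name__ == "__main__":
    for admin in ADMINS:
        print(admin.name, "policy.modify ->", authorize(admin, "policy.modify"))
    print("finding groups:", audit_groups())
```

Note that `carol` is denied `policy.modify` even though `ids-helpdesk` lists it, because the privilege check is applied independently of the group's permission list; `audit_groups()` reports `ids-helpdesk` so the misconfiguration is fixed at the source rather than relying on the runtime check alone.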