
Communications using the auxiliary port(s) must be configured to use cryptography to protect the confidentiality of the remote access session.


Overview

Finding ID: SRG-NET-000062-IDPS-000012
Version: SRG-NET-000062-IDPS-000012
Rule ID: SRG-NET-000062-IDPS-000012_rule
IA Controls: (none listed)
Severity: High
Description
IDS and IPS devices may have auxiliary port(s) which can be configured for local or non-local (remote) access to management functions and diagnostics. Use of a modem for remote system management is strongly discouraged because this transmission bypasses the network security infrastructure and depends on authentication provided by the device itself. However, there may be cases where this type of access is mission essential. Modems may be attached to auxiliary ports only if communications are secured using cryptography. To provide confidentiality, the data encryption algorithm must meet the following requirements:
(i) The data encryption algorithm shall be AES using the appropriate key size (128- or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB, or XTS.
(ii) The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38A.
(iii) It must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.
Unless restrictions are put in place, a user connecting to the LAN via remote access can access and perform everything they could if connected internally.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43124_chk)
Open the modem management application.
Inspect the modem configuration to ensure encryption is automatically used for all data in transit.
Verify the modem is configured to negotiate a key exchange before full encryption takes place.
Verify the modem provides full encryption capability (AES or stronger).

If the modem is not configured to use AES or stronger encryption with a 128- or 256-bit key in one of the following modes: CBC, CCM, CFB, CTR, OFB, or XTS, this is a finding.
Fix Text (F-43124_fix)
Open the modem management application and navigate to the encryption configuration screen.
Configure the modem so encryption is automatically used for all data in transit.
Configure the modem to negotiate a key exchange and to encrypt with a 128- or 256-bit key in one of the following modes: CBC, CCM, CFB, CTR, OFB, or XTS.
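As an added example (not part of the SRG or any modem vendor's tooling), the Python below encodes the check and fix criteria above as an evaluator that an auditor can run over an exported settings file; the key=value export format, its key names, and the sample exports are constructed for this example, and the evaluator applies the description's stricter requirement that the cipher be AES specifically.

```python
from dataclasses import dataclass

APPROVED_KEY_BITS = {128, 256}                                # the rule lists only 128 and 256
APPROVED_MODES = {"CBC", "CCM", "CFB", "CTR", "OFB", "XTS"}   # modes not listed here (e.g. ECB) fail

@dataclass(frozen=True)
class ModemCrypto:
    encrypt_all_traffic: bool      # encryption applied automatically to all data in transit
    negotiates_key_exchange: bool  # a key exchange is negotiated before full encryption
    cipher: str                    # description item (i) requires AES specifically
    key_bits: int
    mode: str

def parse_export(text: str) -> ModemCrypto:
    """Parse a key=value settings export; the key names are an assumption for this example."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        kv[key.strip().lower()] = value.strip()
    return ModemCrypto(
        encrypt_all_traffic=kv.get("encrypt_all", "no").lower() == "yes",
        negotiates_key_exchange=kv.get("key_exchange", "none").lower() != "none",
        cipher=kv.get("cipher", "").upper(),
        key_bits=int(kv.get("key_bits", "0") or 0),
        mode=kv.get("mode", "").upper(),
    )

def evaluate(cfg: ModemCrypto) -> list:
    """Return the reasons this configuration is a finding; an empty list means it passes."""
    reasons = []
    if not cfg.encrypt_all_traffic:
        reasons.append("encryption is not applied automatically to all data in transit")
    if not cfg.negotiates_key_exchange:
        reasons.append("no key exchange is negotiated before full encryption")
    if cfg.cipher != "AES":
        reasons.append(f"cipher {cfg.cipher or '(none)'} is not AES")
    if cfg.key_bits not in APPROVED_KEY_BITS:
        reasons.append(f"key size {cfg.key_bits} is not 128 or 256 bits")
    if cfg.mode not in APPROVED_MODES:
        reasons.append(f"mode {cfg.mode or '(none)'} is not one of {sorted(APPROVED_MODES)}")
    return reasons

# Constructed sample exports: one compliant, one that is a finding on several counts.
COMPLIANT = "encrypt_all=yes\nkey_exchange=dh\ncipher=AES\nkey_bits=256\nmode=CTR\n"
FINDING = "encrypt_all=no\nkey_exchange=none\ncipher=AES\nkey_bits=192\nmode=ECB\n"
```

Running `evaluate(parse_export(FINDING))` reports four separate reasons (no automatic encryption, no key exchange, a 192-bit key, and ECB mode), which maps directly onto the check text's "this is a finding" condition.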