The IDPS must enforce authorized access to the corresponding private key for PKI-based authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000165-IDPS-000153 | SRG-NET-000165-IDPS-000153 | SRG-NET-000165-IDPS-000153_rule | Medium |
| Description |
|---|
| The principle factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43292_chk ) |
|---|
| Inspect the user function of the device to view the PKI configuration. Verify any setting for configuring and controlling authorized access to private keys are enabled. If the PKI configuration does not use a valid DoD CA for certificate validation, this is a finding. |
| Fix Text (F-43292_fix) |
|---|
| Enable setting on the IDPS that control the authorized access to the user's private key. |