For password protection, the IDPS must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000168-IDPS-000156	SRG-NET-000168-IDPS-000156	SRG-NET-000168-IDPS-000156_rule		Medium

Description
the IDPS not protected with strong passwords provide the opportunity for anyone to crack the password thus gaining access to the system and the network. All passwords must be kept and known only by the account user who created the password. Malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the IDPS and the authentication server. It is imperative the authentication process implements cryptographic modules adhering to the higher standards approved by the federal government.

Description

the IDPS not protected with strong passwords provide the opportunity for anyone to crack the password thus gaining access to the system and the network. All passwords must be kept and known only by the account user who created the password. Malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the IDPS and the authentication server. It is imperative the authentication process implements cryptographic modules adhering to the higher standards approved by the federal government.

STIG	Date
IDPS Security Requirements Guide (SRG)	2012-03-08

Details

Check Text ( C-43295_chk )
View the password configuration. Verify system is configured to encrypt passwords in storage and in transit using a FIPS validated module. If passwords do not use a FIPS-validated encryption module, this is a finding.

Fix Text (F-43295_fix)
Configure passwords using a FIPS-validated encryption module.