The IDPS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.


Overview

Finding ID: SRG-NET-000176-IDPS-000163
Version: SRG-NET-000176-IDPS-000163
Rule ID: SRG-NET-000176-IDPS-000163_rule
IA Controls:
Severity: Medium
Description
Network management is the process of monitoring the IDPS and its links, configuring the IDPS, and enabling network services. Network management also includes the collection of performance, diagnostic, and other relevant data about each element to ensure availability and that services are delivered to meet or exceed service level agreements. Whether a network is managed locally or from a NOC, achieving network management objectives depends on comprehensive and reliable network management solutions. If the packets associated with these sessions are not encrypted, the integrity and confidentiality of non-local maintenance and diagnostic communications are at risk. To provide confidentiality, the data encryption algorithm must meet the following requirements:
(i) The data encryption algorithm shall be AES with an appropriate key size (128-bit or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB, or XTS.
(ii) The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38A.
(iii) The implementation must support entry of a strong passphrase/password that meets FIPS 140-2 standards.

STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43303_chk)
Verify encryption is automatically used for all data in transit.
Verify the device is configured to negotiate a key exchange before full encryption takes place.
Verify the device provides full encryption capability (AES or stronger).

If the system is not configured to protect information in storage with cryptographic mechanisms, this is a finding.
Fix Text (F-43303_fix)
Configure the IDPS to protect information in storage with cryptographic mechanisms such as TLS/SSL.