
The IDPS must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.


Overview

Finding ID: V-34620
Version: SRG-NET-000308-IDPS-00209
Rule ID: SV-45494r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Use of weak or unvalidated cryptography undermines the purpose of using encryption to protect data. The most common vulnerabilities in cryptographic modules are those caused by poor implementation; FIPS 140 validation and NSA approval provide assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for the use of cryptography in the Federal Government, and NSA approval is likewise a strict requirement for cryptography protecting classified data and applications.

Traffic between the management console, sensor, and/or other network elements must be protected by cryptographic mechanisms, and digital signatures must be used to validate the authenticity of information, firmware, and health checks. Those digital signatures must be implemented using either of the following:
(i) a FIPS-validated cryptographic module (e.g., DoD PKI); or
(ii) an NSA-approved cryptographic module.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text ( C-42842r1_chk )
Verify that the digital signatures the IDPS uses to validate the authenticity of information are generated and verified by either of the following:
(i) a cryptographic module that appears on the NIST validation lists as FIPS 140-validated (e.g., DoD PKI). Note that a Cryptographic Algorithm Validation Program (CAVP) certificate covers only an algorithm implementation; a module is FIPS 140-validated only when it holds a Cryptographic Module Validation Program (CMVP) certificate, and it must also be operating in its validated (FIPS) mode; or
(ii) an NSA-approved cryptographic module.

If NSA-approved or FIPS-validated cryptography is not used to implement digital signatures, this is a finding.
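One way to gather evidence for this check on a Linux-based sensor, as an added example that is not part of the SRG and not any vendor's tooling: the script below reports the two platform-level FIPS indicators (the kernel fips_enabled flag and whether the OpenSSL 3 FIPS provider is loaded) and verifies a firmware image against its detached signature with the vendor's public key. The sensor layout, file names, key material, and the constructed sample image are all assumptions for the sake of a runnable example; the authoritative evidence for the finding remains the module's CMVP certificate (or NSA approval) together with proof that the IDPS software actually calls that module in FIPS mode, which a positive provider listing on the command line does not by itself establish.

```shell
#!/bin/sh
# Added example (not part of the STIG/SRG). Assumptions, all hypothetical:
# a Linux-based IDPS sensor exposing /proc/sys/crypto/fips_enabled, an
# OpenSSL 3 CLI on PATH, and firmware images shipped with a detached
# SHA-256 signature plus the vendor's public key in PEM form.

# Report the platform-level FIPS indicators. Prints one summary line and
# returns 0 only when the kernel flag is set AND the OpenSSL FIPS provider
# is listed; either indicator alone is not sufficient evidence.
fips_mode_status() {
    kernel_flag=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    # OpenSSL 3 lists loaded providers; the FIPS provider reports its name
    # as "OpenSSL FIPS Provider". OpenSSL 1.1 lacks this command entirely.
    if openssl list -providers 2>/dev/null | grep -qi 'fips provider'; then
        provider=yes
    else
        provider=no
    fi
    echo "kernel fips_enabled=$kernel_flag openssl_fips_provider=$provider"
    [ "$kernel_flag" = "1" ] && [ "$provider" = "yes" ]
}

# Verify a detached signature over a firmware image with the vendor's public
# key. Returns 0 when the signature verifies, non-zero otherwise. SHA-256 with
# an RSA or ECDSA key is a FIPS-approved algorithm choice, but approval of the
# algorithm is not the same as validation of the module implementing it.
verify_firmware_signature() {
    pubkey=$1; sig=$2; image=$3
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$image" >/dev/null 2>&1
}

# Constructed demo material so the script runs offline: an ECDSA P-256 key
# pair standing in for the vendor's signing key, a stand-in firmware image,
# and its detached signature. A real review uses the vendor's published key.
make_demo_signed_image() {
    dir=$1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/vendor.key" 2>/dev/null
    openssl pkey -in "$dir/vendor.key" -pubout -out "$dir/vendor.pub" 2>/dev/null
    printf 'IDPS-SENSOR-FW 4.2.1 (constructed sample image)\n' > "$dir/fw.bin"
    openssl dgst -sha256 -sign "$dir/vendor.key" -out "$dir/fw.sig" "$dir/fw.bin"
}

# Usage on a sensor: sh check_idps_sig.sh fw.bin fw.sig vendor.pub
if [ $# -eq 3 ]; then
    fips_mode_status || \
        echo "WARNING: platform is not in FIPS mode; a valid signature alone does not satisfy the requirement"
    if verify_firmware_signature "$3" "$2" "$1"; then
        echo "signature OK: $1"
    else
        echo "signature INVALID: $1"
        exit 1
    fi
fi
```

A tampered image (even one byte appended) must fail verification, and a verify failure on a reviewer's workstation is meaningful only if the same key and signature are the ones the sensor itself consumes; the script reports, it does not replace the CMVP certificate lookup.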
Fix Text (F-38890r1_fix)
Configure the IDPS so that the digital signatures protecting management traffic, firmware, and health checks are generated and verified by a FIPS 140-validated cryptographic module operating in FIPS mode, or by an NSA-approved module, and install certificates that meet FIPS or NSA requirements.