
The IDPS must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.


Overview

Finding ID: V-34681
Version: SRG-NET-000164-IDPS-00122
Rule ID: SV-45559r1_rule
IA Controls: (none listed)
Severity: Medium
Description
A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor", such as a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. This control applies to accounts configured or controlled by the IDPS itself.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42909r1_chk)
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the IDPS application itself, this is not a finding.

Inspect the user function of the device to view the PKI configuration.
Verify the DoD CA has been configured in the certificate validation setting.

If the PKI configuration does not use a valid DoD CA for certificate validation, this is a finding.
Fix Text (F-38956r1_fix)
Set the PKI certificate validation to point to a valid DoD CA.
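The path construction and status check the Description above requires, as an added example that is not part of the STIG or of any vendor's IDPS code. It uses the Python `cryptography` library and builds a throw-away root (the accepted trust anchor), intermediate and end-entity certificate plus a CRL from each CA entirely in memory; all names, keys and serial numbers are constructed, not DoD PKI data, and the validator fails closed when no status information is available for a certificate.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = datetime.now(timezone.utc), timedelta(days=1)
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def make_cert(subject, issuer, key, signer_key, is_ca):  # constructed test certificate
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
def make_crl(issuer, signer_key, revoked_serials):  # status information published by a CA
    b = x509.CertificateRevocationListBuilder().issuer_name(_name(issuer)).last_update(NOW - DAY).next_update(NOW + DAY)
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(NOW).build())
    return b.sign(signer_key, hashes.SHA256())
def validate_path(leaf, intermediates, trust_anchors, crls, max_depth=5):
    # Walk leaf -> intermediates -> anchor, checking CA flag, signature and CRL status per step.
    cert = leaf
    for _ in range(max_depth):
        issuer = next((c for c in trust_anchors + intermediates if c.subject == cert.issuer), None)
        if issuer is None:
            return False, "no path to an accepted trust anchor"
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "issuer is not a CA"
        try:  # signature over the TBS bytes must verify under the issuer's public key
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return False, "signature does not verify"
        crl = next((c for c in crls if c.issuer == issuer.subject
                    and c.is_signature_valid(issuer.public_key())), None)
        if crl is None or crl.get_revoked_certificate_by_serial_number(cert.serial_number):
            return False, "revoked or no status information: " + cert.subject.rfc4514_string()
        if issuer in trust_anchors:
            return True, "validated to trust anchor " + issuer.subject.rfc4514_string()
        cert = issuer
    return False, "path too long"
def build_demo(revoke_leaf=False):  # constructed PKI: root (trust anchor) -> intermediate -> leaf
    root_k, inter_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Demo Root CA", "Demo Root CA", root_k, root_k, True)
    inter = make_cert("Demo Intermediate CA", "Demo Root CA", inter_k, root_k, True)
    leaf = make_cert("idps.example", "Demo Intermediate CA", leaf_k, inter_k, False)
    crls = [make_crl("Demo Root CA", root_k, []),
            make_crl("Demo Intermediate CA", inter_k, [leaf.serial_number] if revoke_leaf else [])]
    return root, inter, leaf, crls
```

Calling `validate_path(leaf, [inter], [root], crls)` on `build_demo()` output succeeds, while a revoked leaf, a missing CRL, an empty trust-anchor set, or an anchor with the right name but a different key are each rejected.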