UCF STIG Viewer Logo

Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide


Overview

Date Finding Count (32)
2021-09-16 CAT I (High): 0 CAT II (Med): 21 CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-251009 Medium The Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers, of the communications traffic.
V-251008 Medium The Sentry must enforce approved authorizations for logical access to information and system resources by enabling identity-based, role-based, and/or attribute-based security policies. These controls are enabled in MobileIron UEM (MobileIron Core) and applied by the Sentry for conditional access enforcement.
V-251025 Medium The Sentry providing mobile device authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
V-251024 Medium The Sentry providing mobile device authentication intermediary services must restrict mobile device authentication traffic to specific authentication server(s).
V-251027 Medium The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
V-251026 Medium The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-251029 Medium The Sentry must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for mobile device sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity.
V-251028 Medium The Sentry providing PKI-based mobile device authentication intermediary services must map authenticated identities to the mobile device account.
V-251023 Medium The Sentry providing mobile device access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate mobile device account access authorizations and privileges.
V-251022 Medium The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-251031 Medium The Sentry providing mobile device authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-251036 Medium The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-251011 Medium The Sentry providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
V-251012 Medium If Sentry stores secret or private keys, it must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
V-251013 Medium The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
V-251038 Medium The Sentry providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
V-251010 Medium The Sentry must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-251037 Medium The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
V-251034 Medium The Sentry must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-251014 Medium The Sentry providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
V-251032 Medium The Sentry providing mobile device authentication intermediary services using PKI-based mobile device authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
V-251021 Low The Sentry must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.
V-251020 Low The Sentry must generate audit records containing information to establish the identity of any individual or process associated with the event.
V-251018 Low The Sentry must produce audit records containing information to establish the source of the events.
V-251019 Low The Sentry must produce audit records containing information to establish the outcome of the events.
V-251039 Low The Sentry must offload audit records onto a centralized log server in real time.
V-251035 Low The Sentry must reveal error messages only to the ISSO, ISSM, and SCA.
V-251033 Low The Sentry must implement load balancing to limit the effects of known and unknown types of Denial-of-Service (DoS) attacks.
V-251016 Low The Sentry must produce audit records containing information to establish when (date and time) the events occurred.
V-251015 Low The Sentry must produce audit records containing information to establish what type of events occurred.
V-251030 Low The Sentry must offload audit records onto a centralized log server.
V-251017 Low The Sentry must produce audit records containing information to establish where the events occurred.