
MobileIron Sentry must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.


Overview

Finding ID: V-250988
Version: MOIS-ND-000390
Rule ID: SV-250988r802186_rule
IA Controls: (not specified)
Severity: High
Description
Multi-factor authentication (MFA) is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows.

Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of the user's biometric digital presence.

Private industry recognizes and uses a wide variety of MFA solutions. However, DoD public key infrastructure (PKI) is the only prescribed method approved for DoD organizations to implement MFA. For authentication purposes, centralized DoD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed X.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DoD, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DoD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments.

Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users).

Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.
STIG: Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide
Date: 2021-09-15

Details

Check Text (C-54423r802184_chk)
Review the MobileIron Sentry Configuration to ensure Certificate Authentication has been configured.

1. Log in to the MobileIron Sentry System Manager.
2. Go to Security tab >> Advanced >> Sign-in Authentication.
3. Determine if Certificate Authentication is activated and configured.

If Certificate Authentication is not activated and configured, this is a finding.
Fix Text (F-54377r802185_fix)
Configure the MobileIron Sentry with DoD PKI-based Certificate Authentication.

1. Log in to the MobileIron Sentry System Manager.
2. Go to Security tab >> Advanced >> Sign-in Authentication.
3. Select the Certificate Authentication checkbox.
4. Select the CAC or PIV checkbox.
5. Map user certificate fields in the Certificate Attribute Mapping section based on the organization's certificates.
6. Upload the Issuing CA Certificate chain.
7. Click "Apply" and "Save" in the top right corner.
8. If using DoD PKI, ensure an EDIPI attribute is assigned to the user in the Security >> Local Users section.
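The Description requires that, once a presented certificate has been validated against the uploaded issuing CA chain, the authenticated PKI identity be mapped to exactly one local user account (the EDIPI attribute assigned in step 8 above). The following is an added example, not MobileIron Sentry code and not part of the STIG, of what that mapping step looks like when done strictly: it parses the certificate subject DN, extracts the EDIPI from the common DoD CAC subject convention (CN=LAST.FIRST.MIDDLE.<10-digit EDIPI>, an assumption about certificate layout), checks the issuer against an allowlist standing in for the uploaded chain, and denies access whenever the identity maps to zero or more than one account. The user table and issuer DN are constructed sample data; chain and signature validation are assumed to have already happened upstream.

```python
"""Map a validated DoD PKI identity to a local user account by EDIPI.

Added example; not Ivanti/MobileIron Sentry code. Assumes the certificate
chain has already been validated and that subject/issuer DNs are available
as RFC 4514 strings. CN=LAST.FIRST.MIDDLE.<EDIPI> is the common DoD CAC
subject layout (an assumption here); all data below is constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample local users; the "edipi" field is the attribute the
# Fix Text (step 8) says must be assigned for PKI login to succeed.
LOCAL_USERS: Dict[str, Dict[str, Optional[str]]] = {
    "jdoe":   {"edipi": "1234567890", "role": "admin"},
    "asmith": {"edipi": "0987654321", "role": "auditor"},
    "ghost":  {"edipi": None, "role": "admin"},  # no EDIPI: PKI login impossible
}

# Constructed placeholder for the issuing CA DNs covered by the uploaded chain
# (Fix Text step 6). A real deployment derives this from the trust store.
TRUSTED_ISSUERS = {
    "CN=DOD ID CA-PLACEHOLDER,OU=PKI,OU=DoD,O=U.S. Government,C=US",
}

# CN must end in exactly ten digits preceded by a dot: LAST.FIRST.MIDDLE.EDIPI
EDIPI_RE = re.compile(r"^(?P<name>.+)\.(?P<edipi>\d{10})$")


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse an RFC 4514 DN string into attribute type -> list of values.

    Handles backslash escapes (so 'Smith\\, Jane' keeps its comma). Multi-valued
    RDNs joined with '+' are not split; they are not used in this example.
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    attrs: Dict[str, List[str]] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        attrs.setdefault(attr_type.strip().upper(), []).append(value.strip())
    return attrs


def extract_edipi(subject_dn: str) -> str:
    """Return the EDIPI from the subject CN, or raise if the CN does not carry one."""
    cn_values = parse_dn(subject_dn).get("CN", [])
    if len(cn_values) != 1:
        raise ValueError("subject must carry exactly one CN")
    match = EDIPI_RE.match(cn_values[0])
    if not match:
        raise ValueError("CN does not end in a 10-digit EDIPI")
    return match.group("edipi")


def map_identity(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Return the local username for a validated certificate, or None to deny.

    Denies when the issuer is not trusted, when no EDIPI can be extracted, or
    when the EDIPI matches zero or more than one local account: an ambiguous
    mapping is treated as no mapping at all.
    """
    if issuer_dn not in TRUSTED_ISSUERS:
        return None
    try:
        edipi = extract_edipi(subject_dn)
    except ValueError:
        return None
    matches = [name for name, rec in LOCAL_USERS.items() if rec["edipi"] == edipi]
    if len(matches) != 1:
        return None
    return matches[0]


if __name__ == "__main__":
    issuer = "CN=DOD ID CA-PLACEHOLDER,OU=PKI,OU=DoD,O=U.S. Government,C=US"
    for subject in (
        "CN=DOE.JOHN.A.1234567890,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=DOE.JOHN.A,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=NOBODY.X.Y.5555555555,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    ):
        print(subject, "->", map_identity(subject, issuer))
```

The important design choice is the last check in map_identity: a certificate that validates cryptographically but has no exactly-one-account mapping is still a denied login, which is what the Description means by the device having to "map the authenticated identity to the user account" when no central server does it.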