
The network device must protect non-local maintenance sessions through the use of multifactor authentication which is tightly bound to the user.


Overview

Finding ID: SRG-NET-000174-NDM-000133
Version: SRG-NET-000174-NDM-000133
Rule ID: SRG-NET-000174-NDM-000133_rule
IA Controls:
Severity: Medium
Description
The network device must protect non-local maintenance sessions through the use of a strong authenticator which is tightly bound to the user. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of non-local maintenance and diagnostic sessions reflect the network access requirements. Without authentication, anyone with logical access can access the network device, allowing intruders to compromise resources within the network infrastructure. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. An example of a strong authenticator is PKI, where certificates are stored on a token which is protected by a password, passphrase, or biometric. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000174-NDM-000133_chk)
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the network device application itself, this is not a finding.

Verify non-local access to accounts authorized to perform maintenance and diagnostic activities on the network device requires authenticated access.
Verify the authentication used is a multifactor authentication method (e.g., PKI or DoD Alternate Token).

If multifactor authentication is not used for non-local maintenance sessions, this is a finding.
Fix Text (F-SRG-NET-000174-NDM-000133_fix)
Configure the network device to require login to an authentication server which uses multifactor authentication for non-local maintenance sessions.
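The following is an added example, not part of the SRG or of the STIG Viewer page, showing how the check and fix above can be applied to a device configuration in an automated audit. It applies the page's decision rule to the management (vty) login path: if login for remote sessions is delegated to an external authentication server via AAA, the requirement is not a finding on the device (MFA is then verified on the server); if the device itself authenticates remote administrators with a local username or line password, that is single-factor and is a finding. The SRG is vendor-neutral; the IOS-style AAA syntax, the list and group names, and the sample configurations below are all assumptions constructed for illustration, with placeholder secrets.

```python
"""Audit helper for SRG-NET-000174-NDM-000133 (added example, not SRG text).

Assumes IOS-style AAA syntax purely for illustration; the SRG itself is
vendor-neutral. All configurations below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: remote login delegated to a TACACS+ server group,
# with a local fallback. Key and secret values are placeholders.
CONFIG_DELEGATED = """\
aaa new-model
aaa group server tacacs+ MGMT-TACACS
 server-private 10.0.0.5 key 7 PLACEHOLDER-KEY
aaa authentication login VTY-AUTH group MGMT-TACACS local
username admin privilege 15 secret 9 $9$PLACEHOLDER
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
"""

# Constructed sample: the device authenticates remote administrators
# itself against a local username database (single factor).
CONFIG_LOCAL_ONLY = """\
no aaa new-model
username admin privilege 15 secret 9 $9$PLACEHOLDER
line vty 0 4
 login local
 transport input ssh
"""

EXTERNAL_PROTOCOLS = {"tacacs+", "radius"}


@dataclass
class Result:
    status: str                      # "NOT_A_FINDING" or "FINDING"
    reasons: list = field(default_factory=list)


def parse_aaa_login_lists(lines):
    """Map each AAA login method list name to its ordered method tokens."""
    lists = {}
    for line in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def parse_server_groups(lines):
    """Map each named AAA server group to its protocol (tacacs+ or radius)."""
    groups = {}
    for line in lines:
        m = re.match(r"aaa group server (tacacs\+|radius) (\S+)", line.strip())
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def parse_vty_login(lines):
    """Return the login method under 'line vty' blocks.

    ("aaa", list_name) for 'login authentication <list>', ("local", None)
    for 'login local', ("password", None) for a bare 'login', or
    (None, None) if nothing is configured (AAA default list applies when
    'aaa new-model' is enabled).
    """
    in_vty, result = False, (None, None)
    for raw in lines:
        if not raw.startswith(" "):            # a new top-level stanza
            in_vty = raw.startswith("line vty")
            continue
        if not in_vty:
            continue
        s = raw.strip()
        if s.startswith("login authentication "):
            result = ("aaa", s.split()[2])
        elif s == "login local":
            result = ("local", None)
        elif s == "login":
            result = ("password", None)
    return result


def first_method_is_external(methods, groups):
    """True when the primary AAA method is an external server (group)."""
    if len(methods) < 2 or methods[0] != "group":
        return False
    target = methods[1]
    return target in EXTERNAL_PROTOCOLS or groups.get(target) in EXTERNAL_PROTOCOLS


def assess(config_text):
    """Apply the SRG check logic to one running configuration."""
    lines = config_text.splitlines()
    aaa_enabled = any(l.strip() == "aaa new-model" for l in lines)
    groups = parse_server_groups(lines)
    login_lists = parse_aaa_login_lists(lines)
    kind, name = parse_vty_login(lines)

    if kind == "aaa" or (aaa_enabled and kind is None):
        list_name = name or "default"
        methods = login_lists.get(list_name, [])
        if first_method_is_external(methods, groups):
            return Result("NOT_A_FINDING", [
                f"vty login uses AAA list '{list_name}' ({' '.join(methods)}): "
                "authentication is delegated to a network authentication server; "
                "confirm MFA is enforced on that server"])
        return Result("FINDING", [
            f"AAA list '{list_name}' does not delegate to an external server: "
            f"{' '.join(methods) or 'undefined'}"])
    return Result("FINDING", [
        "vty login is handled by the device itself (local username or line "
        "password), which is single-factor"])


if __name__ == "__main__":
    for label, cfg in (("delegated", CONFIG_DELEGATED), ("local-only", CONFIG_LOCAL_ONLY)):
        r = assess(cfg)
        print(f"{label}: {r.status} - {r.reasons[0]}")
```

The script only decides whether the device has delegated remote-session authentication; per the check text, the MFA method itself (for example PKI or an alternate token) is then verified on the authentication server, not on the device.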