Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16148 | SUN0180 | SV-17137r1_rule | ECSC-1 | Medium |
Description |
---|
It is possible to spoof a Sun Ray server or a Sun Ray client and pose as either. This leads to the man-in-the-middle attack, in which an impostor claims to be the Sun Ray server for the clients and pretends to be a client for the server. It then goes about intercepting all the messages and having access to all the secure data. Client and server authentication can resolve this type of attack. Server-side authentication is only supported, through the pre-configured public-private key pairs in Sun Ray Server Software and firmware. The Digital Signature Algorithm (DSA) is used to verify that clients are communicating with a valid Sun Ray server. This authentication scheme is not completely foolproof, but it mitigates man-in-the-middle attacks and makes it harder for attackers to spoof Sun Ray Server Software. |
STIG | Date |
---|---|
Sun Ray 4 STIG | 2015-04-02 |
Check Text ( C-17190r1_chk ) |
---|
Within the Sun Ray Administration console, perform the following: 1. Select the Advanced Tab. 2. Select the Security Tab. 3. Verify that “Server Authentication” is checked. If it is not checked, this is a finding. |
Fix Text (F-16252r1_fix) |
---|
Enable Server Authentication for the Sun Ray server. |