Symantec ProxySG ALG Security Technical Implementation Guide


Overview

Date: 2020-03-27
Finding Count (66): CAT I (High): 9, CAT II (Med): 57, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-94281 High Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges.
V-94279 High Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-94275 High Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments.
V-94283 High Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers.
V-94221 High Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
V-94227 High Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
V-94229 High Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-94301 High Symantec ProxySG must terminate all network connections associated with a communications session at the end of the session or terminate user sessions (nonprivileged session) after 15 minutes of inactivity.
V-94311 High Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions.
V-94293 Medium Symantec ProxySG must prohibit the use of cached authenticators after 300 seconds at a minimum.
V-94291 Medium Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
V-94303 Medium Symantec ProxySG providing forward proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
V-94343 Medium Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.
V-94305 Medium Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
V-94271 Medium Symantec ProxySG must not have unnecessary services and functions enabled.
V-94273 Medium Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services.
V-94319 Medium Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks.
V-94307 Medium Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
V-94333 Medium Symantec ProxySG providing content filtering must be configured to integrate with a system-wide intrusion detection system.
V-94335 Medium Symantec ProxySG providing content filtering must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.
V-94297 Medium Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-94257 Medium Symantec ProxySG must use a centralized log server.
V-94329 Medium Symantec ProxySG must identify and log internal users associated with denied outgoing communications traffic posing a threat to external information systems.
V-94321 Medium Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
V-94255 Medium Symantec ProxySG must generate audit records containing information to establish the identity of any individual or process associated with the event.
V-94223 Medium Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite.
V-94241 Medium Symantec ProxySG providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.
V-94233 Medium Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules.
V-94225 Medium Symantec ProxySG storing secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
V-94341 Medium Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
V-94243 Medium Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful attempts to access web resources occur.
V-94235 Medium Symantec ProxySG providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
V-94285 Medium Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-94315 Medium Symantec ProxySG must fail to a secure state upon failure of initialization, shutdown, or abort actions.
V-94277 Medium Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication.
V-94313 Medium If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
V-94337 Medium Symantec ProxySG providing content filtering must generate a log record when access attempts to unauthorized websites and/or services are detected.
V-94267 Medium Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies.
V-94245 Medium Symantec ProxySG must produce audit records containing information to establish what type of events occurred.
V-94265 Medium Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies.
V-94251 Medium Symantec ProxySG must produce audit records containing information to establish the source of the events.
V-94263 Medium The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies.
V-94247 Medium Symantec ProxySG must produce audit records containing information to establish when (date and time) the events occurred.
V-94309 Medium Symantec ProxySG providing reverse proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
V-94325 Medium Symantec ProxySG must fail securely in the event of an operational failure.
V-94345 Medium Symantec ProxySG providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
V-94249 Medium Symantec ProxySG must produce audit records containing information to establish where the events occurred.
V-94261 Medium Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
V-94239 Medium Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur.
V-94331 Medium Symantec ProxySG must tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-94347 Medium Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected.
V-94317 Medium Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
V-94339 Medium Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when access attempts to unauthorized websites and/or services are detected.
V-94269 Medium Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies.
V-94299 Medium Symantec ProxySG providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
V-94295 Medium Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store.
V-94231 Medium Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
V-94219 Medium Symantec ProxySG providing intermediary services for remote access communications traffic must ensure outbound traffic is monitored for compliance with remote access security policies.
V-94289 Medium Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts.
V-94253 Medium Symantec ProxySG must produce audit records containing information to establish the outcome of the events.
V-94237 Medium Symantec ProxySG providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
V-94327 Medium Symantec ProxySG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
V-94287 Medium Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-94323 Medium Symantec ProxySG must allow incoming communications only from organization-defined authorized sources routed to organization-defined authorized destinations.
V-94217 Medium If Symantec ProxySG filters externally initiated traffic, reverse proxy services must be configured.
V-94259 Medium Symantec ProxySG must be configured to send the access logs to the centralized log server continuously.