UCF STIG Viewer Logo

Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies.


Overview

Finding ID Version Rule ID IA Controls Severity
V-94267 SYMP-AG-000260 SV-104221r1_rule Medium
Description
Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols. Since protocol anomaly analysis examines the application payload for patterns or anomalies, an HTTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound HTTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks. All inbound and outbound traffic, including HTTPS, must be inspected. However, the intention of this policy is not to mandate HTTPS inspection by the ALG. Typically, HTTPS traffic is inspected either at the source or destination and/or is directed for inspection by an organization-defined network termination point.
STIG Date
Symantec ProxySG ALG Security Technical Implementation Guide 2020-03-27

Details

Check Text ( C-93453r1_chk )
Check 1 (This is an uncommon configuration. If it is found, it has been deliberately done by the Proxy administrator and cannot/should not be removed without consultation with/advice from the administrator.)
1. Browse to Configuration >> Policy >> Policy Files and click the button to view the installed policy.
2. Using "-F", perform a search for the exact terms "detect_protocol(no)".

If this phrase appears in the policy file, this is a finding.

Discuss with the ProxySG administrator to determine why this was configured and whether an exception must be approved.

Check 2
1. Browse to Configuration >> Services >> Proxy Services, select each HTTP proxy service to be reviewed, and click "Edit Service".
2. Verify that the "Detect Protocol" checkbox is selected.

If Symantec ProxySG providing intermediary services for HTTP does not inspect inbound HTTP traffic for protocol compliance and protocol anomalies, this is a finding.
Fix Text (F-100383r1_fix)
Configure the ProxySG to perform inbound and outbound HTTP traffic protocol compliance inspection/enforcement.

Fix 1 (This is an uncommon configuration. If it is found, it has been deliberately done by the Proxy administrator and cannot/should not be removed without consultation with/advice from the administrator.)
1. Browse to Configuration >> Policy >> Policy Files and click the button to view the installed policy.
2. Using "-F", perform a search for the exact terms "detect_protocol(no)".
3. If this phrase appears in the policy, work with the ProxySG administrator to determine why this was configured, whether it can be disabled and if so, how to disable it.

Fix 2
1. Browse to Configuration >> Services >> Proxy Services, select each HTTP proxy service to be reviewed, and click "Edit Service".
2. Select the "Detect Protocol" checkbox and click "OK".
3. Once all services have been modified, click "Apply".