Symantec ProxySG providing reverse proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-94309	SYMP-AG-000480	SV-104263r1_rule		Medium

Description
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the Federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).

Description

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the Federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).

STIG	Date
Symantec ProxySG ALG Security Technical Implementation Guide	2020-03-27

Details

Check Text ( C-93495r1_chk )
Verify that TLS reverse proxy intermediary services are configured to comply with NIST FIPS-validated cryptography. 1. Verify with the ProxySG administrator that reverse proxy services are configured. 2. Log on to the Web Management Console. 3. Click Configuration >> Services >> Proxy Services. 4. For each reverse proxy service identified by the administrator, click "Edit Service" and Verify that only NIST FIPS-validated SSL protocols are enabled. 5. Log on to the ProxySG SSH CLI. 6. Type "enable" and enter the enable password. 7. Type "configure" and press "Enter". 8. Type "proxy-services" and press "Enter". 9. For each reverse proxy service identified by the administrator, type "edit 10. Type "view" and verify that only NIST FIPS-validated cipher suites are listed. See the Blue Coat Reverse Proxy WebGuide for more information. If Symantec ProxySG providing reverse proxy encryption intermediary services does not use NIST FIPS-validated cryptography to implement encryption services, this is a finding.

Check Text ( C-93495r1_chk )

Verify that TLS reverse proxy intermediary services are configured to comply with NIST FIPS-validated cryptography.

1. Verify with the ProxySG administrator that reverse proxy services are configured.
2. Log on to the Web Management Console.
3. Click Configuration >> Services >> Proxy Services.
4. For each reverse proxy service identified by the administrator, click "Edit Service" and Verify that only NIST FIPS-validated SSL protocols are enabled.
5. Log on to the ProxySG SSH CLI.
6. Type "enable" and enter the enable password.
7. Type "configure" and press "Enter".
8. Type "proxy-services" and press "Enter".
9. For each reverse proxy service identified by the administrator, type "edit 10. Type "view" and verify that only NIST FIPS-validated cipher suites are listed.

See the Blue Coat Reverse Proxy WebGuide for more information.

If Symantec ProxySG providing reverse proxy encryption intermediary services does not use NIST FIPS-validated cryptography to implement encryption services, this is a finding.

Fix Text (F-100425r1_fix)
Configure TLS reverse proxy intermediary services to comply with NIST FIPS-validated cryptography. 1. Verify with the ProxySG administrator that reverse proxy services are configured. 2. Log on to the Web Management Console. 3. Click Configuration >> Services >> Proxy Services. 4. For each reverse proxy service configured, click "Edit Service" and select only NIST FIPS-validated SSL protocols. Click "Apply". 5. Log on to the ProxySG SSH CLI. 6. Type "enable" and enter the enable password. 7. Type "configure" and press "Enter". 8. Type "proxy-services" and press "Enter". 9. For each reverse proxy service identified by the administrator, type "edit 10. Type "attribute" followed by a list of the desired NIST FIPS-validated cipher suites. See the Blue Coat Reverse Proxy WebGuide for more information.

Fix Text (F-100425r1_fix)

Configure TLS reverse proxy intermediary services to comply with NIST FIPS-validated cryptography.

1. Verify with the ProxySG administrator that reverse proxy services are configured.
2. Log on to the Web Management Console.
3. Click Configuration >> Services >> Proxy Services.
4. For each reverse proxy service configured, click "Edit Service" and select only NIST FIPS-validated SSL protocols. Click "Apply".
5. Log on to the ProxySG SSH CLI.
6. Type "enable" and enter the enable password.
7. Type "configure" and press "Enter".
8. Type "proxy-services" and press "Enter".
9. For each reverse proxy service identified by the administrator, type "edit 10. Type "attribute" followed by a list of the desired NIST FIPS-validated cipher suites.

See the Blue Coat Reverse Proxy WebGuide for more information.