| V-275452 | high | The Riverbed NetIM must enable and configure user audit logging. | Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
If the User-Audit Logging role is not assigned to an admin, then all admins can see the log. If the role is defined, then the role is the only one that can see the local audit log.
Satisfies: SRG-APP-000028-NDM-000210, SRG-APP-000381-NDM-000305, SRG-APP-000029-NDM-000211, SRG-APP-000027-NDM-000209, SRG-APP-000091-NDM-000223, SRG-APP-000092-NDM-000224, SRG-APP-000516-NDM-000334, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000099-NDM-000229, SRG-APP-000098-NDM-000228, SRG-APP-000097-NDM-000227, SRG-APP-000096-NDM-000226, SRG-APP-000095-NDM-000225, SRG-APP-000101-NDM-000231, SRG-APP-000100-NDM-000230, SRG-APP-000177-NDM-000263, SRG-APP-000319-NDM-000283, SRG-APP-000026-NDM-000208, SRG-APP-000343-NDM-000289 |
| V-275454 | high | The Riverbed NetIM must be configured to assign appropriate user roles or access levels to authenticated users. | Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. |
| V-275461 | high | The Riverbed NetIM must be configured to use an authentication server configured for multifactor authentication (MFA) using DOD PKI for the purpose of authenticating users prior to granting administrative access. | MFA is the requirement that two or more factors be used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user's biometric digital presence.
Private industry recognizes and uses a variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates generated by the issuing CA are downloaded and saved to smartcards, referred to as common access cards (CAC) or personal identity verification (PIV) cards within the DOD. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users).
Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.
Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180 |
| V-275473 | high | The Riverbed NetIM must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. |
| V-275453 | medium | The Riverbed NetIM must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. |
| V-275455 | medium | NetIM must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users. |
| V-275456 | medium | NetIM must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. | The banner must be acknowledged by the administrator prior to the device allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DOD will not be in compliance with system use notifications required by law.
To establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement.
In the case of CLI access using a terminal client, entering the username and password when the banner is presented is considered an explicit action of acknowledgement. Entering the username, viewing the banner, then entering the password is also acceptable. |
| V-275462 | medium | The Riverbed NetIM must support organizational requirements to back up the NetIM application and security configuration when changes occur. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who utilize this critical network component.
This control requires the Riverbed NetIM to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups. |
| V-275465 | medium | The Riverbed NetIM must enforce a minimum 15-character password length. | Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. |
| V-275467 | medium | The Riverbed NetIM must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof. |
| V-275481 | medium | The Riverbed NetIM must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| V-275482 | medium | The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited. | Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration.
The ability to off-load those files is a common process used while managing information systems. |
| V-275488 | medium | The Riverbed NetIM must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
The IP Detection Service tracks IP addresses (IPs) in the network and allows a user to query an IP address to determine the switch port to which a network device is connected. SNMP access to devices and a read-only community string (or equivalent SNMP v3 credentials) are required for the IP Detection Service to function. Community strings/credentials stored on NetIM are encrypted. |
| V-275457 | low | The Riverbed NetIM must generate an alert of all audit failure events. | To ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors. |
| V-275466 | low | The Riverbed NetIM must be configured to require immediate selection of a new password upon account recovery for password-based authentication. | Specify a temporary password to improve security. A temporary password can be enabled only if Account Control is enabled. If a temporary password is set, then the password set by Admin/Sys Admin for the new user shall expire on the first log in of the new user. A password expired page will appear for new users after the first login. |