The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Severity: high
Group ID: V-279251
Group Title: SRG-APP-000080-NDM-000220
Version: SYME-ND-000190
Rule ID: SV-279251r1170682_rule
Date: 2025-12-18
STIG Version: 1
Description
Before continuing, the site must follow the configuration steps in SYME-ND-000100.

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative, defining administrator accounts locally on each device, exposes each device's configuration to remote authentication attacks and leaves system administrators managing a separate set of authenticators for every network device.

Satisfies: SRG-APP-000080-NDM-000220, SRG-APP-000516-NDM-000336, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000131-NDM-000243, SRG-APP-000133-NDM-000244, SRG-APP-000156-NDM-000250, SRG-APP-000231-NDM-000271, SRG-APP-000329-NDM-000287, SRG-APP-000408-NDM-000314, SRG-APP-000149-NDM-000247, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180
Check
Web UI, HTTPS-console service:
1. In the Edge SWG Web UI, navigate to the Configuration tab.
2. Go to Services >> Management Services.
3. Click "Edit" next to HTTPS-console.
Under "Service Settings", if "Verify Client" is not checked, this is a finding.

Under the "Authentication" section under "Configuration and Realms and Domains", if a Certificate Realm is not configured and set with a valid LDAP authorization realm, this is a finding.

Web UI, VPM:
In the Edge SWG Web UI, navigate to the VPM. If an Admin Access layer is configured for HTTPS-console, verify the group is derived from the CAC/LDAPS admin group; otherwise, this is a finding. For the SSH-console, verify the group is derived from the LDAPS admin group; otherwise, this is a finding.

SSH CLI, SSH-console certificate authentication:
1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Enter "ssh-console" and then "x509-auth".
4. Enter "view".
If "x509 certificate authentication" states "disabled", this is a finding.
Fix
To restrict console access to the allowed management prefixes:
1. In the Edge SWG Web UI, navigate to the Configuration tab.
2. Go to "Authentication" and "Console Access".
3. Under "Console Access", click "Add ACL Entry".
4. In the open block, add the IPv4 or IPv6 source address or network under "Source Address", then add the subnet mask or CIDR prefix under "Prefix Length" (e.g., 2001:db8:1:: and 48).
5. Click "Apply" next to the entry.
6. Repeat the above steps by adding all the allowed management prefixes.
Note: Ensure the source address of the current session is in one of the allowed IPv4 or IPv6 subnets, or the session will be disconnected after clicking "Save".
7. Once completed, click "Save".

To add the timeouts:
1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Enter "security management web-timeout 5".
4. Enter "security management cli-timeout 5".

To add lockout configurations:
1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Issue the command "security local-user-list create local".
4. Enter "security local-user-list edit local".
5. Enter "max-failed-attempts 3".
6. Enter "lockout-duration 900".
7. Enter "reset-interval 900".
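The console-access ACL step above carries a lockout hazard: if the address of the session that clicks "Save" is not inside one of the entered prefixes, the appliance drops that session. The following Python script is an added example written for this page, not Symantec code and not part of the STIG; it pre-checks a planned ACL offline with the standard library ipaddress module. The ACL entries (the 2001:db8:1::/48 value from the Fix text plus a hypothetical 10.10.0.0/24 management subnet) and the session source addresses are constructed sample data, and the function names are the example's own.

```python
import ipaddress

# Constructed example ACL, as (Source Address, Prefix Length) pairs exactly as
# they would be typed into the "Add ACL Entry" block. The IPv6 entry is the
# one quoted in the Fix; the IPv4 entry is a hypothetical management subnet.
PLANNED_ACL = [
    ("2001:db8:1::", 48),
    ("10.10.0.0", 24),
]


def build_networks(entries):
    """Convert (address, prefix_length) pairs into ip_network objects.

    strict=True rejects an entry whose host bits are set (e.g. 10.10.0.5/24)
    and the library rejects a prefix length that does not fit the address
    family (e.g. an IPv4 address with /48); both raise ValueError, which is
    better caught here than by a mis-saved ACL on the appliance.
    """
    return [ipaddress.ip_network(f"{addr}/{plen}", strict=True)
            for addr, plen in entries]


def session_survives(entries, session_source):
    """True if the given session source address matches at least one ACL prefix.

    Only prefixes of the same IP version as the session address are consulted;
    an IPv6 admin session is not protected by an IPv4 entry.
    """
    src = ipaddress.ip_address(session_source)
    return any(src in net for net in build_networks(entries)
               if net.version == src.version)


def acl_report(entries, session_sources):
    """Map each candidate admin session address to whether it keeps access.

    Run this with every address administrators connect from before clicking
    "Save", and add the missing prefix rather than saving an ACL that cuts
    off the session doing the edit.
    """
    return {src: session_survives(entries, src) for src in session_sources}


if __name__ == "__main__":
    # Constructed sample sessions: one inside each prefix, one outside both.
    for src, ok in acl_report(PLANNED_ACL,
                              ["2001:db8:1:5::10", "10.10.0.200", "192.0.2.7"]).items():
        print(f"{src:>20}: {'keeps access' if ok else 'WOULD BE DISCONNECTED'}")
```

Any address reported as disconnected means a prefix is missing from the ACL; fix the entry list before pressing "Save", since recovering from a self-lockout requires access through a path the ACL still permits.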