Application Layer Gateway Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The ALG must protect audit tools from unauthorized modification.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...Rule Medium Severity -
SRG-NET-000103
Group -
SRG-NET-000131
Group -
The ALG must not have unnecessary services and functions enabled.
Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The org...Rule Medium Severity -
SRG-NET-000131
Group -
The ALG must be configured to remove or disable unrelated or unneeded application proxy services.
Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy t...Rule Medium Severity -
SRG-NET-000132
Group -
The ALG must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable...Rule Medium Severity -
SRG-NET-000138
Group -
The ALG providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users...Rule Medium Severity -
SRG-NET-000138
Group -
SRG-NET-000138
Group -
The ALG providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users only. Users are prompted by the application or bro...Rule Medium Severity -
SRG-NET-000140
Group -
The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor auth...Rule Medium Severity -
SRG-NET-000147
Group -
SRG-NET-000164
Group -
SRG-NET-000166
Group -
The ALG providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bou...Rule Medium Severity -
SRG-NET-000169
Group -
The ALG providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. ...Rule Medium Severity -
SRG-NET-000192
Group -
SRG-NET-000202
Group -
SRG-NET-000213
Group -
The ALG must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule Medium Severity -
SRG-NET-000228
Group -
The ALG must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution ...Rule Medium Severity -
SRG-NET-000230
Group -
The ALG must protect the authenticity of communications sessions.
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications pro...Rule Medium Severity -
SRG-NET-000231
Group -
SRG-NET-000233
Group -
SRG-NET-000234
Group -
SRG-NET-000235
Group -
SRG-NET-000236
Group -
In the event of a system failure of the ALG function, the ALG must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
Failure in a secure state can address safety or security in accordance with the mission needs of the organization. Failure to a secure state helps prevent a loss of confidentiality, integrity, or a...Rule Medium Severity -
SRG-NET-000246
Group -
SRG-NET-000248
Group -
SRG-NET-000249
Group -
The ALG providing content filtering must block malicious code upon detection.
Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of this code on the network. This requirement is limited to ALGs web content filters an...Rule Medium Severity -
SRG-NET-000249
Group -
SRG-NET-000249
Group -
The ALG providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.
Without an alert, security personnel may be unaware of an impending failure of the audit capability; then the ability to perform forensic analysis and detect rate-based and other anomalies will be ...Rule Medium Severity -
SRG-NET-000251
Group -
SRG-NET-000273
Group -
The ALG must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
Providing too much information in error messages risks compromising the data and security of the application and system. Organizations carefully consider the structure/content of error messages. T...Rule Medium Severity -
SRG-NET-000280
Group -
SRG-NET-000280
Group -
The ALG that is part of a CDS must block the transfer of data with malformed security attribute metadata structures.
Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Metadata is information used to describe the characteristics of data. Metadata can include str...Rule Medium Severity -
SRG-NET-000282
Group -
SRG-NET-000283
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.