IBM DataPower Network Device Management Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000516-NDM-000342
Group
The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network device...
Rule Medium Severity
SRG-APP-000516-NDM-000344
Group
The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure...
Rule Medium Severity
SRG-APP-000038-NDM-000213
Group
The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved autho...
Rule Medium Severity
The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
The banner must be acknowledged by the administrator prior to allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accept...
Rule Medium Severity
The DataPower Gateway must protect audit information from any type of unauthorized read access.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become compromis...
Rule Medium Severity
The DataPower Gateway must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
Rule Medium Severity
The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is r...
Rule Medium Severity
The DataPower Gateway must limit privileges to change the software resident within software libraries.
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed ...
Rule Medium Severity
The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...
Rule Medium Severity
If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
Rule Medium Severity
If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
Rule Medium Severity
The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
Rule High Severity
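The three preceding rules on management-plane binding (SSH and web management on the management interface, Telnet disabled), password complexity (lower-case and special character), and the 10-minute idle timeout can all be verified offline from an exported configuration rather than by clicking through the WebGUI. The following audit script is an added example, not part of the STIG, IBM's tooling, or any checker the page refers to. The configuration syntax it parses (top-level `telnet`, `ssh` and `web-mgmt` objects with `local-address` and `idle-timeout` properties, and `pwd-mixed-case` / `pwd-nonalphanumeric` switches), the two sample excerpts, and the management interface address 10.10.1.5 are all constructed to resemble DataPower's CLI-style export format and must be treated as assumptions to be checked against a real export from the device.

```python
"""Offline audit of a DataPower-style CLI configuration export (added example).

Checks three STIG rules against an exported config: management listeners bound
to the management interface with Telnet disabled, password complexity switches
on, and a web-management idle timeout of at most 10 minutes.  Object and
property names are ASSUMED approximations of DataPower's export syntax.
"""
from typing import Dict, List, Tuple

MGMT_INTERFACE_IP = "10.10.1.5"  # assumed: address of the dedicated management interface
MAX_IDLE_SECONDS = 600           # STIG: terminate after 10 minutes of inactivity

# Constructed weak excerpt: Telnet on, listeners on every interface (0.0.0.0),
# idle timeout disabled (0), complexity switches off.
WEAK_CONFIG = """\
telnet 0.0.0.0 2300
  admin-state enabled
exit
ssh 0.0.0.0 22
web-mgmt
  admin-state enabled
  local-address 0.0.0.0
  port 9090
  idle-timeout 0
exit
pwd-minimum-length 8
pwd-mixed-case off
pwd-nonalphanumeric off
"""

# Constructed hardened excerpt: the same objects with compliant values.
HARDENED_CONFIG = """\
telnet 0.0.0.0 2300
  admin-state disabled
exit
ssh 10.10.1.5 22
web-mgmt
  admin-state enabled
  local-address 10.10.1.5
  port 9090
  idle-timeout 600
exit
pwd-minimum-length 15
pwd-mixed-case on
pwd-nonalphanumeric on
"""


def parse_cli_config(text: str) -> List[dict]:
    """Split a CLI-style export into blocks.

    A non-indented line opens a block (first token = object type, rest = args);
    indented 'key value' lines are its properties; 'exit' closes it.  A single
    top-level setting such as 'pwd-mixed-case off' is a block with no properties.
    """
    blocks: List[dict] = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():                      # property of the open block
            if current is not None:
                key, _, value = raw.strip().partition(" ")
                current["props"][key] = value
            continue
        if raw.strip() == "exit":
            current = None
            continue
        tokens = raw.split()
        current = {"name": tokens[0], "args": tokens[1:], "props": {}}
        blocks.append(current)
    return blocks


def audit(blocks: List[dict], mgmt_ip: str = MGMT_INTERFACE_IP,
          max_idle: int = MAX_IDLE_SECONDS) -> List[Tuple[str, str]]:
    """Return (object, finding) pairs; an empty list means all three rules pass."""
    by_name: Dict[str, List[dict]] = {}
    for blk in blocks:
        by_name.setdefault(blk["name"], []).append(blk)
    findings: List[Tuple[str, str]] = []

    # Telnet must be disabled.  A listener without an explicit
    # 'admin-state disabled' is treated as enabled (assumed default).
    for tel in by_name.get("telnet", []):
        if tel["props"].get("admin-state", "enabled") != "disabled":
            findings.append(("telnet", f"Telnet listener {' '.join(tel['args'])} is enabled"))

    # SSH must listen only on the management interface; 0.0.0.0 binds every interface.
    for ssh in by_name.get("ssh", []):
        addr = ssh["args"][0] if ssh["args"] else "0.0.0.0"
        if addr != mgmt_ip:
            findings.append(("ssh", f"SSH bound to {addr}, not management interface {mgmt_ip}"))

    # Web management: same binding rule, plus an idle timeout no longer than
    # 10 minutes.  0 means 'never time out' and fails the rule outright.
    for wm in by_name.get("web-mgmt", []):
        addr = wm["props"].get("local-address", "0.0.0.0")
        if addr != mgmt_ip:
            findings.append(("web-mgmt", f"WebGUI bound to {addr}, not management interface {mgmt_ip}"))
        idle = int(wm["props"].get("idle-timeout", "0"))
        if idle == 0 or idle > max_idle:
            findings.append(("web-mgmt", f"idle-timeout {idle}s (0 disables it; limit {max_idle}s)"))

    # Password complexity: mixed case covers the lower-case rule and
    # non-alphanumeric covers the special-character rule (assumed mapping).
    for setting, meaning in (("pwd-mixed-case", "mixed-case requirement"),
                             ("pwd-nonalphanumeric", "special-character requirement")):
        matches = by_name.get(setting, [])
        if not matches:
            findings.append((setting, f"{meaning} not configured"))
        for blk in matches:
            if blk["args"][:1] != ["on"]:
                findings.append((setting, f"{meaning} is off"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_cli_config(cfg))
        print(f"{label}: {len(result)} finding(s)")
        for obj, msg in result:
            print(f"  [{obj}] {msg}")
```

Run against the weak excerpt the audit reports six findings (Telnet enabled, SSH and WebGUI on 0.0.0.0, idle timeout disabled, both complexity switches off); the hardened excerpt reports none. Because the parser treats any non-indented line as an object and any indented line as a property, it tolerates other objects in a full export without special handling, but a real device export should be diffed against the assumed names here before the results are trusted.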
The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
Rule Medium Severity
The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications ses...
Rule Medium Severity
The DataPower Gateway must automatically audit account enabling actions.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
Rule Medium Severity
The DataPower Gateway must generate an immediate alert for account enabling actions.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
Rule Medium Severity
If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.
Discretionary Access Control (DAC) is based on the notion that individual network administrators are "owners" of objects and therefore have discretion over who should be authorized to access the ob...
Rule Medium Severity
If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organ...
Rule Medium Severity
The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important ...
Rule Medium Severity
The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
Rule Low Severity
The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
Unauthorized changes to the baseline configuration could make the device vulnerable to various attacks or allow unauthorized access to the device. Changes to device configurations can have unintend...
Rule Medium Severity
The DataPower Gateway must enforce access restrictions associated with changes to device configuration.
Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restric...
Rule Medium Severity
The DataPower Gateway must use SNMPv3.
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the...
Rule High Severity
The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...
Rule Medium Severity
The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execu...
Rule Medium Severity