A10 Networks ADC NDM Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000148-NDM-000246
Group -
SRG-APP-000411-NDM-000330
Group -
The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryp...Rule Medium Severity -
SRG-APP-000038-NDM-000213
Group -
The A10 Networks ADC must restrict management connections to the management network.
Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted info...Rule Medium Severity -
SRG-APP-000516-NDM-000344
Group -
The A10 Networks ADC must use DoD-approved PKI rather than proprietary or self-signed device certificates.
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure...Rule Medium Severity -
SRG-APP-000516-NDM-000333
Group -
The A10 Networks ADC must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.
By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the network device. An example of a mechanism t...Rule Medium Severity -
SRG-APP-000516-NDM-000338
Group -
SRG-APP-000001-NDM-000200
Group -
The A10 Networks ADC must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administr...Rule Medium Severity -
The A10 Networks ADC must enforce the limit of three consecutive invalid logon attempts.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. The A10 Networks ADC must be confi...Rule Medium Severity -
The A10 Networks ADC must allow only the ISSM (or individuals or roles appointed by the ISSM) Root, Read Write, or Read Only privileges.
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audi...Rule Medium Severity -
The A10 Networks ADC must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...Rule Low Severity -
The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule Medium Severity -
The A10 Networks ADC must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule High Severity -
The A10 Networks ADC must generate alerts to the administrators and ISSO when accounts are disabled.
When application accounts are disabled, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes thems...Rule Medium Severity -
The A10 Networks ADC must send Emergency messages to the Console, Syslog, and Monitor.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Low Severity -
The A10 Networks ADC must compare internal information system clocks at least every 24 hours with an authoritative time server.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Low Severity -
The A10 Networks ADC must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Tim...Rule Medium Severity -
Operators of the A10 Networks ADC must not use the Telnet client built into the device.
If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of...Rule Medium Severity -
The A10 Networks ADC must not use the default enable password.
To assure accountability and prevent unauthenticated access, organizational administrators must be uniquely identified and authenticated for all network management accesses to prevent potential mis...Rule High Severity -
The A10 Networks ADC must employ centrally managed authentication server(s).
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.