F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
SRG-NET-000355-ALG-000117
An XCCDF Group - A logical subset of the XCCDF Benchmark
1 Rule
The F5 BIG-IP appliance APM Access Policies that grant access to web application resources must allow only client certificates that carry the User Principal Name (UPN) value present in User Persona Client Certificates.
Low Severity
<VulnDiscussion>To enhance security, it is advisable to append additional checks and APM Deny/Fallback branches to APM Access Profiles for the case where a UPN cannot be extracted. To guarantee that only DISA User Persona certificates are used for accessing web applications, it is recommended to carry out additional APM Access Policy checks against the Client Certificate. DISA incorporates a User Principal Name (UPN) in its User Persona Client Certificates; this key/value pair is not present in DISA server certificates. Based on DOD session authentication policy, the LTM+APM configuration will include Client Certificate Authentication, an OCSP Revocation Check, a Variable Assignment that extracts the UserPrincipalName, and then an LDAP query. This query verifies that a corresponding Active Directory User object exists for the provided UserPrincipalName. The sAMAccountName it returns is then set as an APM session variable for use by the SSO Profile. Once an LTM+APM session is granted, the User-Agent is permitted to transmit data to the server side of the proxy, which invokes the SSO Profile if applicable. To ensure that only DISA Client Certificates from CACs can access the web application, an additional branch was added to the Variable Assignment. The scripts were adjusted to verify that the UserPrincipalName exists; if it does not, the UserPrincipalName APM session variable is set to "UPN Collection Error", which is directed to an APM Policy Deny.

NPE certificates issued by DISA carry both the TLS WWW Client Authentication (OID 1.3.6.1.5.5.7.3.2) and TLS WWW Server Authentication (OID 1.3.6.1.5.5.7.3.1) extended key usage purposes, so an EKU check alone does not distinguish them from User Persona certificates.</VulnDiscussion>
<Documentable>false</Documentable>
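The following is an added model of the decision branch the discussion describes; it is not the F5 APM Tcl variable-assignment script and not part of the STIG text. It takes an already-parsed client certificate (a constructed dict standing in for what APM exposes after Client Certificate Authentication and the OCSP check, both assumed to have passed) and applies the same sequence: require the client-authentication EKU, extract the UPN from the subjectAltName otherName, resolve it to a sAMAccountName in a constructed stand-in for the LDAP query, and otherwise set the "UPN Collection Error" value and deny. The `Session` class, the sample certificates and the directory mapping are all assumptions made for the example.

```python
"""Model of the APM access-policy branch: EKU check, UPN extraction, LDAP lookup.

Constructed example (not the F5 APM Tcl script). The certificate dicts, the
Session class and the directory mapping are assumptions for illustration.
"""
from dataclasses import dataclass

# Well-known OIDs (standard values, not specific to this page).
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, TLS WWW Client Authentication
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, TLS WWW Server Authentication
OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName in subjectAltName

UPN_ERROR = "UPN Collection Error"      # sentinel value named in the STIG discussion


@dataclass
class Session:
    """Stand-in for the APM session variables the policy sets (assumed names)."""
    upn: str = ""
    sam_account_name: str = ""
    decision: str = "Deny"
    reason: str = ""


def extract_upn(cert: dict) -> str:
    """Return the UPN from the SAN otherName entries, or UPN_ERROR if none exists.

    Mirrors the adjusted Variable Assignment: a missing UPN does not fall through
    silently, it yields the sentinel that routes the session to the Deny ending.
    """
    for entry in cert.get("san", []):
        if entry.get("type") == "otherName" and entry.get("oid") == OID_MS_UPN:
            value = entry.get("value", "").strip()
            if value:
                return value
    return UPN_ERROR


def evaluate_policy(cert: dict, directory: dict) -> Session:
    """Run the policy branch against one client certificate and a UPN->sAMAccountName map."""
    s = Session()
    if OID_CLIENT_AUTH not in set(cert.get("eku", [])):
        s.reason = "certificate lacks TLS WWW Client Authentication EKU"
        return s
    s.upn = extract_upn(cert)
    if s.upn == UPN_ERROR:
        # NPE/server certificates reach this branch: they pass the EKU check
        # but carry no UPN, so the UPN branch is what actually excludes them.
        s.reason = "no UPN in client certificate; routed to Deny"
        return s
    sam = directory.get(s.upn.lower())      # stand-in for the LDAP query
    if sam is None:
        s.reason = "no Active Directory user object for UPN"
        return s
    s.sam_account_name = sam                # consumed by the SSO Profile
    s.decision = "Allow"
    s.reason = "UPN resolved; sAMAccountName set for SSO"
    return s


# Constructed sample inputs (not real certificates or accounts).
PERSONA_CERT = {
    "eku": [OID_CLIENT_AUTH],
    "san": [{"type": "otherName", "oid": OID_MS_UPN, "value": "1234567890@mil"}],
}
NPE_CERT = {
    "eku": [OID_CLIENT_AUTH, OID_SERVER_AUTH],     # both purposes, as the discussion notes
    "san": [{"type": "dNSName", "value": "app.example.test"}],
}
UNKNOWN_UPN_CERT = {
    "eku": [OID_CLIENT_AUTH],
    "san": [{"type": "otherName", "oid": OID_MS_UPN, "value": "0000000000@mil"}],
}
DIRECTORY = {"1234567890@mil": "jdoe"}   # constructed UPN -> sAMAccountName map


if __name__ == "__main__":
    for name, cert in (("persona", PERSONA_CERT), ("npe", NPE_CERT), ("unknown", UNKNOWN_UPN_CERT)):
        result = evaluate_policy(cert, DIRECTORY)
        print(f"{name}: {result.decision} ({result.reason})")
```

Running the block shows the three outcomes side by side: the persona certificate is allowed with its sAMAccountName populated, the NPE certificate is denied with the session UPN set to "UPN Collection Error" even though its EKU check passes, and a well-formed UPN with no matching directory object is denied at the lookup step.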