Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
F5 BIG-IP TMOS ALG Security Technical Implementation Guide
SRG-NET-000230-ALG-000113
SRG-NET-000230-ALG-000113
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-NET-000230-ALG-000113
1 Rule
<GroupDescription></GroupDescription>
The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.
Low Severity
<VulnDiscussion>The "Restrict to Single Client IP” is a safeguard against session hijacking or cookie theft. Even if an attacker manages to steal a session cookie, the cookie cannot be used from a different source IP address that the address used to initiate the session. This security measure is set within the APM Access Profiles. This setting has been recommended by F5 as a defense-in-depth measure. However, in some networks, this may result in false positives or rejection of legitimate connections. Users behind a shared proxy address may be denied access. Thus, sites must test this setting within their network prior to implementing to determine if there are operational impacts that prevent the use of this setting. If so, the site must document the impacts and get approval from the authorizing official (AO) if this required setting will not be implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>