Forescout must use DOD-approved PKI rather than proprietary or self-signed device certificates.
An XCCDF Rule
Description
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs. Forescout generates a key-pair and a Certificate Signing Request (CSR). The CSR is sent to the approved certificate authority (CA), who signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a CSR, submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-230959r1026165_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Replace the self-signed certificate with a CA-signed certificates for greater security. To obtain a CA-signed certificate:
Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment.
1. Navigate to Tools >> Options >> Certificates >> System Certificates.
2. On the right of the screen click "Generate CSR".
3. Enter the values for generating a CSR.