The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

An XCCDF Rule

Description

<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A non-privileged account is any account with the authorizations of a non-privileged user. Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Security relevant roles include key management, account management, network and system administration, database administration, and web administration. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use) or challenges (e.g., TLS). Additional techniques include time-synchronous or challenge-response one-time authenticators. This requirement applies to ALGs that provide user authentication intermediary services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-79713r1_rule
Severity: Medium
References: CCI-001942
Updated: about 1 year ago

To define mutual TLS connections when the DataPower device is the requesting client, use the DataPower WebGUI at Objects >> Crypto Configuration.
 
Click SSL Client Profile >> Click Add to create a new one if one does not already exist.

Provide a name >> Deselect all Protocols except TLS version 1.1 and 1.2 >> Deselect Use SNI >> Choose an active Identification Credential from the list. This determines the local keys.
If no ID Creds exist, click “+” to create one. You will need access to the key files you want to use.

Choose an active Validation credentials object from the list.  

If no Val Creds exist, click “+” to create one. You will need access to the server certs you want to validate.

Click Apply >> Click Save Configuration.

Use this new SSL Client Profile when configuring a service, such as a Multi-Protocol Gateway or Web Service Proxy, to connect to other servers. If the remote server will not agree to TLS v1.2 or v1.1 and does not provide a certificate that is validated, the connection will not be established. 

To define mutual TLS connections when the DataPower device is the server, use the DataPower WebGUI at Objects >> Crypto Configuration.
 
Click SSL Server Profile >> Click Add to create a new one if one does not already exist.

Provide a name >> Deselect all Protocols except TLS version 1.1 and 1.2 >> Choose an active Identification Credential from the list. This determines the local keys.

If no ID Creds exist, click “+” to create one. You will need access to the key files you want to use.

Set Request client authentication to On >> Choose an active Validation credentials object from the list.

If no Val Creds exist, click “+” to create one. You will need access to the server certs you want to validate.

Click Apply >> Click Save Configuration.

Use this new SSL Server Profile when configuring an HTTPS Front Side Handler, which is in turn used by a service, such as a Multi-Protocol Gateway or Web Service Proxy to accept incoming requests. If the remote client will not agree to TLS v1.2 or v1.1 and does not provide a certificate that is validated, the connection will not be established. 

Replay filter(s). Use the WebGUI to define a replay filter processing action. From the DataPower WebGUI, click on then add a service type (e.g., Web Service Proxy). Add a policy (in this case, a Multi-Protocol gateway Policy). Create a processing rule. Add a Filter action. Specify "Replay Filter" as the method.

Network interface isolation: By default, the DataPower Gateway provides interface isolation: the appliance refuses to accept a packet on an interface other than the one bound to the destination address of the packet. Use the WebGUI at Network >> Interface >> Network Settings to configure a network interface.

The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

Description

Remediation - Manual Procedure