Skip to content

If TLS optimization is used, the Riverbed Optimization System (RiOS) providing Signed SMB and/or Encrypted MAPI must ensure the integrity and confidentiality of data transmitted over the WAN.

An XCCDF Rule

Description

<VulnDiscussion>Protecting the end-to-end security of TLS is required to ensure integrity and confidentiality of the data in transit. Signed SMB and encrypted MAPI traffic use techniques to protect against unauthorized man-in-the-middle devices from making modifications to their exchanged data. Additionally, encrypted MAPI traffic and encrypted SMB3 traffic ensure data confidentiality by transmitting data with protection across the network. To securely optimize this traffic, a properly configured client and server-side SteelHead appliance with the SteelHead WAN optimization platform must: - decrypt and remove signatures on received LAN side data from the client or server. - perform bandwidth and application layer optimization. - use the secure inner channel feature to maintain data integrity and confidentiality of data transmitted over the WAN. - convert the received optimized data back to its native form. - encrypt and apply signatures for LAN side transmission of data to the client or server. To query the Windows domain controller for the necessary cryptographic information to optimize this traffic, the server-side SteelHead appliance must join a Windows domain. The SteelHead appliance can require other configurations, both on the SteelHead appliance, and in the Windows domain. This cryptographic information is only useful for the lifetime of an individual connection or session. The information is obtained at the beginning of a connection, and transferred to the client-side SteelHead appliance as needed, using the secure inner channel feature. You must configure the secure inner channel to ensure maximum security. Only the server-side SteelHead appliance is required to join the domain, and it does so using a machine account in the same way that a Windows device joins the domain using a machine account. The SteelHead appliance joins the domain this way to obtain a client user session key (CUSK) or server user session key (SUSK), which allows the SteelHead appliance to sign and/or decrypt MAPI on behalf of the Windows user that is establishing the relevant session. The server-side SteelHead appliance must join a domain that is either: - the user domain. The domain must have a trust with the domains that include the application servers (file server, Exchange server, and so on) you want to optimize. - A domain with a bi-directional trust with the user domain. The domain might include some or all of the Windows application servers (file server, Exchange server) for SteelHead appliance optimization. Production deployments can have multiple combinations of client and server Windows operating system versions, and can include different configuration settings for signed SMB and encrypted MAPI. NTLM is not approved for use for DoD implementations. Therefore it is possible that the security authentication between clients and servers can use Kerberos, or a combination of the two.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-77277r1_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

On the Server-Side SteelHead appliance Navigate to the device Management Console.

Navigate to Configure >> Optimization >> Windows Domain Auth
Under Kerberos select "Add a New User"
Enter the "Active Directory Domain Name".
Enter the UserID in "Domain Login:".