II - Mission Support Public
Rules and Groups employed by this XCCDF Profile
-
SRG-NET-000230-ALG-000113
Group -
The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.
The "Restrict to Single Client IP” is a safeguard against session hijacking or cookie theft. Even if an attacker manages to steal a session cookie, the cookie cannot be used from a different source...Rule Low Severity -
F5BI-AP-300158
Group -
The F5 BIG-IP appliance must be configured to set a Maximum Session Timeout value of eight hours or less.
The Maximum Session Timeout setting configures a limit on the maximum amount of time a user's session is active without needing to reauthenticate. If the value is set to zero, the user's session is...Rule Medium Severity -
SRG-NET-000510-ALG-000111
Group -
The F5 BIG-IP appliance must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards ...Rule High Severity -
SRG-NET-000512-ALG-000062
Group -
The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.
Without identifying and authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.Rule Medium Severity -
SRG-NET-000512-ALG-000062
Group -
The F5 BIG-IP appliance providing remote access intermediary services must disable split-tunneling for remote clients' VPNs.
Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. A VPN hardware or software c...Rule Medium Severity -
SRG-NET-000512-ALG-000062
Group -
The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.
Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management dif...Rule Medium Severity -
SRG-NET-000512-ALG-000062
Group -
The VPN Gateway must use Always On VPN connections for remote computing.
Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gateway is lost, hybrid-working users will simply be...Rule Medium Severity -
SRG-NET-000053-ALG-000001
Group -
The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or an organizational-defined number.
The "Max In Progress Sessions Per Client IP" setting in an APM Access Profile is a security configuration that limits the number of simultaneous sessions that can be initiated from a single IP addr...Rule Low Severity -
SRG-NET-000053-ALG-000001
Group -
The F5 BIG-IP appliance providing user access control intermediary services must limit the number of concurrent sessions to one or an organization-defined number for each access profile.
The "Max In Progress Sessions Per Client IP" setting in an APM Access Profile is a security configuration that limits the number of simultaneous sessions that can be initiated from a single IP addr...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.