•  Welcome
  • Audience
  • Document conventions
  • Contacting Riverbed
•  Overview of STIGs
  • What Are STIGs?
  • Understanding Vulnerability Severity Category Code Definitions
  • Obtaining the SteelHead STIG
  • Security Assessment Considerations
  •  Overview of the SteelHead
    • SteelHead Deployments
  • Additional SteelHead Security Best Practices
  •  Connecting to the Management Console and the Command Line Interface
    • Connecting to the Management Console
    • Connecting to the CLI
•  Network Device Management Rules
  •  Account Management
    • Ensuring Automated Support for Account Management
    • Ensuring Local Shared and Group Account Credentials Are Terminated
    • Ensuring that the Monitor and Shark Accounts Are Disabled
    • Ensuring the Correct Privilege Level for Administrators
  •  System Auditing (Logging)
    • Generating Log Events When Accounts Are Created
    • Generating Log Events When Accounts Are Modified
    • Generating Log Events When Accounts Are Disabled
    • Generating Log Events When Accounts Are Removed
    • Generating Log Events When Privileged Commands Are Executed
    • Generating Log Events of Privileged Commands
    • Protecting Audit Information
    • Protecting Audit Information from Unauthorized Modification
    • Protecting Audit Information from Unauthorized Deletion
    • Protecting Audit Tools from Unauthorized Access
    • Protecting Audit Tools from Unauthorized Deletion
    • Generating Audit Records
    • Ensuring Auditable Events Are Configured by the ISSM
  •  Alerts and Events
    • Generating SNMP Alerts When Local Accounts Are Created
    • Generating SNMP Alerts When Accounts Are Modified
    • Generating SNMP Alerts When Accounts Are Disabled
    • Generating SNMP Alerts When Accounts Are Removed
    • Generating Email Alerts
    • Ensuring SNMP Alerts Are Generated if Logging Fails
  •  System Administration
    • Ensuring Limited Login Attempts
    • Ensuring Limited Login Attempts for Web-Based Management
    • Ensuring the System Locks After Three Unsuccessful Login Attempts
    • Ensuring the Login Message Displays the DoD Notice
    • Limiting Concurrent Sessions for Each Administrator
    • Ensuring Administrator Sessions Are Terminated
    • Ensuring Time Stamps Are Mapped to Coordinated Universal Time
    • Ensuring System Clocks are Secure
    • Ensuring Logging of System Changes
    • Ensuring Secure Passwords
    • Ensuring the System Backs Up Configuration Files
    • Ensuring the System Implements Replay-Resistant Authentication
    • Ensuring the System Authenticates Endpoint Devices
    • Ensuring Centrally Managed Authentication Settings
    • Ensuring Authentication Settings Are Applied
    • Ensuring Authentication Settings Are Centrally Verified
    • Ensuring the System Prohibits Use of Nonsecure Functions
    • Ensuring the System Authenticates SNMP Servers Before Establishing a Connection
    • Ensuring the System Authenticates NTP Servers
    • Ensuring the Correct Password Length
    • Ensuring Passwords Have an Uppercase Character
    • Ensuring Passwords Have a Lowercase Character
    • Ensuring Passwords Have a Numeric Character
    • Ensuring Passwords Have a Special Character
    • Ensuring at Least 15 Password Characters Are Changed
    • Ensuring Passwords Enforce 60-Day Maximum Lifetime
    • Prohibiting Password Reuse for Five Generations
    • Ensure the System is Using FIPS 140-2 Cryptographic Modules
    • Ensuring Maintenance Functions Are Restricted
    • Ensuring Nonlocal Maintenance Is Restricted
    • Ensuring Applications Implement Cryptographic Mechanisms
    • Ensuring the System Terminates Network Connections
    • Ensuring the System Obtains Approved Public Key Certificates
    • Ensuring the System Generates Unique Session Identifiers
    • Ensuring the System Protects Against Denial of Service Attacks
    • Ensuring the System Generates Alerts to Security Personnel
    • Ensuring Applications Only Reveal Error Messages to Authorized Personnel
•  Application Layer Gateway Rules
  •  Firewall and IDPS Compliance
    • Ensuring the Firewall and Intrusion Detection and Prevention Systems (IDPS) Are in Compliance
  •  SMB and Encrypted MAPI
    • Ensuring Signed SMB and Encrypted MAPI Protect the Integrity of the DATA
  •  SSL and CRL Security
    • Ensuring Private Keys Stay in the Data Center
    • Ensuring Secure Pairing Trust Relationships for SSL
    • Ensuring RFC 5280-Compliant Certification Path Validation
  •  TLS Versions and FIPS Approved Key Management
    • Ensuring NIST FIPS-Validated Cryptography to Protect the Confidentiality of TLS
    • Ensuring FIPS-Approved Management of Private and Secret Cryptographic Keys
    • Configuring TLS Settings for National Institute of Standards and Technology Special Publication (NIST SP) 800-52
    • NIST FIPS-Validated Cryptography to Protect the Integrity of Remote Access Sessions
  •  Device and Host Security
    • Ensuring Unnecessary Services Are Not Enabled on the Host
    • Ensuring Unnecessary Services and Functions Are Not Enabled
    • Ensuring Protocols, Ports, and Service Management, Category Assurance Levels (PPSM) Category Assurance Levels (CAL) Compliance
• Index

SteelHead™ Security Technical Implementation Guides (STIGs)

Index