Overview of STIGs
This chapter provides an overview of the Security Technical Implementation Guides (STIGs). It includes these sections:
What Are STIGs?
Riverbed, working with the Department of Defense (DoD) and the Defense Information Systems Agency (DISA), has developed the Riverbed SteelHead STIG. A STIG is the configuration guide for deploying Riverbed products into a DoD environment so that they qualify as an Information Assurance (IA) or IA-enabled device (that is, the operating system, network appliance, application, software, and so on). The STIG outlines the recommended procedures, configuration steps, and administrative activities that should be followed to secure the SteelHead.
The SteelHead WAN optimization solution consists of the Riverbed Optimization System (RiOS) software and the SteelHead hardware or virtual appliance. The primary difference between the hardware appliances in the series is the number of WAN ports available and bandwidth capabilities. The RiOS software can also be hosted on a customer-provided host and implemented using a virtual appliance.
While the SteelHead v8.6 Network Device Management (NDM) STIG can be used to secure the management functions of all SteelHead products that use RiOS 8.x.x, the scope of the application layer gateway (ALG) STIG includes only SteelHead CX implementations.
For detailed information about the DoD Instruction (DoDI) 8500.01, see the SteelHead STIG on the DoD Cyber Exchange website at http://public.cyber.mil/stigs.
Understanding Vulnerability Severity Category Code Definitions
Severity Category Codes (referred to as CAT) are a measure of vulnerabilities used to assess a facility or system security posture. Each security policy specified in this document is assigned a Severity Category Code of CAT I, II, or III.
Severity | DISA Category Code Guidelines |
CAT I | Any vulnerability that will directly and immediately result in loss of confidentiality, availability, and integrity when exploited. |
CAT II | Any vulnerability that has a potential to result in loss of confidentiality, availability, and integrity when exploited. |
CAT III | Any vulnerability that degrades measures to protect against loss of confidentiality, availability, and integrity when exploited. |
Obtaining the SteelHead STIG
You can obtain the SteelHead STIG from the DoD Cyber Exchange website at https://public.cyber.mil/stigs. This website contains the latest copies of the STIGs, Security Requirement Guides (SRG), and other related security information.
Security Assessment Considerations
Two STIGs are packaged together to ensure both the network backplane and the WAN optimization functions are secured. The SteelHead 8.6 NDM STIG contains requirements which address the management and backplane functions of RiOS. RiOS is installed on all of the Riverbed SteelHead products. While the SteelHead v8.6 Network Device Management (NDM) STIG can be used to secure the management functions of all SteelHead products that use RiOS 8.x.x, the scope of the application layer gateway (ALG) STIG includes only SteelHead CX implementations.
For assessments using the SteelHead virtual appliance, an assessment of the host using the applicable operating system STIG (for example, Windows or Linux) must be performed. An assessment of applications cohosted on the host is also required.
Overview of the SteelHead
WAN optimization is an important part of the enterprise network strategy. With the increasing move to enterprise and cloud services, applications are being migrated to data centers or the Cloud, which moves them farther away from users. The need for access by remote and mobile users also drives the increasing need to prevent the WAN from being a performance bottleneck.
The SteelHead provides WAN optimization at OSI Layers 1, 4, and 7 to perform three major functions: data, transport, and application streamlining. RiOS combines data reduction and compression to perform data streamlining, reducing bandwidth. Transport and application streamlining minimize protocol and application communication redundancy by reducing packet round trips.
The SteelHead WAN optimization solution can also be configured to provide path optimization and Quality of Service (QoS). An organization can optimize some or the entire available network communications path, depending on the architecture implemented. Organizations can assign each optimized application a QoS class and can granularly assign each application class to a path. This configuration can be leveraged to create primary and secondary paths to each application based on the priority or other characteristics of the traffic. This path selection system also ensures bandwidth failover of the primary communications pathway.
SteelHead Deployments
Optimally, the SteelHead must be architecturally placed at the perimeter of the network in front of the perimeter router and in-line. Thus, traffic must be directed for firewall and Intrusion Detection and Prevention System (IDPS) inspection for inbound and outbound traffic in compliance with DoD policy. Additionally, from an operational perspective, this architecture avoids the need to open many ports and services in the firewall to accommodate TCP options 76 and 78 and ports 7800, 7810, and 7870. Some other configurations might involve even more ports and services.
When the solution is implemented using a SteelHead hardware appliance consisting of RiOS installed on the SteelHead, administrators are not able to install any software that is not part of a Riverbed upgrade. RiOS enforces this feature by performing a validity check when an upgrade is attempted.
However, the RiOS application suite is available in a virtual appliance version, which can be installed on an organization-provided host. This type of implementation adds risk because more ports might need to be opened in the firewall if placed in the recommended logical position in the architecture after the router and before the firewall and IDPS. The traffic should then be routed for inspection after traversing the WAN optimizer.
Additional SteelHead Security Best Practices
As a supplement to this guide, consult Securing SteelHeads in the SteelHead Deployment Guide 9.1 or later. This guide provides additional guidance regarding security best practices for SteelHead deployments.
Connecting to the Management Console and the Command Line Interface
Throughout this guide you will perform procedures to ensure security compliance using the SteelHead Management Console and the command line interface (CLI). This guide assumes that you are familiar with installing and configuring the SteelHead appliance.
For detailed information about installing and running the initial configuration wizard, see the SteelHead Installation Guide for SteelHead at https://support.riverbed.com/content/support/software/steelhead/cx-appliance.html.
For detailed information about configuring the SteelHead, see the SteelHead User Guide at https://support.riverbed.com/content/support/software/steelhead/cx-appliance.html.
Connecting to the Management Console
To connect to the Management Console you must know the URL and administrator password that you assigned in the configuration wizard of the SteelHead appliance. For details, see the SteelHead Installation Guide.
To connect to the Management Console
1. Specify the URL for the Management Console in the address bar of your web browser:
<protocol>://<host>.<domain>
<protocol> is HTTPS. HTTPS uses the SSL protocol to ensure a secure environment. When you connect using HTTPS, the system prompts you to inspect and verify the approved DoD SSL certificate. Self-signed certificates are not approved for use in DoD. You must use a DoD-approved Certificate Authority.
<host> is the hostname you assigned to the SteelHead appliance primary interface in the configuration wizard. If your DNS server maps that IP address to a name, you can specify the DNS name.
<domain> is the full domain name for the appliance.
Alternatively, you can specify the IP address instead of the host and domain name.
The Management Console appears, displaying the Login page.
2. In the Username text box, specify the user login from a RADIUS or TACACS+ database, or any local accounts created using the Role-Based Accounts feature.
Users with administrator (admin) privileges can configure and administer the SteelHead appliance. Users with monitor (monitor) privileges can view the SteelHead appliance reports, user logs, and change their own password. A monitor user cannot make configuration changes.
3. In the Password text box, specify the password you assigned in the configuration wizard of the SteelHead appliance.
4. Click Log In to display the Home page.
For detailed information about configuring SteelHead features, see the SteelHead User Guide.
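The certificate requirement in step 1, as an added example that is not part of the Riverbed guide: a shell check that a saved Management Console certificate is not self-signed and chains to an approved CA bundle. The file names and the HOST placeholder are assumptions; the bundle is whatever set of approved CA certificates you already hold.

```shell
#!/bin/sh
# Added example: audit a Management Console certificate saved as a PEM file.
# One way to save the certificate the console presents (HOST is a placeholder):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 > console.pem

# Print the subject or issuer DN of a PEM certificate without its label.
# $1 = subject | issuer, $2 = certificate file
cert_field() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1=[ ]*//"
}

# Return 0 when subject and issuer are identical, the mark of a self-signed
# (self-issued) certificate.
is_self_signed() {
    [ "$(cert_field subject "$1")" = "$(cert_field issuer "$1")" ]
}

# Return 0 only if the certificate is not self-signed AND chains to the bundle.
# $1 = certificate, $2 = approved CA bundle (PEM), $3 = optional intermediates
check_console_cert() {
    cert=$1; bundle=$2; inter=${3:-}
    if is_self_signed "$cert"; then
        echo "FAIL: self-signed certificate: $(cert_field subject "$cert")"
        return 1
    fi
    # -no-CApath keeps the system trust directory out of the decision.
    if [ -n "$inter" ]; then
        openssl verify -no-CApath -CAfile "$bundle" -untrusted "$inter" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1
    fi || { echo "FAIL: does not chain to the approved CA bundle"; return 1; }
    echo "PASS: issued by $(cert_field issuer "$cert")"
}

# Run directly: sh check_console_cert.sh console.pem approved-ca-bundle.pem
if [ "$#" -ge 2 ]; then check_console_cert "$@"; fi
```

A browser that trusts the same CA bundle performs the chain check itself; the script is useful for auditing many appliances or for recording the result as assessment evidence.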
Connecting to the CLI
This section assumes you have already performed the initial setup of the appliance using the configuration wizard. For detailed information, see the SteelHead Installation Guide.
To connect to the CLI
1. You can connect to the CLI using one of the following options:
– An ASCII terminal or emulator that can connect to the serial console. It must have the following settings: 9600 baud, 8 bits, no parity, 1 stop bit, and no flow control.
– A computer with an SSH client that is connected to the appliance Primary port. (In rare cases, you might connect through the Auxiliary port.)
2. At the system prompt, enter the following command if the appliance hostname resolves in your local DNS:
ssh admin@<host>.<domain>
Otherwise, at the system prompt, enter the following command:
ssh admin@<ipaddress>
3. When prompted, enter the administrator password. This is the password you set during the initial configuration process.