Welcome
About document conventions
About documentation and release notes
Contacting Riverbed
About Security Technical Implementation
Understanding Vulnerability Severity Category Code Definitions
Obtaining the SteelHead STIG
Security Assessment Considerations
Overview of the SteelHead
SteelHead Deployments
Additional SteelHead Security Best Practices
Connecting to the Management Console and the Command Line Interface
Connecting to the Management Console
Connecting to the CLI
Network Device Management Rules
About automated support for account management
About automated support for account management settings
Configuring automated support for account management
Verifying automated support for account management
Ensuring local shared and group account credentials are terminated
Verifying local shared and group account credentials are terminated
Terminating local shared and group account credentials
Ensuring that the monitor and shark accounts are disabled
Verifying that the monitor and shark accounts are disabled
Disabling the monitor and shark accounts
Ensuring the correct privilege level for administrators
Verifying that administrators have the correct security privileges
Configuring correct security privileges for administrators
Ensuring log events are generated when accounts are created
Verifying log events are generated when accounts are created
Generating log events when accounts are created
Ensuring log events are generated when accounts are modified
Verifying log events are generated when accounts are modified
Generating log events when accounts are modified
Ensuring log events are generated when accounts are disabled
Verifying log events are generated when accounts are disabled
Generating logging events when accounts are disabled
Ensuring log events are generated when accounts are removed
Verifying log events are generated when accounts are removed
Generating log events when accounts are removed
Ensuring log events are generated when privileged commands are executed
Verifying log events are generated when commands are executed
Generating log events when commands are executed
Ensuring log events of privileged commands are generated
Verifying log events are generated for privileged commands
Generating log events for privileged commands
Protecting audit information
Verifying the system is protecting audit information
Configuring the system to protect audit information
Protecting audit information from unauthorized modification
Verifying audit information is protected from unauthorized modification
Configuring the system to protect audit information from unauthorized modification
Protecting audit information from unauthorized deletion
Verifying audit information is protected from unauthorized deletion
Configuring the system to protect audit information from unauthorized deletion
Protecting audit tools from unauthorized access
Verifying audit tools are protected from unauthorized access
Configuring the system to protect audit tools from unauthorized access
Protecting audit tools from unauthorized deletion
Verifying audit tools are protected from unauthorized deletion
Configuring the system to protect audit tools from unauthorized deletion
Generating audit records
Verifying if the system is generating audit records
Configuring the system to generate audit records
Ensuring auditable events are configured by the ISSM
Verifying the system restricts permissions on auditable events
Configuring the system to restrict permissions on auditable events
Generating SNMP alerts when local accounts are created
Verifying that administrators have the correct security privileges
Configuring the correct security privileges for administrators
Generating SNMP alerts when accounts are modified
Verifying servers are configured as trap receivers
Configuring servers as trap receivers
Generating SNMP alerts when accounts are disabled
Verifying servers are configured as trap receivers
Configuring servers as trap receivers
Generating SNMP alerts when accounts are removed
Verifying servers are configured as trap receivers
Configuring servers as trap receivers
Generating email alerts
Verifying the system is generating email alerts
Configuring the system to generate email alerts
Ensuring SNMP alerts are generated if logging fails
Verifying servers are configured as trap receivers
Configuring host servers as trap receivers
Ensuring limited login attempts
Verifying the system is configured for a limited number of login attempts
Configuring the system for a limited number of login attempts
Ensuring limited login attempts for web-based management
Verifying the system is configured for a limited number of login attempts
Configuring the system for a limited number of login attempts
Ensuring the system locks after three unsuccessful login attempts
Verifying the system locks after three login attempts
Configuring the system to lock after three login attempts
Ensuring the login message displays the DoD notice
Verifying the system displays the DoD notice as the login message
Configuring the system to display the DoD notice as the login message
Limiting concurrent sessions for each administrator
Verifying concurrent sessions are limited
Configuring limited concurrent sessions
Ensuring administrator sessions are terminated
Verifying administrator sessions are terminated
Configuring administrator sessions to terminate
Ensuring time stamps are mapped to coordinated universal time
Verifying the system is configured for UTC
Configuring the system for UTC
Ensuring system clocks are secure
Verifying system clocks are secure
Configuring system clocks for security
NTP settings
Ensuring logging of system changes
Verifying logging of changes to the system
Configuring logging of changes to the system
Ensuring secure passwords
Verifying passwords are secured
Configuring a password policy
Ensuring the system backs up configuration files
Verifying the system backs up configuration files
Configuring the system to back up configuration files
Ensuring the system implements replay-resistant authentication
Verifying the system implements replay-resistant authentication
Configuring the system to implement replay-resistant authentication
Ensuring the system authenticates endpoint devices
Verifying the system authenticates endpoint devices
Configuring the system to authenticate endpoint devices
Ensuring centrally managed authentication settings
Verifying centrally managed authentication settings
Configuring centrally managed authentication
TACACS+ settings
RADIUS settings
Global default key settings
Ensuring authentication settings are applied
Verifying that authentication settings are centrally applied
Configuring the system to centrally apply authentication settings
Ensuring authentication settings are centrally verified
Verifying that authentication settings are centrally verified
Configuring the system to centrally verify authentication settings
Ensuring the system prohibits use of nonsecure functions
Verifying the system prohibits use of nonsecure functions
Configuring the system to prohibit use of nonsecure functions
About management ACL settings
Ensuring the system authenticates SNMP servers before establishing a connection
Verifying the system authenticates SNMP servers before establishing a connection
Configuring the system to authenticate SNMP servers before establishing a connection
Ensuring the system authenticates NTP servers
Verifying the system authenticates NTP servers
Configuring the system to authenticate NTP servers
NTP server and key settings
Ensuring the correct password length
Verifying the correct password length
Configuring the correct password length
Ensuring passwords have an uppercase character
Verifying passwords have an uppercase character
Configuring passwords to have an uppercase character
Ensuring passwords have a lowercase character
Verifying passwords have a lowercase character
Configuring passwords to have a lowercase character
Ensuring passwords have a numeric character
Verifying passwords have a numeric character
Configuring passwords to have a numerical character
Ensuring passwords have a special character
Verifying passwords have a special character
Configuring passwords to have a special character
Ensuring at least 15 password characters are changed
Verifying at least 15 password characters are changed
Configuring passwords so that at least 15 password characters are changed
Ensuring passwords enforce 60-day maximum lifetime
Verifying passwords enforce 60-day maximum lifetime
Configuring passwords to enforce 60-day maximum lifetime
Prohibiting password reuse for five generations
Verifying password is not reused for five generations
Configuring passwords to not be reused for five generations
Ensuring the system is using FIPS 140-2 cryptographic modules
Verifying the system is using FIPS 140-2 cryptographic modules
Configuring the system to use FIPS 140-2 cryptographic modules
Ensuring maintenance functions are restricted
Verifying that maintenance functions are restricted
Configuring the system so that maintenance functions are restricted
Ensuring nonlocal maintenance is restricted
Verifying nonlocal maintenance is restricted
Configuring the system so that nonlocal maintenance is restricted
Ensuring applications implement cryptographic mechanisms
Verifying applications implement cryptographic mechanisms
Configuring applications to implement cryptographic mechanisms
Ensuring the system terminates network connections
Verifying the system terminates network connections
Configuring the system to terminate network connections
Ensuring the system obtains approved public key certificates
Verifying the system obtains approved public key certificates
Configuring the system to obtain approved public key certificates
Ensuring the system generates unique session identifiers
Verifying the system generates unique session identifiers
Configuring the system to generate unique session identifiers
Ensuring the system protects against denial-of-service attacks
Verifying the system protects against denial-of-service attacks
Configuring the system to protect against denial-of-service attacks
Management ACL rule settings
Ensuring the system generates alerts to security personnel
Verifying the system generates alerts to security personnel
Configuring the system to generate alerts to security personnel
Ensuring applications only reveal error messages to authorized personnel
Verifying the system restricts error messages
Configuring the system to restrict error messages
Application Layer Gateway Rules
Ensuring firewall, intrusion, and prevention systems are in compliance
Verifying SteelHead placement for firewall and IDPS security requirements
Deploying SteelHeads for firewall and IDPS security requirements
Ensuring signed SMB and encrypted MAPI protect the integrity of the data
Verifying the SMB and MAPI security settings
Configuring the SMB and MAPI security settings
Ensuring private keys stay in the data center
Verifying end-to-end SSL security settings
Configuring end-to-end SSL security settings
Ensuring secure pairing trust relationships for SSL
Verifying the TLS version
Configuring TLS version for peer, client, and server ciphers
Ensuring RFC 5280-compliant certification path validation
Verifying certificate path validation is configured
Configuring certificate path validation
Ensuring NIST FIPS-validated cryptography to protect the confidentiality of TLS
Verifying the TLS version support
Configuring TLS version for peer, client, and server ciphers
Ensuring FIPS-approved management of private and secret cryptographic keys
Configuring TLS for National Institute of Standards and Technology Special Publication (NIST SP) 800-52
Verifying the TLS version
Configuring TLS version support
NIST FIPS-validated cryptography to protect the integrity of remote access sessions
Verifying the management of cryptographic keys
Configuring the management of cryptographic keys
Ensuring unnecessary services are not enabled on the host
Verifying unnecessary services are not enabled on the host
Disabling unnecessary services on the host
Ensuring unnecessary services and functions are not enabled
Verifying unnecessary services are not enabled
Disabling unnecessary services
Ensuring Protocols, Ports, and Services compliance
Verifying PPSM CAL compliance
Achieving PPSM CAL compliance
Index
SteelHead™ Security Technical Implementation Guides (STIGs)