Application Layer Gateway Rules: Ensuring secure pairing trust relationships for SSL
Rule Title: RiOS must protect the authenticity of communication sessions by configuring secure pairing trust relationships for SSL and secure protocols.
STIG ID: RICX-AG-000123
Rule ID: SV-77323r1_rule Severity: CAT II
Vuln ID: V-62833 Class: Unclass
Authenticity protection provides protection against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.
This authenticity protection control focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communication sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services and service-oriented architecture (SOA) will require the use of mutual authentication (that is, two-way or bidirectional).
Verifying the TLS version
Verify RiOS is configured to support TLS v1.1 as a minimum and preferably TLS v1.2.
1. Connect to the Management Console.
2. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
3. Scroll down to Peer Ciphers.
4. Verify that Peer Ciphers: Rank 1 contains the following string:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
5. Verify that Client Ciphers: Rank 1 contains the following string:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
6. Verify that Server Ciphers: Rank 1 contains the following string:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
If any of the above cipher lists contains strings or groups other than the one listed, this is a security vulnerability finding.
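Added example, not part of the STIG text or of Riverbed's software: a small Python audit that parses OpenSSL-style cipher strings as RiOS displays them and reports the three Rank 1 checks above as findings, run against a constructed sample configuration. The list names used as dictionary keys and the ranked-list layout are assumptions about how an administrator would transcribe the Advanced Settings page.

```python
from typing import Dict, List, Tuple

# Rank 1 cipher string the check requires for the Peer, Client and Server lists.
REQUIRED = "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL"
CIPHER_LISTS = ("Peer Ciphers", "Client Ciphers", "Server Ciphers")  # assumed keys
Group = Tuple[str, Tuple[str, ...]]  # (modifier, keywords), e.g. ('!', ('eNULL',))

def parse_cipher_string(spec: str) -> List[Group]:
    """Split an OpenSSL-style cipher string into its ordered ':' groups.
    'TLSv1.2+FIPS' -> ('', ('TLSv1.2', 'FIPS')): keywords ANDed with '+'.
    '!eNULL' -> ('!', ('eNULL',)): the '!' modifier removes that class for good.
    Order is significant in OpenSSL cipher strings, so a list is returned."""
    groups: List[Group] = []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        modifier = item[0] if item[0] in "!-+" else ""
        groups.append((modifier, tuple(item[len(modifier):].split("+"))))
    return groups

def audit_cipher_ranks(config: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return findings per cipher list (empty list = compliant). config maps a
    list name to its ranked cipher strings as shown on the Advanced Settings
    page, index 0 being Rank 1."""
    required = parse_cipher_string(REQUIRED)
    findings: Dict[str, List[str]] = {}
    for name in CIPHER_LISTS:
        ranks = config.get(name, [])
        issues: List[str] = []
        if not ranks:
            issues.append("no cipher string configured")
        elif parse_cipher_string(ranks[0]) != required:
            issues.append(f"Rank 1 is {ranks[0]!r}, expected {REQUIRED!r}")
        # Any further rank (e.g. a leftover Default Cipher String) is a string
        # beyond the one the check lists, so it is reported as a finding too.
        for rank, extra in enumerate(ranks[1:], start=2):
            issues.append(f"Rank {rank} holds extra string {extra!r}")
        findings[name] = issues
    return findings

# Constructed sample: Peer is compliant, Client kept the default string at
# Rank 2, Server still allows TLSv1 and lacks the !eNULL exclusion.
SAMPLE_CONFIG = {
    "Peer Ciphers": ["TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL"],
    "Client Ciphers": ["TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL", "DEFAULT"],
    "Server Ciphers": ["TLSv1+FIPS:kRSA+FIPS:!aNULL"],
}
```

Calling `audit_cipher_ranks(SAMPLE_CONFIG)` returns an empty list for Peer Ciphers and one finding each for Client Ciphers and Server Ciphers.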
Configuring TLS version for peer, client, and server ciphers
Configure RiOS to support TLS v1.1 as a minimum and preferably TLS v1.2.
1. Connect to the Management Console.
2. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
3. Click Add a New Peer Cipher, Add a New Client Cipher, and Add a New Server Cipher to expand the page.
4. Select this option from the Cipher drop-down list:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
5. Select 2 from the Insert Cipher At drop-down list.
6. Click Add.
7. Select the Rank 1 Default Cipher String check box and click Remove Selected to remove the default cipher string.
8. Repeat Step 4 through Step 7 for Client Ciphers and Server Ciphers.
9. Click Save at the top of the page to save your settings permanently.