Application Layer Gateway Rules : NIST FIPS-validated cryptography to protect the integrity of remote access sessions
Rule Title: RiOS must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
STIG ID: RICX-AG-000042
Rule ID: SV-77313r1_rule Severity: CAT II
Vuln ID: V-62823 Class: Unclass
Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections, and proxied remote encrypted traffic (for example, TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs that provide remote access proxy services as part of their intermediary services (for example, an OWA or TLS gateway).
Verifying the management of cryptographic keys
Verify that RiOS is configured to support FIPS-approved key management technology and processes in the production and control of private and secret cryptographic keys. On RiOS this is checked through the SSL optimization cipher lists: the Peer, Client, and Server lists must each be restricted to the single TLS 1.2 FIPS cipher string below.
1. Connect to the Management Console.
2. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
3. Scroll down to Peer Ciphers.
4. Verify that Peer Ciphers: Rank 1 contains the following string:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
5. Verify that Client Ciphers: Rank 1 contains the following string:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
6. Verify that Server Ciphers: Rank 1 contains the following string:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
If any of the three cipher lists contains a cipher string other than the one listed above, or contains additional entries beyond Rank 1, this is a finding.
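The string above is OpenSSL cipher-list syntax: `TLSv1.2+FIPS` selects suites that are both TLS 1.2 and FIPS-approved, `kRSA+FIPS` adds FIPS suites using static RSA key transport (note that kRSA suites provide no forward secrecy; the STIG accepts them here), and `!eNULL:!aNULL` permanently removes suites with no encryption or no authentication. The following script is an added example, not part of the STIG or of RiOS, that applies the check above mechanically to exported cipher-list settings. The sample configurations, the list names `Peer`/`Client`/`Server`, and the placeholder `DEFAULT` string are constructed for illustration; on a real appliance the default cipher string has a different value.

```python
"""Added example: apply the RICX-AG-000042 cipher-string check to RiOS settings.

The sample cipher-list settings below are constructed for illustration; they are
not exported from a real appliance.
"""
from __future__ import annotations

from dataclasses import dataclass

# The string the STIG requires at Rank 1 of the Peer, Client and Server lists.
REQUIRED_CIPHER_STRING = "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL"

# Keywords that must never appear un-negated in a FIPS-constrained list.
FORBIDDEN_IF_ENABLED = {"eNULL", "aNULL", "NULL", "EXPORT", "LOW", "MD5", "RC4", "DES", "SSLv3"}


@dataclass(frozen=True)
class Finding:
    cipher_list: str   # "Peer", "Client" or "Server"
    rank: int
    configured: str
    reason: str


def parse_cipher_string(spec: str) -> list[tuple[str, frozenset[str]]]:
    """Split an OpenSSL-style cipher string into ordered groups.

    Each group becomes (modifier, keywords): the modifier is '!' (delete
    permanently), '-' (delete, may be re-added later), '+' (move to end) or ''.
    Keywords joined by '+' inside a group are ANDed, so their order does not
    matter and they are kept as a frozenset. Surrounding whitespace is ignored.
    """
    groups = []
    for raw in spec.split(":"):
        group = raw.strip()
        if not group:
            continue
        modifier = group[0] if group[0] in "!-+" else ""
        keywords = frozenset(group[len(modifier):].split("+"))
        groups.append((modifier, keywords))
    return groups


def check_cipher_list(name: str, ranked: list[str]) -> list[Finding]:
    """Apply the STIG rule to one list: Rank 1 must equal the required string
    and nothing else may be present. Negated forbidden keywords are fine;
    un-negated ones are reported with a specific reason."""
    if not ranked:
        return [Finding(name, 0, "", "cipher list is empty")]
    required = parse_cipher_string(REQUIRED_CIPHER_STRING)
    findings: list[Finding] = []
    for rank, spec in enumerate(ranked, start=1):
        parsed = parse_cipher_string(spec)
        enabled = {kw for mod, kws in parsed if mod not in ("!", "-") for kw in kws}
        weak = sorted(enabled & FORBIDDEN_IF_ENABLED)
        if weak:
            findings.append(Finding(name, rank, spec, "enables weak keyword(s): " + ", ".join(weak)))
        elif rank == 1 and parsed != required:
            findings.append(Finding(name, rank, spec, "Rank 1 is not the required FIPS cipher string"))
        elif rank > 1:
            findings.append(Finding(name, rank, spec, "extra cipher string beyond Rank 1"))
    return findings


def audit(config: dict[str, list[str]]) -> list[Finding]:
    """Check the Peer, Client and Server lists and return every finding."""
    findings: list[Finding] = []
    for name in ("Peer", "Client", "Server"):
        findings.extend(check_cipher_list(name, config.get(name, [])))
    return findings


# Constructed samples: a compliant appliance, and one caught mid-way through the
# configuration procedure (required string inserted at Rank 2 with the placeholder
# default still at Rank 1) whose Server list also lost the '!' in front of eNULL.
COMPLIANT = {k: [REQUIRED_CIPHER_STRING] for k in ("Peer", "Client", "Server")}
NONCOMPLIANT = {
    "Peer": ["DEFAULT", REQUIRED_CIPHER_STRING],
    "Client": ["TLSv1.2+FIPS : kRSA+FIPS : !eNULL : !aNULL"],  # whitespace only, still compliant
    "Server": ["TLSv1.2+FIPS:kRSA+FIPS:eNULL:!aNULL"],
}

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        result = audit(cfg)
        print(f"{label}: {'no findings' if not result else ''}")
        for f in result:
            print(f"  {f.cipher_list} rank {f.rank}: {f.reason} ({f.configured!r})")
```

The comparison is done on the parsed groups rather than on the raw text, so cosmetic whitespace does not produce a false finding, while a missing `!` (which turns "remove eNULL" into "enable eNULL") is reported as a weak-keyword finding rather than a mere mismatch.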
Configuring the management of cryptographic keys
Configure RiOS to support FIPS-approved key management technology and processes in the production and control of private and secret cryptographic keys.
1. Connect to the Management Console.
2. Choose Optimization > SSL: Advanced Settings to display the Advanced Settings page.
3. Click Add a New Peer Cipher, Add a New Client Cipher, and Add a New Server Cipher to expand the page.
4. Select this option from the Cipher drop-down list:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
5. Select 2 from the Insert Cipher At drop-down list. (The default cipher string still occupies Rank 1 at this point; it is removed in Step 7, which moves the new string to Rank 1.)
6. Click Add.
7. Select the Rank 1 Default Cipher String check box and click Remove Selected to remove the default cipher string.
8. Repeat Step 4 through Step 7 for Client Ciphers and Server Ciphers.