Ensuring the system generates unique session identifiers
Rule Title: RiOS must generate unique session identifiers using a FIPS 140-2 approved random number generator.
STIG ID: RICX-DM-000141
Rule ID: SV-77479r1_rule
Severity: CAT II
Vuln ID: V-62989
Class: Unclass
An attacker can easily guess sequentially generated session IDs. Generating session identifiers randomly, so that each one is unique, helps protect against brute-force attempts to predict future session identifiers.
Unique session IDs address man-in-the-middle attacks, including session hijacking and the insertion of false information into a session. If the attacker cannot identify or guess the session information associated with pending application traffic, hijacking or otherwise manipulating valid sessions becomes considerably harder.
This requirement applies to devices that use a web interface for device management. The recommended best practice is that the FIPS license be installed and used.
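The following Python is an added illustration of the point above, not part of the STIG text or RiOS itself. It contrasts a counter-based session ID issuer with one backed by the operating system's CSPRNG (the `secrets` module) and runs a simple audit heuristic over the IDs each issues: a stream whose consecutive differences are all small and positive is flagged as predictable. The issuer and audit function names are hypothetical.

```python
"""Illustrative audit: are issued session identifiers predictable?

Added example, not RiOS code. Compares a counter-based issuer with a
CSPRNG-based one and applies a simple predictability heuristic to each.
"""
import secrets
from typing import Callable, List


def counter_issuer(start: int) -> Callable[[], int]:
    """Weak issuer (hypothetical): each new session ID is the previous one plus one."""
    value = start

    def issue() -> int:
        nonlocal value
        value += 1
        return value

    return issue


def random_issuer(nbytes: int = 16) -> Callable[[], int]:
    """Issuer backed by the OS CSPRNG; 16 bytes gives 128 bits of entropy per ID."""

    def issue() -> int:
        return int.from_bytes(secrets.token_bytes(nbytes), "big")

    return issue


def looks_sequential(ids: List[int], max_step: int = 1000) -> bool:
    """Audit heuristic: flag an ID stream whose consecutive differences are all
    small and positive, which is what a counter produces. A 128-bit CSPRNG
    stream fails this test with overwhelming probability."""
    if len(ids) < 3:
        return False  # too few samples to judge
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return all(0 < s <= max_step for s in steps)


def audit(issue: Callable[[], int], count: int = 10) -> dict:
    """Collect `count` IDs from an issuer and report whether they look predictable."""
    ids = [issue() for _ in range(count)]
    return {"predictable": looks_sequential(ids), "ids": ids}


if __name__ == "__main__":
    # Constructed run: the counter is flagged, the CSPRNG issuer is not.
    print("counter:", audit(counter_issuer(1000))["predictable"])
    print("csprng :", audit(random_issuer())["predictable"])
```

The heuristic is deliberately simple; real audits would also look at ID length and character set, but the point is that uniqueness alone is not enough and the generator must be unpredictable, which is what the FIPS 140-2 approved RNG requirement provides.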
Verifying the system generates unique session identifiers
Verify that RiOS is configured to generate unique session identifiers using a FIPS 140-2 approved random number generator.
1. Connect to the CLI and enter these commands:
enable
configuration terminal
show fips status
2. Verify that "FIPS Mode: Enabled" is displayed on the console. If "FIPS Mode: Enabled" is not displayed, this is a finding.
Configuring the system to generate unique session identifiers
Configure RiOS to generate unique session identifiers using a FIPS 140-2 approved random number generator.
1. Connect to the CLI and enter these commands:
enable
configuration terminal
fips enable
write memory
reload
show fips status
2. Verify that FIPS Mode: Enabled is displayed on the screen.
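Both the check procedure and the post-fix verification above come down to reading `show fips status` output for the line "FIPS Mode: Enabled". The Python below is an added example, not Riverbed code, that applies that test to captured output from several devices and produces checklist-style results. The only output string taken from the STIG text is "FIPS Mode: Enabled"; the sample captures and host names are constructed.

```python
"""Compliance check for RICX-DM-000141 over captured `show fips status` output.

Added example, not Riverbed code. The only output string taken from the STIG
text is "FIPS Mode: Enabled"; the sample captures below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample captures from three hypothetical devices.
SAMPLE_CAPTURES: Dict[str, str] = {
    "device-a": "FIPS Mode: Enabled\n",
    "device-b": "FIPS Mode: Disabled\n",
    "device-c": "",  # session dropped before any output was captured
}

_FIPS_MODE = re.compile(r"^\s*FIPS Mode:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def fips_mode_enabled(show_fips_output: str) -> bool:
    """True only when a 'FIPS Mode:' line is present and reads Enabled.

    Missing or unrecognised output is treated as not enabled (fail closed),
    so a broken capture can never yield a false 'compliant' result."""
    match = _FIPS_MODE.search(show_fips_output)
    return match is not None and match.group(1).lower() == "enabled"


def evaluate_device(host: str, show_fips_output: str) -> dict:
    """Return a checklist-style result for one device."""
    enabled = fips_mode_enabled(show_fips_output)
    return {
        "host": host,
        "stig_id": "RICX-DM-000141",
        "vuln_id": "V-62989",
        "status": "NotAFinding" if enabled else "Open",
        "detail": ("FIPS Mode: Enabled displayed" if enabled
                   else "FIPS Mode: Enabled not displayed"),
    }


def open_findings(captures: Dict[str, str]) -> List[str]:
    """Hosts that still need the fix procedure (fips enable, write memory, reload)."""
    return sorted(host for host, out in captures.items()
                  if evaluate_device(host, out)["status"] == "Open")


if __name__ == "__main__":
    for host, out in SAMPLE_CAPTURES.items():
        print(evaluate_device(host, out))
    print("Needs remediation:", open_findings(SAMPLE_CAPTURES))
```

Treating an empty or unexpected capture as Open rather than skipping it matters in practice: a device whose CLI session failed mid-check is exactly the one most likely to be missed, and the reload in the fix procedure means a verification pass is needed after the device comes back.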