From 383dd9d51ac3a03f9ffa87ae434bdb120326d5e2 Mon Sep 17 00:00:00 2001 From: Automated Update Date: Fri, 8 Nov 2024 00:03:38 +0000 Subject: [PATCH] Update Benchmarks --- ...working_AOS_NDM_STIG_V1R1_Manual-xccdf.xml | 553 ++++++++++++++++ ...working_AOS_VPN_STIG_V1R1_Manual-xccdf.xml | 600 ++++++++++++++++++ ...ng_AOS_Wireless_STIG_V1R1_Manual-xccdf.xml | 290 +++++++++ stigs.json | 20 +- 4 files changed, 1456 insertions(+), 7 deletions(-) create mode 100644 benchmarks/DISA/U_HPE_Aruba_Networking_AOS_NDM_STIG_V1R1_Manual-xccdf.xml create mode 100644 benchmarks/DISA/U_HPE_Aruba_Networking_AOS_VPN_STIG_V1R1_Manual-xccdf.xml create mode 100644 benchmarks/DISA/U_HPE_Aruba_Networking_AOS_Wireless_STIG_V1R1_Manual-xccdf.xml diff --git a/benchmarks/DISA/U_HPE_Aruba_Networking_AOS_NDM_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_HPE_Aruba_Networking_AOS_NDM_STIG_V1R1_Manual-xccdf.xml new file mode 100644 index 000000000..564e3d5fb --- /dev/null +++ b/benchmarks/DISA/U_HPE_Aruba_Networking_AOS_NDM_STIG_V1R1_Manual-xccdf.xml 
@@ -0,0 +1,553 @@ +acceptedHPE Aruba Networking AOS NDM Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 22 Oct 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-NET-000371-VPN-001640<GroupDescription></GroupDescription>ARBA-VN-001640AOS, when used as an IPsec VPN Gateway, must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.<VulnDiscussion>PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. + +The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey or key regeneration procedure is very important. The phase 2 rekey can be performed with or without Perfect Forward Secrecy (PFS). With PFS, every time a new IPsec Security Association is negotiated during the Quick Mode, a new Diffie-Hellman (DH) exchange occurs. 
The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce} from phase 1 for generating a new IPsec session key. If PFS is not used, the IPsec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised. + +The DH exchange is performed in the same manner as was done in phase 1 (Main or Aggressive Mode). However, the phase 2 exchange is protected by encrypting the phase 2 packets with the key derived from the phase 1 negotiation. Because DH negotiations during phase 2 are encrypted, the new IPsec session key has an added element of secrecy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-002418Configure AOS with the following commands: +configure terminal +crypto-local ipsec-map <map name> <priority #> +set pfs group 19 +exit +write memoryVerify the AOS configuration with the following command: +show crypto-local ipsec-map + +If each active IPsec map does not show PFS enabled, this is a finding.SRG-NET-000063-VPN-000220<GroupDescription></GroupDescription>ARBA-VN-000220AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.<VulnDiscussion>Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. 
+ +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. + +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. + +Satisfies: SRG-NET-000063-VPN-000220, SRG-NET-000074-VPN-000250, SRG-NET-000168-VPN-000600, SRG-NET-000230-VPN-000780</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-001453CCI-000068CCI-000803CCI-001184Configure AOS with the following commands: +configure terminal +crypto isakmp policy <priority> +hash sha2-384-192 +exit +write memory1. Verify the AOS configuration with the following command: +show crypto-local ipsec-map + +Note the IKEv2 Policy number for each configured map. + +2. For each configured policy number, run the following command: +show crypto isakmp policy <IKEv2 Policy #> + +If each configured IKEv2 policy hash algorithm is not configured with SHA-2 at 384 bit, this is a finding.SRG-NET-000164-VPN-000560<GroupDescription></GroupDescription>ARBA-VN-000560AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. 
To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and Domain Name System Security Extensions (DNSSEC). However, applications that do not use a trusted path are not approved for nonlocal and remote management of DOD information systems. + +Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved because they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria may also violate the trusted channel rule set. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a certificate authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. 
Validation of the certificate status information is out of scope for this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000185Configure AOS using the web interface: + +1. Navigate to Configuration >> System >> Certificates tab. +2. Under "Import Certificates", click the plus sign (+) and upload the trusted root CA. Provide the certificate name, upload the certificate file, and select the matching certificate format. +3. Choose the TrustedCA Certificate type. +4. Click Submit >> Pending Changes >> and Deploy Changes.1. Verify the AOS configuration with the following command: +show crypto-local pki trusted CA + +2. Note the name(s) of each trust CA. +show crypto-local pki trustedCA <name> + +3. Verify that each trusted CA is a valid DOD PKI CA. + +If the trusted CAs are not DOD PKI or no DOD PKI CAs are present, this is a finding.SRG-NET-000317-VPN-001090<GroupDescription></GroupDescription>ARBA-VN-001090AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
+ +AES is the Federal Information Processing Standard (FIPS)-validated cipher block cryptographic algorithm approved for use in DOD. For an algorithm implementation to be listed on a FIPS 140-2/140-3 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2/140-3 and must successfully complete the cryptographic algorithm validation process. Currently, the National Institute of Standards and Technology (NIST) has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. + +Satisfies: SRG-NET-000317-VPN-001090, SRG-NET-000371-VPN-001650, SRG-NET-000400-VPN-001940, SRG-NET-000525-VPN-002330</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000068CCI-002418CCI-000197Configure AOS with the following commands for each IKEv2 Policy number noted: +configure terminal +crypto isakmp policy <priority> +encryption aes256 +exit +write memory1. Verify the AOS configuration with the following commands: +show crypto-local ipsec-map + +Note the IKEv2 Policy number for each configured map. + +2. 
For each configured policy number, run the following command: +show crypto isakmp policy <IKEv2 Policy #> + +If each configured IKEv2 policy is not configured with AES256 or greater encryption, this is a finding.SRG-NET-000352-VPN-001460<GroupDescription></GroupDescription>ARBA-VN-001460AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + +The National Security Agency/Central Security Service's (NSA/CSS) CSfC program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by the NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. However, quantum-resistant algorithms will be required for future required Suite B implementations. + +Satisfies: SRG-NET-000352-VPN-001460, SRG-NET-000565-VPN-002390, SRG-NET-000565-VPN-002400</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-002450Configure AOS with the following commands: + +1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> +show crypto pki csr +2. Use DOD PKI to generate a public certificate based on the CSR. +3. 
Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. +4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, "ServerCert" type, and click "Submit". +5. Navigate to Configuration >> System >> Admin and choose the imported certificate under "Server Certificate" and click "Submit". +6. Click Pending Changes >> Deploy Changes. + +configure terminal +crypto ipsec transform-set <name> esp-aes256-gcm +crypto isakmp policy <#> +authentication ecdsa-384 +encryption aes256 +group 20 +hash sha2-384-192 +prf prf-hmac-sha384 +version v2 +exit +crypto-local ipsec-map <name> <priority> +set transform-set <set created earlier name> +<configure VPN settings as needed> +exit +write memoryIf AOS is not being used for CSFC, this requirement is not applicable. + +1. Verify the AOS configuration with the following command: +show crypto-local ipsec-map + +Note the IKEv2 Policy number for each configured map. + +2. For each configured policy number, run the following command: +show crypto isakmp policy <IKEv2 Policy #> + +3. Verify each configured transform-set by running the following command: +show crypto ipsec transform-set + +If the configured IPsec map, ISAKMP policy, and transform-set do not contain the following, this is a finding: +ECDCA 384 certificate +IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20 +Transform set with AES-256-GCMSRG-NET-000148-VPN-000540<GroupDescription></GroupDescription>ARBA-VN-000540AOS, when used as a VPN Gateway, must uniquely identify all network-connected endpoint devices before establishing a connection.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. 
+ +For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions. + +This requirement applies to applications that connect locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers outside a datacenter, Voice Over Internet Protocol [VoIP] phones, and video teleconference codecs). Gateways and service-oriented architecture (SOA) applications are examples of where this requirement would apply.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000778Configure AOS using the web interface: + +1. Navigate to Configuration >> Services >> VPN and expand "Site-to-Site". +2. Select the configured site-to-site VPN IPsec maps. Select the applicable Server certificate. Select the applicable trusted DOD root CA under "CA certificate:". +3. Click Submit >> Pending Changes >> Deploy Changes. +4. Navigate to Configuration >> Access Points >> Remote APs tab. +5. Select the check box next to the AP Name in the Remote AP table and click "Provision". +6. In the "General" tab, select "Certificate" from the "Authentication method:" drop-down list. +7. Click "Submit" to apply the configuration and reboot the AP as a certificate Remote AP. +8. 
Click Pending Changes >> Deploy Changes.Verify the AOS configuration with the following command: + +1. Site-to-site VPN: +Using the CLI: +show crypto isakmp sa + +If the IPsec security association is not operating with certificates ("-c"), this is a finding. + +2. Hardware client VPN: +Using the web GUI, navigate to Configuration >> Access Points >> Remote APs. Review each provisioned Remote Access Point (RAP) and verify that each AP has "c" in the FLAGS column. + +If certificate authentication is not configured for each RAP, this is a finding.SRG-NET-000343-VPN-001370<GroupDescription></GroupDescription>ARBA-VN-001370AOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. + +This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC codecs). Gateways and SOA applications are examples of where this requirement would apply. + +Device authentication is a solution enabling an organization to manage devices. 
It is an additional layer of authentication ensuring only specific preauthorized devices can access the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-001958Configure AOS using the web interface: + +1. Navigate to Configuration >> Services >> VPN and expand "Site-to-Site". +2. Select the configured site-to-site VPN IPsec maps. Select the applicable Server certificate. Select the applicable trusted DOD root CA under "CA certificate:". +3. Click Submit >> Pending Changes >> Deploy Changes. +4. Navigate to Configuration >> Access Points >> Remote APs tab. +5. Select the check box next to the AP Name in the Remote AP table and click "Provision". +6. In the "General" tab, select "Certificate" from the "Authentication method:" drop-down list. +7. Click "Submit" to apply the configuration and reboot the AP as a certificate Remote AP. +8. Click Pending Changes >> Deploy Changes.Verify the AOS configuration with the following command: + +1. Site-to-site VPN: +Using the CLI: +show crypto isakmp sa + +If the IPsec security association is not operating with certificates ("-c"), this is a finding. + +2. Hardware client VPN: +Using the web GUI, navigate to Configuration >> Access Points >> Remote APs. Review each provisioned RAP and verify that each AP has "c" in the FLAGS column. 
+ +If certificate authentication is not configured for each RAP, this is a finding.SRG-NET-000041-VPN-000110<GroupDescription></GroupDescription>ARBA-VN-000110The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +In most VPN implementations, the banner is configured in the management backplane (NDM Security Requirements Guide) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +Satisfies: SRG-NET-000041-VPN-000110, SRG-NET-000042-VPN-000120, SRG-NET-000043-VPN-000130</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure AOS with the following commands: +configure terminal +banner via # +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.# +write memoryVerify the AOS configuration with the following command: +show bannervia + +If the Standard Mandatory DOD Notice and Consent Banner is not set, this is a finding.SRG-NET-000213-VPN-000720<GroupDescription></GroupDescription>ARBA-VN-000720AOS, when used as a VPN Gateway, must terminate all network connections associated with a communications session at the end of the session.<VulnDiscussion>Idle Transmission Control Protocol (TCP) sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. 
These "orphaned" sessions use up valuable router resources and can be hijacked by an attacker. + +To mitigate this risk, routers must be configured to send periodic keep-alive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the TCP keep-alive message, the sending router will clear the connection and free resources allocated to the session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-001133Configure AOS with the following commands: +configure terminal +crypto-local isakmp dpd idle-timeout <idle_sec> retry-timeout <retry_sec> retry-attempts <retry_number> +write memoryVerify the AOS configuration with the following command: +show configuration effective | include dpd + +If DPD is not configured, this is a finding.SRG-NET-000132-VPN-000480<GroupDescription></GroupDescription>ARBA-VN-000480For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.<VulnDiscussion>Unlike Generic Routing Encapsulation (GRE) (a simple encapsulating header), L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to Point-to-Point Protocol (PPP), other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate Internet Engineering Task Force Request for Comments (RFC) documents. 
Further complexity is created by the capability to define vender-specific parameters beyond those defined in the L2TP specifications. + +The endpoint devices of an L2TP connection can be an L2TP Access Concentrator (LAC), in which case it inputs/outputs the layer 2 protocol to/from the L2TP tunnel. Otherwise, it is an L2TP Network Server (LNS), in which case it inputs/outputs the layer 3 (IP) protocol to/from the L2TP tunnel. The specifications describe three reference models: LAC-LNS, LAC-LAC, and LNS-LNS, the first of which is the most common case. The LAC-LNS model allows a remote access user to reach their home network or internet service provider from a remote location. The remote access user connects to a LAC device, which tunnels the connection home to a waiting LNS. The LAC could also be located on the remote user's laptop, which connects to an LNS at home using a generic internet connection. The other reference models may be used for more obscure scenarios. + +Although the L2TP protocol does not contain encryption capability, it can be operated over IPsec, which would provide authentication and confidentiality. A remote user in the LAC-LNS model would most likely obtain a dynamically assigned IP address from the home network to ultimately use through the tunnel back to the home network. The outer IP source address used to send the L2TP tunnel packet to the home network is likely to be unknown or highly variable. Also, because the LNS provides the remote user with a dynamic IP address, the firewall at the home network would have to be dynamically updated to accept this address in conjunction with the outer tunnel address. There is also the issue of authentication of the remote user prior to divulging an acceptable IP address. + +Because of all of these complications, the strict filtering rules applied to the IP-in-IP and GRE tunneling cases will likely not be possible in the L2TP scenario. 
+ +In addition to the difficulty of enforcing addresses and endpoints (as explained above), the L2TP protocol itself is a security concern if allowed through a security boundary. In particular: + +1. L2TP potentially allows link layer protocols to be delivered from afar. These protocols were intended for link-local scope only and are less defended and not as well known. +2. The L2TP tunnels can carry IP packets that are very difficult to see and filter because of the additional layer 2 overhead. +3. L2TP is highly complex and variable (vender-specific variability) and therefore would be a viable target that is difficult to defend. It is better left outside of the main firewall where less damage occurs if the L2TP-processing node is compromised. +4. Filtering cannot be used to detect and prevent other unintended layer 2 protocols from being tunneled. The strength of the application layer code would have to be relied on to achieve this task. +5. Regardless of whether the L2TP is handled inside or outside of the main network, a secondary layer of IP filtering is required; therefore, bringing it inside does not save resources. + +It is not recommended to allow unencrypted L2TP packets across the security boundary into the network's protected areas. 
Reference the Backbone Transport STIG for additional L2TP guidance and use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000382Configure AOS with the following commands: +configure terminal +cd /mm +ip access-list session vpnlogon +any any svc-l2tp deny +exit +write memory +cd /mynode +vpdn group l2tp +disable +exit +write memoryVerify the AOS configuration with the following command: +show ip access-list vpnlogon +show firewall-cp + +If L2TP or UDP 1701 are permitted, this is a finding.SRG-NET-000019-VPN-000040<GroupDescription></GroupDescription>ARBA-VN-000040AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.<VulnDiscussion>Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. 
+ +VPN traffic received from another enclave with different security policy or level of trust must not bypass being inspected by the firewall before being forwarded to the private network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-001414Configure AOS with the following commands: +configure terminal +ip access-list session <name> +network <A.B.C.D> <netmask A.B.C.D> any any permit +any any any deny log +ipv6 network <X:X:X:X::X/<0-128> any any permit +ipv6 any any any deny log +exit +write memory +interface gigabit <#/#/#> +ip access-group session <ACL name> +exit +write memVerify the AOS configuration with the following command: +show running-config | begin "interface gigabit" + +Note the configured IP access-group session ACL for each active interface. + +For each configured ACL: +show ip access-list <ACL name> + +If each ACL does not end in an "any any deny log" for both IPv4 and IPv6, this is a finding.SRG-NET-000053-VPN-000170<GroupDescription></GroupDescription>ARBA-VN-000170AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number.<VulnDiscussion>VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000054Configure AOS with the following commands: +configure terminal +user-role <vpn user role> +max-sessions 1 +exit +write memoryVerify the AOS configuration with the following command: +show running-config | begin "user-role <vpn user role>" + +If the vpn user role is not configured to max-sessions 1 (or an organization-defined number), this is a finding.SRG-NET-000166-VPN-000580<GroupDescription></GroupDescription>ARBA-VN-000580The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication.<VulnDiscussion>The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. Authentication, Authorization, and Accounting (AAA) network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. 
Separation of services provides added assurance to the network if the access control server is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000187Configure AOS with the following commands: + +1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> +show crypto pki csr +2. Use DOD PKI to generate a public certificate based on the CSR. +3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. +4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit". +5. Click Pending Changes >> Deploy Changes. 
+ +Continue configuring with the CLI: +configure terminal +crypto-local isakmp ca-certificate <CA certificate name> +crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name> +write memory + +crypto dynamic-map <name> <priority> +version v2 +set pfs group20 +set transform-set default-gcm256 +set security-association lifetime seconds 28800 +exit +write memory + +aaa authentication-server radius <name> +host <A.B.C.D or X:X:X:X::X or hostname> +key <preshared key> +enable +exit +write memory + +aaa server-group <name> +auth-server <name> +exit +write memory + +ip access-list session <name> +any any any permit +ipv6 any any any permit +exit +write memory + +user-role <name> +access-list session <name> +exit +write memory + +aaa authentication via auth-profile <name> +default-role <name> +client-cert-enable +server-group <name> +exit +write memory + +aaa authentication via connection-profile <name> +auth-profile <name> +enable-fips +ikev2-policy 10009 +ikev2-proto +ikev2auth eap-tls +ipsecv2-cryptomap map <name> number <priority> +max-timeout value <0-65535> +suiteb-crypto +validate-server-cert +exit +write memory + +aaa authentication via web-auth default +auth-profile <name> +exit +write memory + +user-role <name> +via <name> +exit +write memoryVerify the AOS configuration with the following commands: +show aaa authentication via auth-profile + +Note each referenced VIA authentication profile. + +For each referenced VIA authentication profile: +show aaa authentication via auth-profile <name> + +Note the server-group. 
+ +For each server-group: +show aaa server-group <name> + +If the remote access authentication profile is not set to use a separate authentication server, this is a finding.SRG-NET-000138-VPN-000490<GroupDescription></GroupDescription>ARBA-VN-000490The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. + +Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. + +(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and + +(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. + +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management). 
+ +Satisfies: SRG-NET-000138-VPN-000490, SRG-NET-000166-VPN-000590, SRG-NET-000341-VPN-001350</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000764CCI-000187CCI-001953Configure AOS with the following commands: + +1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> +show crypto pki csr +2. Use DOD PKI to generate a public certificate based on the CSR. +3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. +4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit". +5. Click Pending Changes >> Deploy Changes. 
+ +Continue configuring with the CLI: +configure terminal +crypto-local isakmp ca-certificate <CA certificate name> +crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name> +write memory + +crypto dynamic-map <name> <priority> +version v2 +set pfs group20 +set transform-set default-gcm256 +set security-association lifetime seconds 28800 +exit +write memory + +aaa authentication-server radius <name> +host <A.B.C.D or X:X:X:X::X or hostname> +key <preshared key> +enable +exit +write memory + +aaa server-group <name> +auth-server <name> +exit +write memory + +ip access-list session <name> +any any any permit +ipv6 any any any permit +exit +write memory + +user-role <name> +access-list session <name> +exit +write memory + +aaa authentication via auth-profile <name> +default-role <name> +client-cert-enable +server-group <name> +exit +write memory + +aaa authentication via connection-profile <name> +auth-profile <name> +enable-fips +ikev2-policy 10009 +ikev2-proto +ikev2auth eap-tls +ipsecv2-cryptomap map <name> number <priority> +max-timeout value <0-65535> +suiteb-crypto +validate-server-cert +exit +write memory + +aaa authentication via web-auth default +auth-profile <name> +exit +write memory + +user-role <name> +via <name> +exit +write memoryVerify the AOS configuration with the following commands: +show aaa authentication via connection-profile + +Note each referenced VIA connection profile. 
+ +For each referenced connection profile: +show aaa authentication via connection-profile <name> | include "IKEv2 Authentication method" + +If the authentication method is not set to "eap-tls", this is a finding.SRG-NET-000213-VPN-000721<GroupDescription></GroupDescription>ARBA-VN-000721The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.<VulnDiscussion>This requirement is in response to the DOD Office of Inspector General Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. + +Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must consider the risk to the mission and the purpose of the VPN. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement. + +To determine if and when the VPN connections warrant termination, the organization must perform a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at significant risk. + +The organization must document the results and the determination of the risk assessment in the VPN section of the System Security Plan. The organization must also configure VPN session terminations in accordance with the risk assessment. + +Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element. 
+ +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. + +This requirement applies to any network element that tracks individual sessions (e.g., stateful inspection firewall, ALG, or VPN).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000057CCI-001133Configure AOS with the following commands: + +For each VIA authentication profile: +aaa authentication via connection-profile + +configure terminal +aaa authentication via +connection-profile<name> +max-timeout value <0-65535> +exit +write memoryVerify the AOS configuration with the following commands: +show aaa authentication via connection-profile + +Note each referenced VIA connection profile. + +For each referenced connection profile: +show aaa authentication via connection-profile <name> | include "VIA max session timeout" + +If the max session timeout is not set to the organization-defined time, this is a finding.SRG-NET-000337-VPN-001300<GroupDescription></GroupDescription>ARBA-VN-001300AOS, when used as a VPN Gateway, must renegotiate the security association after 24 hours or less or as defined by the organization.<VulnDiscussion>When a VPN gateway creates an IPsec security association (SA), resources must be allocated to maintain the SA. 
These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway's inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. + +The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice. + +Satisfies: SRG-NET-000337-VPN-001300, SRG-NET-000337-VPN-001290</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-002038Configure AOS with the following commands: +configure terminal +crypto-local ipsec-map <name> <priority> +set security-association lifetime seconds 28800 +exit +write memory + +crypto dynamic-map <name> <priority> +set security-association lifetime seconds 28800 +exit +write memoryVerify the AOS configuration with the following commands: +show crypto-local ipsec-map +show crypto dynamic-map + +If the configured IPSec maps are not configured to support a security association lifetime of 28,800 seconds (8 hours), this is a finding.SRG-NET-000132-VPN-000470<GroupDescription></GroupDescription>ARBA-VN-000470The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).<VulnDiscussion>PPTP and L2F are obsolete methods for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits. 
Encryption and authentication are both weak.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000382Configure AOS with the following commands: +configure terminal +cd /mm +ip access-list session vpnlogon +any any svc-pptp deny +exit +write memory +cd /mynode +firewall cp +ipv4 deny any proto 6 ports 1723 1723 +ipv6 deny any proto 6 ports 1723 1723 +exit +write memoryVerify the AOS configuration with the following commands: +show ip access-list vpnlogon +show firewall-cp + +If PPTP or TCP 1723 are permitted, this is a finding.SRG-NET-000205-VPN-000710<GroupDescription></GroupDescription>ARBA-VN-000710AOS, when used as a VPN Gateway, must be configured to route sessions to an intrusion detection and prevention system (IDPS) for inspection.<VulnDiscussion>Remote access devices, such as those providing remote access to network devices and information systems, that lack automated capabilities increase risk and make remote user access management difficult at best. + +Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. 
+ +Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-001097Configure AOS with the following commands: +configure terminal +ip default-gateway <ipv4> +ipv6 default-gateway <ipv6> +ip route <A.B.C.D IPv4 network> <A.B.C.D netmask> <A.B.C.D nexthop> <cost> +ipv6 route <X:X:X:X::X IPv6 network/prefix> <X:X:X:X::X nexthop> <cost> +write memoryVerify the AOS configuration with the following commands: +show running-config | include default-gateway +show running-config | include "ipv4 route" +show running-config | include "ipv6 route" + +If any routes exist that do not route sessions to an IDPS for inspection, this is a finding.SRG-NET-000369-VPN-001620<GroupDescription></GroupDescription>ARBA-VN-001620AOS, when used as a VPN Gateway, must disable split-tunneling for remote client VPNs.<VulnDiscussion>Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. + +A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the internet. 
With split tunneling enabled, a remote client has access to the internet while at the same time has established a secured path to the enclave via an IPsec tunnel. A remote client connected to the internet that has been compromised by an attacker on the internet provides an attack base to the enclave's private network via the IPsec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-002397Configure AOS using the following commands: +configure terminal +wlan virtual-ap <profile name> +forward-mode tunnel +exit +write memory +ap system-profile <profile name> +double-encrypt +exit +write memory + +For each VIA connection profile: +vaaa authentication via connection-profile <name> +no split-tunneling +exit +write memoryVerify the AOS configuration with the following commands: +show wlan virtual-ap + +For each active WLAN virtual-ap profile: +show wlan virtual-ap <name> | include "Forward mode" + +show ap system-profile + +For each active AP system-profile: +show ap system-profile <name> | include "Double Encrypt" + +show aaa authentication via connection-profile + +For each referenced profile: +show aaa authentication via connection-profile <name> | include "Enable split tunneling" + +If any instances of remote access or virtual-ap profile forward mode of split-tunnel are found or if double-encrypt is not enabled per active AP system profile, this is a finding.SRG-NET-000512-VPN-002220<GroupDescription></GroupDescription>ARBA-VN-002220AOS, when used as an IPsec 
VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs).<VulnDiscussion>Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. + +An IPsec SA is established using either IKE or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points, and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. + +With manual configuration of the IPsec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPsec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA, which could result in a rogue device establishing an IPsec SA with either of the VPN endpoints. + +IKE provides primary authentication to verify the identity of the remote system before negotiation begins. This feature is lost when the IPsec security associations are manually configured, which results in a nonterminating session using static preshared keys. 
+ +Satisfies: SRG-NET-000512-VPN-002220, SRG-NET-000132-VPN-000460, SRG-NET-000147-VPN-000530</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-000366CCI-000382CCI-001942Configure AOS with the following commands: +configure terminal +crypto-local ipsec-map <name> <priority> +version v2 +exit +write memoryVerify the AOS configuration with the following command: +show crypto-local ipsec-map + +If each configured IPsec map is not configured with IKE, this is a finding.SRG-NET-000345-VPN-002430<GroupDescription></GroupDescription>ARBA-VN-002430AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.<VulnDiscussion>Situations may arise in which the certificate issued by a certificate authority (CA) may need to be revoked before the lifetime of the certificate expires (for example, when the certificate is known to have been compromised). + +When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to determine if the certificate is valid. 
If the certificate is revoked, IKE will fail, and an IPsec security association will not be established for the remote endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS VPNDISADPMS TargetHPE Aruba Networking AOS VPN5645CCI-004068Configure AOS using the web interface: + +1. Navigate to Configuration >> System >> Certificates tab. Under "Import Certificates", upload the trust root CA. +2. Choose the TrustCA Certificate type. Click "Submit". +3. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click "Submit". +4. Click Pending Changes >> Deploy Changes. +5. Expand "Revocation Checkpoint". Select the configured trusted root CA. +6. Select "ocsp" for Revocation method 1. Enter the OCSP server URL in the OCSP URL field (remove "http://"). +7. Choose the configured certificate under OCSP responder cert. Click "Submit". +8. Click Pending Changes >> Deploy Changes.Verify the AOS configuration with the following command: +show crypto-local pki rcp + +If any configured trusted root certificate authorities are not configured to use OCSP, this is a finding. \ No newline at end of file diff --git a/benchmarks/DISA/U_HPE_Aruba_Networking_AOS_Wireless_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_HPE_Aruba_Networking_AOS_Wireless_STIG_V1R1_Manual-xccdf.xml new file mode 100644 index 000000000..642ce5cdf --- /dev/null +++ b/benchmarks/DISA/U_HPE_Aruba_Networking_AOS_Wireless_STIG_V1R1_Manual-xccdf.xml 
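Review bot: The fix and check for ARBA-VN-001640 (L2TP) are out of step: the check runs `show firewall-cp` and records a finding if "L2TP or UDP 1701 are permitted", but the fix only adds `any any svc-l2tp deny` to the vpnlogon ACL and disables `vpdn group l2tp`, with no `firewall cp` rule, whereas the parallel PPTP rule ARBA-VN-000470 adds `ipv4 deny any proto 6 ports 1723 1723` and its ipv6 twin. Either add the matching control-plane deny for UDP (protocol 17) port 1701 to the ARBA-VN-001640 fix or drop `show firewall-cp` from its check. Smaller issues in the same hunk: ARBA-VN-000710's check greps for "ipv4 route" while the fix uses `ip route`, so the IPv4 routes will never be listed; ARBA-VN-001620's fix has the typo `vaaa authentication via connection-profile <name>`; ARBA-VN-000721's fix splits one command across `aaa authentication via` and `connection-profile<name>` (missing space and line break); ARBA-VN-000040's placeholder `<X:X:X:X::X/<0-128>` has an unclosed angle bracket and that rule ends with `write mem` while every other rule uses `write memory`; and the VIA user-role ACL in ARBA-VN-000580 and ARBA-VN-000490 (`any any any permit` plus the ipv6 equivalent) would itself be a finding under ARBA-VN-000040, which requires every session ACL to end in `any any deny log`, so the sample should either end in a deny-log or say the permit-all is a placeholder to be replaced with the site policy. ARBA-VN-001300's check also hard-codes 28,800 seconds even though the title allows "24 hours or less or as defined by the organization"; the check text should accept any organization-defined value at or below 86,400 seconds.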
@@ -0,0 +1,290 @@ +acceptedHPE Aruba Networking AOS Wireless Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 22 Oct 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000062<GroupDescription></GroupDescription>ARBA-NT-000100AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +This requirement applies to TLS gateways (also known as Secure Sockets Layer [SSL] gateways). Application protocols such as Hypertext Transfer Protocol Secure (HTTPS), Secure File Transfer Protocol (SFTP), and others use TLS as the underlying security protocol and thus are in scope for this requirement. 
National Institute of Standards and Technology (NIST) Special Publication 800-52 provides guidance for client negotiation on either DOD-only or public-facing servers. + +Satisfies: SRG-NET-000062, SRG-NET-000530</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-000068CCI-001453Configure AOS with the following commands: +configure terminal +web-server profile +ssl-protocol tlsv1.2 +exit +write memoryVerify the AOS configuration with the following command: +show web-server profile + +If "tlsv1.2" is not returned for "SSL/TLS Protocol Config", this is a finding.SRG-NET-000069<GroupDescription></GroupDescription>ARBA-NT-000120AOS must protect wireless access to the network using authentication of users and/or devices.<VulnDiscussion>Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. + +The security boundary of a wireless local area network (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DOD network enclave. + +Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. 
Wireless networks use authentication protocols (e.g., Extensible Authentication Protocol (EAP)/Transport Layer Security (TLS) and Protected EAP [PEAP]), which provide credential protection and mutual authentication. + +Satisfies: SRG-NET-000069, SRG-NET-000070</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-001443CCI-001444Configure AOS with the following commands: +configure terminal +wlan ssid-profile <profile name> +opmode <wpa2-aes or wpa3-cnsa> +exit +write memoryVerify the AOS configuration with the following command: +show wlan ssid-profile + +For each WLAN SSID: +show wlan ssid-profile <SSID profile name> + +If a WPA Passphrase is set or if Encryption is not set with wpa2-aes or wpa3-cnsa, this is a finding.SRG-NET-000070<GroupDescription></GroupDescription>ARBA-NT-000130The network element must protect wireless access to the system using Federal Information Processing Standard (FIPS)-validated Advanced Encryption Standard (AES) block cipher algorithms with an approved confidentiality mode.<VulnDiscussion>Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Because wireless communications can be intercepted, encryption must be used to protect the confidentiality of information in transit. + +Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. 
Wireless networks use authentication protocols (e.g., Extensible Authentication Protocol (EAP)/Transport Layer Security (TLS) and Protected EAP [PEAP]), which provide credential protection and mutual authentication. + +This requirement applies to operating systems that control wireless devices. + +A block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication. + +AES is the FIPS-validated cipher block cryptographic algorithm approved for use in the DOD. For an algorithm implementation to be listed on a FIPS 140-2/140-3 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2/140-3 and must successfully complete the cryptographic algorithm validation process. Currently, the National Institute of Standards and Technology (NIST) has approved the following confidentiality modes to be used with AES: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. 
+ +Satisfies: SRG-NET-000070, SRG-NET-000151</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-001444CCI-001967Configure AOS with the following command: +configure terminal + +For each ap system-profile, run the following commands: +ap system-profile <profile-name> +fips-enable +exit +fips enable +write memory +reloadVerify the AOS configuration with the following commands: +show fips +show ap system-profile + +For each configured ap system profile: +show ap system-profile <profile-name> | include FIPS + +If FIPS is not enabled, this is a finding.SRG-NET-000131<GroupDescription></GroupDescription>ARBA-NT-000300AOS must be configured to disable nonessential capabilities.<VulnDiscussion>It is detrimental for network elements to provide, or enable by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +Network elements are capable of providing a wide variety of functions and services. 
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-000381Configure AOS with the following commands: +configure terminal +firewall cp +ipv4 deny any proto 6 ports 17 17 ipv4 deny any proto 6 ports 8080 8080 +ipv4 deny any proto 6 ports 8081 8081 +ipv4 deny any proto 6 ports 8082 8082 +ipv4 deny any proto 6 ports 8088 8088 +ipv6 deny any proto 6 ports 17 17 +ipv6 deny any proto 6 ports 8080 8080 +ipv6 deny any proto 6 ports 8081 8081 +ipv6 deny any proto 6 ports 8082 8082 +ipv6 deny any proto 6 ports 8088 8088 +exit +write memory + +Block any other ports as desired using the following example: +<ipv4/ipv6> deny any proto <ftp, http, telnet, tftp, protocol #> ports <start port 0-65535> <end port 0-65535>Verify the AOS configuration with the following command: +show firewall-cp + +Verify that nonessential capabilities, functions, ports, protocols, and/or services are denied. + +If any nonessential capabilities, functions, ports, protocols, and/or services are allowed, this is a finding.SRG-NET-000193<GroupDescription></GroupDescription>ARBA-NT-000440AOS must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.<VulnDiscussion>A network element experiencing a DoS attack will not be able to handle production traffic load. 
The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering, resulting in route flapping, and will eventually sinkhole production traffic. + +The device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating "flood-type" DoS attacks through increased capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-001095Configure AOS using the web interface: + +Navigate to Configuration >> Services >> Firewall and enable DoS protection in accordance with organization-defined policy. + +Click Submit >> Pending Changes >> Deploy Changes.Verify the AOS configuration using the web interface: + +Navigate to Configuration >> Services >> Firewall. + +If the organization-defined safeguards are not enabled to protect against known DoS attacks, this is a finding.SRG-NET-000338<GroupDescription></GroupDescription>ARBA-NT-000800AOS must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. 
+ +In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including (but not limited to), the following other situations: + +(i) When authenticators change; +(ii) When roles change; +(iii) When security categories of information systems change; +(iv) After a fixed period of time; or +(v) Periodically. + +This requirement only applies to components where this is specific to the function of the device or has the concept of device authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-002039Configure AOS with the following commands: +configure terminal +crypto-local ipsec-map <name> <priority> +set security-association lifetime seconds 28800 +exit +write memoryVerify the AOS configuration with the following command: +show crypto-local ipsec-map + +If the configured IPSec maps are not configured to support a security association lifetime of 28,800 seconds (8 hours), this is a finding.SRG-NET-000343<GroupDescription></GroupDescription>ARBA-NT-000850The network element must authenticate all network-connected endpoint devices before establishing any connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. 
In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. + +This requirement applies to applications that connect locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers outside a datacenter, Voice over Internet Protocol phones, and video teleconferencing codecs). Gateways and service-oriented architecture applications are examples of where this requirement would apply. + +Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-001958Configure AOS using the web interface: + +1. Navigate to Configuration >> Services >> VPN and expand "Site-to-Site". +2. Select the configured site-to-site VPN IPsec maps. Select the applicable Server certificate. Select the applicable trusted DOD root CA under "CA certificate:". +3. Click Submit >> Pending Changes >> Deploy Changes. +4. Navigate to Configuration >> Access Points >> Remote APs tab. +5. Select the check box next to the AP Name in the Remote AP table and click "Provision". +6. In the "General" tab, select "Certificate" from the "Authentication method:" drop-down list. +7. Click "Submit" to apply the configuration and reboot the AP as a certificate Remote AP. +8. 
Click Pending Changes >> Deploy Changes.If the AP is not being used as a Remote AP, this check is not applicable. + +Verify the AOS configuration with the following commands: + +1. Site-to-site VPN: +show crypto-local ipsec-map + +If a CA certificate and Server certificate are not configured for each IPsec map, this is a finding. + +2. Hardware client VPN: +show "remote ap profile" + +If certificate authentication is not configured for each RAP profile, this is a finding.SRG-NET-000352<GroupDescription></GroupDescription>ARBA-NT-000920AOS must use cryptographic algorithms approved by the National Security Agency (NSA) to protect national security systems (NSS) when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. + +National Institute of Standards and Technology (NIST) cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the Commercial Solutions for Classified (CSfC) program have been changed to more stringent protocols and configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm (CNSA) Suite replaces Suite B. 
+ +Satisfies: SRG-NET-000352, SRG-NET-000565</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-002450Configure AOS with the following commands: +crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> +show crypto pki csr + +1. Use DOD PKI to generate a public certificate based on the CSR. +2. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. +3. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, "ServerCert" type, and click "Submit". +4. Navigate to Configuration >> System >> Admin, choose the imported certificate under "Server Certificate", and click "Submit". +5. Click Pending Changes >> Deploy Changes. + +configure terminal +crypto ipsec transform-set <name> esp-aes256-gcm +crypto isakmp policy <#> +authentication ecdsa-384 +encryption aes256 +group 20 +hash sha2-384-192 +prf prf-hmac-sha384 +version v2 +exit +crypto-local ipsec-map <name> <priority> +set transform-set <set created earlier name> +<configure VPN settings as needed> +exit +write memoryIf AOS is not being used for CSFC, this requirement is not applicable. + +1. Verify the AOS configuration with the following command: +show crypto-local ipsec-map + +Note the IKEv2 Policy number for each configured map. + +2. For each configured policy number, run the following command: +show crypto isakmp policy <IKEv2 Policy #> + +3. 
Verify each configured transform-set with the following command: +show crypto ipsec transform-set + +If the configured IPsec map, ISAKMP policy, and transform-set do not contain the following, this is a finding: + +ECDCA 384 certificate +IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20 +Transform set with AES-256-GCMSRG-NET-000369<GroupDescription></GroupDescription>ARBA-NT-000970AOS, in conjunction with a remote device, must prevent the device from simultaneously establishing nonremote connections with the system and communicating via some other connection to resources in external networks.<VulnDiscussion>Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. + +This requirement applies to virtual private network (VPN) concentrators and clients. It is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices and by preventing those configuration settings from being readily configurable by users. This requirement is implemented within the information system by the detection of split tunneling (or configuration settings that allow split tunneling) in the remote device and by prohibiting the connection if the remote device is using split tunneling. + +The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as nonremote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing nonremote communications paths from remote devices. 
The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-002397Configure AOS using the web interface: + +1. Navigate to Configuration >> System >> Profiles. +2. Under "All Profiles", expand "Virtual AP". +3. Select each Virtual AP profile. Under "General", select tunnel as the Forward mode. +4. Click Submit >> Pending Changes >> Deploy Changes. +5. In configuration mode (CLI), for each ap system-profile, run the following commands: +ap system-profile <profile-name> +double-encrypt +exit +write memoryVerify the AOS configuration with the following commands: +show running-configuration | include split-tunnel +show running-config | include double-encrypt + +If any instances of forward-mode split-tunnel are found or if double-encrypt is not enabled, this is a finding.SRG-NET-000070<GroupDescription></GroupDescription>ARBA-NT-001590When AOS is used as a wireless local area network (WLAN) controller, WLAN Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) implementation must use certificate-based public key infrastructure (PKI) authentication to connect to DOD networks.<VulnDiscussion>DOD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. 
+ +For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. + +Certificate-based PKI authentication must be used to connect WLAN client devices to DOD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. + +At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DOD information resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-001444Configure AOS using the web interface: + +1. Navigate to Configuration >> Authentication. +2. Click the plus sign (+) under the "All Servers" field. +3. Add enterprise RADIUS servers by providing the Name and IP address/hostname. +4. Click on the added RADIUS server. Configure the Shared key. +5. Click Submit >> Pending Changes >> Deploy Changes. +6. Navigate to Configuration >> WLANs and select the desired WLAN in the "WLANs" field. +7. Under the selected WLAN, select "Security". +8. Click the plus sign (+) in the "Auth servers:" field and add the previously created enterprise RADIUS servers. +9. Click Submit >> Pending Changes >> Deploy Changes.Verify the AOS configuration using the web interface: + +1. 
Navigate to Configuration >> WLANs and select the desired WLAN in the WLANs field. +2. Under the selected WLAN, select "Security". Note which Auth servers are configured. +3. Navigate to Configuration >> Authentication. +4. In the "All Servers" field, select each WLAN authentication server noted earlier. +5. Verify each configured authentication server is configured to support EAP-TLS with DOD PKI. + +If each WLAN authentication server is not configured to support EAP-TLS with DOD PKI, this is a finding.SRG-NET-000512<GroupDescription></GroupDescription>ARBA-NT-001600The site must conduct continuous wireless Intrusion Detection System (IDS) scanning.<VulnDiscussion>DOD networks are at risk and DOD data could be compromised if wireless scanning is not conducted to identify unauthorized wireless local area network (WLAN) clients and access points connected to or attempting to connect to the network. + +DOD Components must ensure that a wireless intrusion detection system (WIDS) is implemented that allows for monitoring of WLAN activity and the detection of WLAN-related policy violations on all unclassified and classified DOD wired and wireless LANs. The WIDS must be implemented regardless of whether or not an authorized WLAN has been deployed. + +The WIDS must be capable of monitoring IEEE 802.11 transmissions within all DOD LAN environments and detecting nearby unauthorized WLAN devices. + +The WIDS is not required to monitor non-IEEE 802.11 transmissions. + +The WIDS must continuously scan for and detect authorized and unauthorized WLAN activities 24 hours a day, seven days a week. + +Note: Exceptions to WIDS implementation criteria may be made by the authorizing official (AO) for DOD wired and wireless LAN operating environments. This exception allows the AO to implement periodic scanning conducted by designated personnel using hand-held scanners during walkthrough assessments. 
Periodic scanning may be conducted as the alternative to the continuous scanning only in special circumstances, where it has been determined on a case-by-case basis that continuous scanning is either infeasible or unwarranted. The AO exception must be documented. + +The "infeasible" criteria includes the following use case examples: +- It is not my building - This scenario means that for contractual or other similar reasons, the DOD component is not allowed to install a WIDS. +- There is no power or space is limited - This scenarios means that for space, weight, and power (SWAP) reasons, the addition of continuous scanning capabilities cannot be accomplished because it would exceed SWAP availability. Power would also affect the decision to waive continuous scanning requirements if the entire LAN is only in operation periodically (e.g., the wired/wireless LAN is enabled on a vehicle that is only operating when the vehicle is being used for a specific operation). +- The exception for "Minimal Impact WLAN Systems" that do not provide connectivity to WLAN-enabled PEDs (e.g., backhaul systems), have no available FIPS 140-validated 802.1X EAP-TLS supplicant, support a very small number of users for a specific mission (e.g., 10 or less users), are standalone networks, or are highly specialized WLAN systems that are isolated from the DODIN (e.g., hand-held personal digital assistants [PDAs] used as radio-frequency identification [RFID] readers, a network of WLAN-enabled Voice over Internet Protocol [VoIP] phones) allows the AO to waive any of the security requirements in the Instruction. This includes using nonstandard/proprietary FIPS-validated encryption, using an alternative FIPS-validated EAP type, and not having a continuous WIDS. +- The cost of the continuous WIDS capability is more expensive that the total cost of the LAN without a WIDS. 
+ +The AO must conduct a wireless threat risk assessment where analysis has shown that the threat environment is extremely unlikely to nonexistent to meet the "unwarranted" exception criteria.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-000366Configure AOS using the web interface: + +1. To provision access points as dedicated air monitors to perform continuous WIDS scanning, navigate to Configuration >> AP Groups. +2. Click on the "+" sign to add a new AP group. +3. Name the group. +4. Select the created group. +5. Click on "Radio". Change each Radio mode to "am-mode".   +6. Click Submit >> Pending Changes >> Deploy Changes. +7. Navigate to "Access Points". +8. Select "Allowlist". +9. Configure the desired access points as air monitors by provisioning them to the AP group created earlier. +10. Click Submit >> Pending Changes >> Deploy Changes. + +Note: Access points in ap-mode perform WIDS scanning between processing client data packets. Air monitors do not advertise WLANs or handle client data.Interview the site information system security officer (ISSO). Determine if scanning by a WIDS is being conducted and if it is continuous or periodic. + +If a continuous scanning WIDS is used, there is no finding. + +If periodic scanning is used, verify the exception to policy is documented and signed by the AO. Verify the exception meets one of the required criteria. + +If periodic scanning is being performed but requirements have not been met, this is a finding. 
+ +If no WIDS scanning is being performed at the site, this is a finding.SRG-NET-000131<GroupDescription></GroupDescription>ARBA-NT-001610AOS, when configured as a WLAN bridge, must not be configured to have any feature enabled that calls home to the vendor.<VulnDiscussion>Call-home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. + +There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack. (Refer to SRG-NET-000131-RTR-000083.)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-002403Configure AOS using the web interface: + +1. Navigate to Configuration >> System >> More tab. +2. Expand "Phone Home". +3. Click the toggle button to disable "Phone Home". +4. Click Submit >> Pending Changes >> Deploy Changes. Verify the AOS configuration using the web interface: + +1. Navigate to Configuration >> System >> More tab. +2. Expand "Phone Home ". + +If "Phone Home" is enabled, this is a finding.SRG-NET-000205<GroupDescription></GroupDescription>ARBA-NT-001650AOS, when used as a WLAN bridge or controller, must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface.<VulnDiscussion>The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. 
In either case, the management interface of the managed network element will be directly connected to the OOBM network. (Refer to SRG-NET-000205-RTR-000012.) + +Network boundaries, also known as managed interfaces, include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). + +Methods used for prohibiting interfaces within organizational information systems include, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-001097Configure AOS with the following commands: +configure terminal +ip default-gateway mgmt <A.B.C.D IPv4 address> +ipv6 default-gateway mgmt <X:X:X:X::X IPv6 address> +write memoryVerify the AOS configuration with the following command: +show ip route verbose + +If any the management traffic network is not configured with a route to the OOBM gateway, this is a finding.SRG-NET-000512<GroupDescription></GroupDescription>ARBA-NT-001660AOS wireless local area network (WLAN) service set identifiers (SSIDs) must be changed from the manufacturer's default to a pseudo random word that does not identify the unit, base, 
organization, etc.<VulnDiscussion>An SSID that identifies the unit, site, or purpose of the WLAN or is set to the manufacturer default may cause an operational security vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target HPE Aruba Networking AOS WirelessDISADPMS TargetHPE Aruba Networking AOS Wireless5646CCI-000366Configure AOS using the web interface: + +1. Navigate to Configuration >> WLANs and click on the "+" sign to create a guest WLAN. +2. Configure the SSID with a pseudo random word. +3. Finish configuring the WLAN. +4. Click Pending Changes >> Deploy Changes.Review AOS WLAN configuration by navigating to Configuration >> WLANs. + +If the WLAN SSIDs listed in the "NAME (SSID)" column are not pseudo random words, this is a finding. \ No newline at end of file diff --git a/stigs.json b/stigs.json index fc131c606..10c315633 100644 --- a/stigs.json +++ b/stigs.json 
@@ -5563,18 +5563,24 @@ "version": "V1R1", "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_HYCU_Protege_STIG_V1R1_Manual-xccdf.xml" }, - { - "id": "d7f2dce1-d524-4da2-ad37-306ebfa9f18b", - "name": "z/OS TSS Products - Ver 6, Rel 62", - "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_TSS_V6R62_Products.zip", - "size": "8.62 MB", - "version": "V6R62" - }, { "id": "4377594a-0e91-456e-ab57-9e8c0123b52d", "name": "z/OS SRR Scripts - Ver 6, Rel 62", "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_V6R62_SRR.zip", "size": "1.9 MB", "version": "V6R62" + }, + { + "id": "c501af64-a77c-49c6-b7c2-5d3584a22aa0", + "name": "HPE Aruba Networking AOS STIG", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPE_Aruba_Networking_AOS_Y24M10_STIG.zip", + "size": "2.08 MB" + }, + { + "id": "c916023f-b41d-4d30-9a95-699109fb9434", + "name": "z/OS RACF Products - Ver 6, Rel 62", + "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R62_Products.zip", + "size": "8.7 MB", + "version": "V6R62" } ] \ No newline at end of file
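Review bot: In the U_HPE_Aruba_Networking_AOS_Wireless hunk, the ARBA-NT-000300 fix text runs two CLI commands together on one line, `ipv4 deny any proto 6 ports 17 17 ipv4 deny any proto 6 ports 8080 8080`, so an operator who pastes the block as written issues one malformed `firewall cp` rule instead of the two intended ones; the line break before the second `ipv4 deny` is missing. Two smaller defects in the same file: the ARBA-NT-000920 check lists "ECDCA 384 certificate" where the fix text generates an ECDSA (secp384r1) CSR, and the ARBA-NT-000970 check uses `show running-configuration | include split-tunnel` on one line and `show running-config | include double-encrypt` on the next. Because this is an automated import of a DISA-published benchmark, the corrections belong upstream (the document itself names disa.stig_spt@mail.mil) rather than in a local edit of the XCCDF, but they should be recorded in an issue so consumers of this repository know the ARBA-NT-000300 fix text cannot be applied verbatim.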
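Review bot: In the stigs.json hunk, the new "HPE Aruba Networking AOS STIG" object is the only entry without a "version" key; the surrounding z/OS entries and the removed z/OS TSS entry all carry one, and the XCCDF imported alongside it declares "Release: 1 Benchmark Date: 22 Oct 2024", so consumers that key on "version" will get nothing for this benchmark. It also has no "file" field linking back to the imported benchmarks/DISA XML, unlike the HYCU entry in the leading context, so nothing in stigs.json points at the three files this commit adds. Separately, the hunk deletes the "z/OS TSS Products - Ver 6, Rel 62" entry (id d7f2dce1-d524-4da2-ad37-306ebfa9f18b) while adding the RACF one; if that removal is intended, the commit message "Update Benchmarks" should say why, otherwise it reads as the importer dropping an entry by accident.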