2.5.3 Ensure Client Authentication is secured.

Information

Client Authentication allows a user and device to authenticate to the firewall and inherit pre-configured firewall rules for a set amount of time. By default, these connections are unencrypted, yet they can travel over unsecured networks. It is recommended that all Client Authentication connections be made using the HTTPS configuration. This both uniquely identifies the gateway and keeps the authentication credentials from being copied while in transit over the network.

Rationale:

Client Authentication is used to authenticate a user or device to the firewall; by default, it works on HTTP port 900 and telnet port 259. The setting is stored in the $FWDIR/conf/fwauthd.conf file. HTTP and telnet are both non-secure plaintext protocols, and there are a number of published vulnerabilities against them, including the possibility of information disclosure and unauthorized access to the host system, which could permit sensitive data to be compromised. Using the HTTPS configuration for all Client Authentication connections helps identify the gateway and keeps the authentication credentials from being copied as they pass through the network.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Comment out or remove the following line from the $FWDIR/conf/fwauthd.conf file, which by default starts the telnet service listening on port 259; alternatively, write a rule in the rulebase that prevents connections to the daemon.

#259 fwssd in.aclientd wait 259

Edit the following line in the $FWDIR/conf/fwauthd.conf file to include the SSL setting:

900 fwssd in.ahclientd wait 900 ssl:defaultCert

Default Value:

259 fwssd in.aclientd wait 259
900 fwssd in.ahclientd wait 900
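Because Nessus does not perform this check, the following POSIX shell audit function is an added example (not part of the benchmark or of Check Point's tooling) that reads a fwauthd.conf file, ignores commented lines, and reports whether the telnet daemon (in.aclientd, port 259) is disabled and whether the HTTP daemon (in.ahclientd, port 900) carries an ssl: setting. The path is taken from $FWDIR, which is assumed to be set in the gateway shell.

```shell
#!/bin/sh
# audit_fwauthd CONF_FILE
# Returns 0 when the file is compliant with 2.5.3, 1 otherwise, and prints one
# PASS/FAIL/INFO line per finding. Constructed for this page; not a CIS or Check Point script.
audit_fwauthd() {
    conf="$1"
    rc=0
    # Keep only active service lines: drop '#'-commented lines and blank lines.
    active=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' || true)

    # Finding 1: the telnet Client Authentication daemon must not be active.
    if printf '%s\n' "$active" | grep -q 'in\.aclientd'; then
        echo "FAIL: in.aclientd (telnet, port 259) is still enabled in $conf"
        rc=1
    else
        echo "PASS: in.aclientd (telnet, port 259) is disabled in $conf"
    fi

    # Finding 2: the HTTP daemon, if enabled, must carry an ssl:<certificate> setting.
    line=$(printf '%s\n' "$active" | grep 'in\.ahclientd' || true)
    if [ -z "$line" ]; then
        echo "INFO: in.ahclientd (port 900) is not enabled in $conf"
    elif printf '%s\n' "$line" | grep -q 'ssl:[^[:space:]]'; then
        echo "PASS: in.ahclientd (port 900) requires HTTPS: $line"
    else
        echo "FAIL: in.ahclientd (port 900) accepts plaintext HTTP: $line"
        rc=1
    fi
    return $rc
}

# On a gateway, run against the live file (skipped when $FWDIR is not set).
if [ -n "${FWDIR:-}" ] && [ -r "$FWDIR/conf/fwauthd.conf" ]; then
    audit_fwauthd "$FWDIR/conf/fwauthd.conf"
fi
```

A non-zero exit status means at least one FAIL finding, so the function can be dropped into an existing compliance cron job or pipeline gate.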

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: CheckPoint

Control ID: 25b7b3145ac658a489a6694220e3c6beb2d412e9f29a1b6387231bd54cdf70a4