F5BI-AP-000235 - The F5 BIG-IP appliance APM Access Policies that grant access to web application resources must allow only client certificates that have the User Persona Name (UPN) value in the User Persona Client Certificates.

Information

To enhance security, it is advisable to append additional checks and APM Deny/Fallback branches to APM Access Profiles for scenarios in which a UPN cannot be extracted. To guarantee that only User Persona DISA Certificates are used to access Web Applications, it is recommended to carry out additional APM Access Policy checks against the Client Certificate. DISA incorporates a User Principal Name (UPN) in its User Persona Client Certificates; this key/value pair is not present in DISA server certificates.

Based on DOD session authentication policy, the LTM+APM configuration will include Client Certificate Authentication, an OCSP Revocation Check, a Variable Assignment to extract the UserPrincipalName, followed by an LDAP query. This query verifies the existence of a corresponding Active Directory User object for the provided UserPrincipalName. Subsequently, the identified sAMAccountName is set as an APM Session variable for use by the SSO Profile. Once an LTM+APM session is granted, the User-Agent is permitted to transmit data to the Server-Side of the proxy, which will invoke the SSO Profile if applicable.

To ensure that only DISA Client Certificates from CACs can access the Web Application, an additional branch was added to the Variable Assignment. The scripts were adjusted to verify the existence of the UserPrincipalName. If it does not exist, the value of the UserPrincipalName APM session variable is set to 'UPN Collection Error', which would be directed to an APM Policy Deny.

NPE Certificates issued by DISA incorporate both the TLS WWW Client Authentication (OID 1.3.6.1.5.5.7.3.2) and TLS WWW Server Authentication (OID 1.3.6.1.5.5.7.3.1) extended key usage purposes.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Note: If NPE certificates are not in use, implementation is REQUIRED.

Note: If NPE certificates are in use, implementation is OPTIONAL. Sites should test this configuration to prevent operational impacts since this process may potentially flag server and NPE certificates, resulting in denied sessions.

Configure each APM Access Policy to verify use of user persona DISA client certificates for accessing web applications.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click 'Edit' on each profile listed to enter the VPE.
5. Click on the object where the Certificate UPN is extracted and assigned to a variable.
6. Append a known variable to the end of the variable assignment expression that will trigger if the UPN cannot be extracted from the client certificate, such as:

else {
    return "UPN Collection Error"
}

7. Click 'Finished'.
8. In the same Variable Assign object, click the 'Branch Rules' tab.
9. On the branch that continues the policy evaluation (Does not lead to Deny ending) click the 'change' link next to 'Expression'.
10. 'Advanced' tab.
11. Enter an expression that verifies the UPN was extracted successfully, such as:

expr {[mcget {session.logon.last.upn}] ne "UPN Collection Error"}

Note: the above assumes the UPN variable name is 'session.logon.last.upn'. Adjust this if another variable name is used to store the client UPN. Tcl does not treat single quotes as string delimiters, so the sentinel value must be written in double quotes in both the Variable Assign expression and the branch rule.

12. Click 'Finished'.
13. Click 'Save'.
14. Click 'Apply Access Policy'.
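The complete Variable Assign logic and branch rule that the steps above describe, as an added example that is not part of the STIG or of F5 documentation. It is written as tclsh-runnable procedures and assumes that APM renders the client certificate's SAN UPN as "othername:UPN<value>" in session.ssl.cert.x509extensions; the sample extension text is constructed for offline testing.

```tcl
# Added example (not from the STIG or F5). In the VPE custom expression,
# use the body of upn_from_extensions directly, replacing $x509text with
# [mcget {session.ssl.cert.x509extensions}]; the script's return value
# becomes the session.logon.last.upn variable.
# Assumption: the SAN UPN line is rendered as "othername:UPN<value>".
proc upn_from_extensions {x509text} {
    set marker "othername:UPN<"
    foreach line [split $x509text "\n"] {
        set start [string first $marker $line]
        if {$start < 0} {
            continue
        }
        set start [expr {$start + [string length $marker]}]
        set end [string first ">" $line $start]
        if {$end <= $start} {
            continue
        }
        set upn [string range $line $start [expr {$end - 1}]]
        # A user persona UPN has the form identifier@realm; server and
        # NPE certificates either lack the othername or carry no such value.
        if {[string first "@" $upn] > 0} {
            return $upn
        }
    }
    # Sentinel checked by the branch rule on the Variable Assign object.
    return "UPN Collection Error"
}

# Branch rule expression: true only when a UPN was actually extracted,
# so the Deny ending is taken for any certificate without one.
proc upn_branch_allows {upn} {
    return [expr {$upn ne "UPN Collection Error"}]
}

# Constructed sample extension text (not real certificate data).
set user_cert "X509v3 Key Usage: critical\n    Digital Signature\nX509v3 Subject Alternative Name:\n    othername:UPN<1234567890@mil>, email:user@mail.mil"
set server_cert "X509v3 Extended Key Usage:\n    TLS Web Server Authentication, TLS Web Client Authentication\nX509v3 Subject Alternative Name:\n    DNS:app.example.mil"

foreach cert [list $user_cert $server_cert] {
    set upn [upn_from_extensions $cert]
    puts "upn=$upn allow=[upn_branch_allows $upn]"
}
```

The first certificate yields its UPN and passes the branch rule; the second, having no UPN othername, yields the sentinel and is routed to Deny.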

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_Y24M01_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5), CAT|III, CCI|CCI-002470, Rule-ID|SV-260054r947386_rule, STIG-ID|F5BI-AP-000235, Vuln-ID|V-260054

Plugin: F5

Control ID: 1e6350a01221afe0ff8f206218975399555e898aa2d73f1a1c2394621ba802a6