SYMP-AG-000510 - Symantec ProxySG must fail to a secure state upon failure of initialization, shutdown, or abort actions.

Information

Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Network elements that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes.

An example is a firewall that blocks all traffic rather than allowing all traffic when a firewall component fails (e.g., fail closed and do not forward traffic). This prevents an attacker from forcing a failure of the system to obtain access.

Depending on the deployment architecture, there are many configurations to check external to the ProxySG to ensure that failures of initialization, shutdown, or abort actions result in a secure state. With these external configurations in place, the ProxySG meets this requirement inherently. However, if a ProxySG hardware appliance is configured in a transparent, physically in-path manner, the check and fix apply.

Solution

Configure the transparent, physically in-line hardware ProxySG appliance to fail securely in the event of failures of initialization, shutdown, or abort actions.

1. Browse to Configuration >> Network >> Adapters >> Bridges.
2. Select the appropriate bridge-pair (whichever is in use) and click 'Edit'.
3. Select the 'fail-closed' radio button and click 'Apply'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SYM_ProxySG_Y20M04_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-24, CAT|II, CCI|CCI-001190, Rule-ID|SV-104269r1_rule, STIG-ID|SYMP-AG-000510, Vuln-ID|V-94315

Plugin: BlueCoat

Control ID: a71b97e8313affc9e72152a8b854649e73bb830a4207d6cfe50bb6f2864429d9