SYMP-AG-000380 - Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

Information

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.

A nonprivileged account is any account with the authorizations of a nonprivileged user. Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Security-relevant roles include key management, account management, network and system administration, database administration, and web administration.

Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one time use) or challenges (e.g., TLS). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Solution

Configure the ProxySG to use only FIPS-compliant HMAC algorithms.

1. Log on to the ProxySG SSH CLI.
2. Type 'enable' and enter the enable password.
3. Type 'configure terminal' and press 'Enter'.
4. Type 'management-services,' press 'Enter'. Type 'edit HTTPS-Console' and press 'Enter'.
5. Type 'view' to display the list of configured cipher suites.
6. Type 'attribute cipher-suite' followed by a space-delimited list of only cipher suites from step 5 that use FIPS-compliant HMAC algorithms.
7. Press 'Enter'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SYM_ProxySG_Y20M04_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(9), CAT|II, CCI|CCI-001942, Rule-ID|SV-104245r1_rule, STIG-ID|SYMP-AG-000380, Vuln-ID|V-94291

Plugin: BlueCoat

Control ID: 5972e219cc76e8f69a728eb05ecca046a7e895d352039aa6e4814268a33c6fd9