STIGQter: STIG Summary: Symantec ProxySG ALG Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Apr 2020:

If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.

DISA Rule

SV-104267r1_rule

Vulnerability Number

V-94313

Group Title

SRG-NET-000355-ALG-000117

Rule Version

SYMP-AG-000500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure reverse proxy services to only trust DoD-approved Certificate Authorities.

1. Log on to the Web Management Console.
2. Browse to Configuration >> Services >> Proxy Services.
3. Browse to SSL >> CA Certificates >> CA Certificate Lists.
4. Click "Import," provide a "Name," and paste in the first DoD CA certificate in PEM format and click "OK". Repeat for each DoD CA certificate desired.
5. Click CA Certificate Lists >> New to create a new CA Certificate List (CCL).
6. Provide a "Name," click each DoD CA certificate created in step 4, and click "Add". Once all certificates have been added, click "OK".
7. Browse to Configuration >> Services >> Proxy Services.
8. Select each HTTPS Reverse Proxy service and click "Edit Service".
9. Select the CCL created in step 6, click "OK," and then click "Apply".

Check Contents

Verify that only DoD-approved Certificate Authorities are trusted by the ProxySG for reverse proxy services.

1. Log on to the Web Management Console.
2. Browse to Configuration >> Services >> Proxy Services.
3. Select each HTTPS Reverse Proxy service and click "Edit Service".
4. Note the name of the CCL listed.
5. Browse to SSL >> CA Certificates >> CA Certificate Lists.
6. Select the CCL from step 4 and click "View".
7. Verify that only DoD-approved CA certificates are listed in the box on the right.

If any CA certificates that are not DoD-approved are found in a CCL assigned to a reverse proxy service, this is a finding.
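The following shell script is an added example and is not part of the STIG or of Symantec's documentation. It automates the intent of the fix and check above offline: given the CA certificates of a CCL copied out as a PEM bundle (an assumption about how the list is exported from the appliance) and an allowlist of SHA-256 fingerprints of DoD-approved CAs (one per line, taken from the official DoD PKI trust publication, not from this example), it flags any entry that is not a CA certificate or whose fingerprint is not on the allowlist. The function names audit_ccl, cert_fingerprint, is_ca_cert and normalize_fp are this example's own, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the STIG or from Symantec): offline audit of a
# ProxySG CA Certificate List (CCL) exported as a PEM bundle. Every
# certificate must (a) be a CA certificate and (b) have a SHA-256 fingerprint
# that appears in an allowlist of DoD-approved CAs.
# Assumptions: the openssl CLI is installed; the allowlist file holds one
# fingerprint per line (colons, spaces and hex case do not matter).

# normalize_fp: read fingerprints on stdin, drop any "SHA256 Fingerprint="
# prefix, colons and spaces, and upper-case the hex, one per line.
normalize_fp() {
    sed 's/^.*=//' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# cert_fingerprint <cert.pem>: SHA-256 fingerprint of the DER encoding.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fp
}

# is_ca_cert <cert.pem>: true if basicConstraints says CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# audit_ccl <bundle.pem> <approved_fingerprints.txt>
# Prints one line per certificate that does not belong in the CCL.
# Returns 0 if the bundle holds only approved CA certificates, 1 otherwise.
audit_ccl() {
    bundle="$1"; approved="$2"
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate; text outside the
    # BEGIN/END markers (e.g. openssl -text dumps) is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    rc=0
    for c in "$tmpdir"/cert*.pem; do
        [ -f "$c" ] || continue
        subject=$(openssl x509 -in "$c" -noout -subject 2>/dev/null) \
            || { echo "UNPARSEABLE: $c"; rc=1; continue; }
        # An end-entity certificate has no business in a trust list at all.
        if ! is_ca_cert "$c"; then
            echo "NOT A CA CERTIFICATE: $subject"; rc=1; continue
        fi
        fp=$(cert_fingerprint "$c")
        # Match on the fingerprint, never on the name: anyone can self-sign a
        # certificate whose subject reads "CN = DoD Root CA 3".
        if ! normalize_fp < "$approved" | grep -qx "$fp"; then
            echo "NOT DOD-APPROVED (SHA256 $fp): $subject"; rc=1
        fi
    done
    rm -rf "$tmpdir"
    return $rc
}
```

Usage: `audit_ccl reverse-proxy-ccl.pem dod-approved-sha256.txt`; a non-zero exit with one or more printed lines is the equivalent of the finding in the check above. Comparing fingerprints rather than subject names matters because a self-signed look-alike with a DoD-style subject would pass a name-only review of the "box on the right".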

Documentable

False

Check Content Reference

M

Target Key

3515

Comments