STIGQter: STIG Summary: WLAN Controller Security Technical Implementation Guide (STIG) Version: 6 Release: 15 Benchmark Date: 26 Apr 2019:

Network devices must authenticate all NTP messages received from NTP servers and peers.

DISA Rule

SV-15327r6_rule

Vulnerability Number

V-14671

Group Title

NTP messages are not authenticated.

Rule Version

NET0813

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.

Check Contents

Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

Downgrade:
If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III.

If the network element is not configured to authenticate received NTP messages using a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.

Network devices must authenticate all NTP messages received from NTP servers and peers.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments