STIGQter: STIG Summary: F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP Core implementation must be configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS traffic to virtual servers.

DISA Rule

SV-215803r557356_rule

Vulnerability Number

V-215803

Group Title

SRG-NET-000512-ALG-000066

Rule Version

F5BI-LT-000307

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-001125 - The information system enforces adherence to protocol format.

Weight

10

Fix Recommendation

If the BIG-IP Core provides intermediary/proxy services for HTTP and HTTPS communications traffic, configure the BIG-IP Core to inspect inbound HTTP and HTTPS communications traffic for protocol compliance and protocol anomalies.

Check Contents

If the BIG-IP Core does not provide intermediary/proxy services for HTTP and HTTPS communications traffic for virtual servers, this is not applicable.

When intermediary/proxy services for HTTP and HTTPS communications traffic are provided, verify the BIG-IP Core is configured as follows:

Verify the BIG-IP LTM module is configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS communications traffic.

Navigate to the BIG-IP System manager >> Security >> Protocol Security >> Security Profiles >> HTTP.

Verify there is at least one profile for managing HTTP traffic.

Select a Profile from the list to verify.

Review each of the following tabs to verify the proper criteria are selected and are set to "Alarm" at a minimum:

"HTTP Protocol Checks"
"Request Checks"
"Blocking Page"

If the BIG-IP Core does not inspect inbound HTTP and HTTPS communications traffic for protocol compliance and protocol anomalies, this is a finding.

Vulnerability Number

V-215803

Documentable

False

Rule Version

F5BI-LT-000307

Severity Override Guidance

If the BIG-IP Core does not provide intermediary/proxy services for HTTP and HTTPS communications traffic for virtual servers, this is not applicable.

When intermediary/proxy services for HTTP and HTTPS communications traffic are provided, verify the BIG-IP Core is configured as follows:

Verify the BIG-IP LTM module is configured to inspect for protocol compliance and protocol anomalies in inbound HTTP and HTTPS communications traffic.

Navigate to the BIG-IP System manager >> Security >> Protocol Security >> Security Profiles >> HTTP.

Verify there is at least one profile for managing HTTP traffic.

Select a Profile from the list to verify.

Review each of the following tabs to verify the proper criteria are selected and are set to "Alarm" at a minimum:

"HTTP Protocol Checks"
"Request Checks"
"Blocking Page"

If the BIG-IP Core does not inspect inbound HTTP and HTTPS communications traffic for protocol compliance and protocol anomalies, this is a finding.

Check Content Reference

M

Target Key

4019

Comments