STIGQter: STIG Summary: Forescout Network Device Management Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Nov 2020

Forescout must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

DISA Rule

SV-230961r615886_rule

Vulnerability Number

V-230961

Group Title

SRG-APP-000395-NDM-000310

Rule Version

FORE-NM-000350

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure Forescout to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Ensure the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Ensure the "use privacy" radio button is selected and "AES-128" or higher is selected from the drop-down box.

Check Contents

Review the Forescout configuration to determine if the network device authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Verify that the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Verify that the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.

If Forescout does not authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC), this is a finding.

Vulnerability Number

V-230961

Documentable

False

Rule Version

FORE-NM-000350

Severity Override Guidance

Review the Forescout configuration to determine if the network device authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Verify that the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Verify that the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.

If Forescout does not authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC), this is a finding.

Check Content Reference

M

Target Key

5245

Comments