STIGQter: STIG Summary: Forescout Network Device Management Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Nov 2020

Before establishing a connection with a Network Time Protocol (NTP) server, Forescout must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server.

DISA Rule

SV-230962r615886_rule

Vulnerability Number

V-230962

Group Title

SRG-APP-000395-NDM-000347

Rule Version

FORE-NM-000361

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Forescout to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Ensure the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Ensure the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.

Note: According to the vendor, this configuration uses SHA-1 for NTP configuration only when in FIPS mode. Use of SHA-2 for integrity processes usually incurs a finding; however, this configuration sets AES-128. Thus, this vendor-recommended configuration is considered to mitigate the risk for NTP on Forescout only. This is specifically and only applicable to this requirement.

Check Contents

Review the Forescout configuration to determine if Forescout authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Verify the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Verify the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.

If SNMPv3 with HMAC-SHA is configured, this is not a finding.

Vulnerability Number

V-230962

Documentable

False

Rule Version

FORE-NM-000361

Severity Override Guidance

Review the Forescout configuration to determine if Forescout authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Verify the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Verify the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.

If SNMPv3 with HMAC-SHA is configured, this is not a finding.

Check Content Reference

M

Target Key

5245

Comments