STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 24 Oct 2017

The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.

DISA Rule

SV-79621r1_rule

Vulnerability Number

V-65131

Group Title

SRG-APP-000325-NDM-000285

Rule Version

WSDP-NM-000087

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The DataPower Gateway provides support for the secure transmission of authorization information to any supported authorization server. The following methods are supported: binarytokenx509, cleartrust, client-ssl, custom, kerberos, ldap, ltpa, netegrity, radius, saml-artifact, saml-authen-query, saml-signature, tivoli, token, validate-signer, ws-secureconversation, ws-trust, xmlfile, zosnss.

To configure secure authorization, use the WebGUI to go to Objects >> XML Processing >> AAA Policy and press the "Add" button.

After completing the parameters for authentication (Main, Identity extraction, Authentication, and Credential Mapping tabs), complete the parameters for authorization (Resource extraction, Resource mapping, and Authorization tabs).

DataPower provides secure access to all of the above-listed supported authorization methods. For example, on the AAA Policy Authorization tab described above, select "Check membership in LDAP group" as the authentication method. Parameters will then appear that allow the configuration of a secure SSL/TLS connection to that authorization server.

Check Contents

To verify that the secure transmission of authentication information has been configured, use the WebGUI to go to Objects >> XML Processing >> AAA Policy and select an existing AAA Policy.

Validate the authorization parameters on the Resource extraction, Resource mapping, and Authorization tabs.

On the Authorization tab, confirm that all necessary parameters are properly configured for secure access to the authorization server. If they are not, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

2861
