STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Jan 2016:

The DataPower Gateway providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.

DISA Rule

SV-79779r1_rule

Vulnerability Number

V-65289

Group Title

SRG-NET-000390-ALG-000139

Rule Version

WSDP-AG-000111

Severity

CAT II

CCI(s)

• CCI-002661 - The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.

Weight

10

Fix Recommendation

Create a new service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel.

Click Add to create a new service >> Set the Name and back end destination for the service.

Under MultiProtocol Gateway Policy, click “+” to create a new Policy >> Provide a name for the Policy >> Click New Rule >> Set the Rule Direction to Client to Server >> Double-click the existing Match Action on the rule line and select default-accept-service providers >> Drag the Validate action down onto the processing line >> Double-click the action.

Upload the necessary schema definition file to the action >> Click Done.

Drag the AAA action onto the processing line after the Validate action >> Double-click the action to open it >> Click “+” to create a new AAA Policy >> Follow the wizard steps to create the desired policy.

When done, close the action >> Click Apply to complete the Policy.

Complete the Gateway configuration by clicking Apply.

Check Contents

Verify a service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel.

Click the name of the service in the list >> Set the Name and back end destination for the service.

Under MultiProtocol Gateway Policy, click “...” to inspect the Policy >> Verify the Rule Direction is set to Client to Server.

Double-click the existing Match Action on the rule line and verify it is set to default-accept-service providers.

Double-click the Validate action >> Verify that it is set to a schema file.

Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy.

When done, click cancel >> Click Cancel or Close window to close the Policy.

If these items have not been configured, this is a finding.

Vulnerability Number

V-65289

Documentable

False

Rule Version

WSDP-AG-000111

Severity Override Guidance

Verify a service, such as a MultiProtocol Gateway, by clicking the icon on the Control Panel.

Click the name of the service in the list >> Set the Name and back end destination for the service.

Under MultiProtocol Gateway Policy, click “...” to inspect the Policy >> Verify the Rule Direction is set to Client to Server.

Double-click the existing Match Action on the rule line and verify it is set to default-accept-service providers.

Double-click the Validate action >> Verify that it is set to a schema file.

Double-click the AAA action to open it >> Click “...” to inspect the AAA Policy >> Follow the wizard steps to review the desired policy.

When done, click cancel >> Click Cancel or Close window to close the Policy.

If these items have not been configured, this is a finding.

Check Content Reference

M

Target Key

2859

Comments