Checked | Name | Title |
---|---|---|
☐ | SV-91087r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443. |
☐ | SV-91089r1_rule | Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats. |
☐ | SV-91091r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions. |
☐ | SV-91093r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist). |
☐ | SV-91095r1_rule | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist). |
☐ | SV-91097r1_rule | Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. |
☐ | SV-91099r1_rule | To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-91101r1_rule | To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-91103r1_rule | To protect against data mining, Kona Site Defender providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-91105r1_rule | To protect against data mining, Kona Site Defender providing content filtering must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-91107r1_rule | To protect against data mining, Kona Site Defender providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-91109r1_rule | To protect against data mining, Kona Site Defender providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-91111r1_rule | Kona Site Defender must off-load audit records onto a centralized log server. |
☐ | SV-91113r1_rule | Kona Site Defender must off-load audit records onto a centralized log server in real time. |
☐ | SV-91115r1_rule | Kona Site Defender must not strip origin-defined HTTP session headers. |
☐ | SV-91117r1_rule | Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis. |
☐ | SV-91119r1_rule | Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures. |
☐ | SV-91121r1_rule | Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies. |
☐ | SV-91123r1_rule | Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. |
☐ | SV-91125r1_rule | Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. |
☐ | SV-91127r1_rule | Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. |
☐ | SV-91129r1_rule | Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. |
☐ | SV-91131r1_rule | Kona Site Defender providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. |
☐ | SV-91133r1_rule | Kona Site Defender providing content filtering must block malicious code upon detection. |
☐ | SV-91135r1_rule | Kona Site Defender providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection. |
☐ | SV-91137r1_rule | Kona Site Defender providing content filtering must be configured to integrate with a system-wide intrusion detection system. |
☐ | SV-91139r1_rule | Kona Site Defender providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. |
☐ | SV-91141r1_rule | Kona Site Defender providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. |
☐ | SV-91143r1_rule | Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected. |
☐ | SV-91145r1_rule | Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected. |
☐ | SV-91147r1_rule | Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization. |
☐ | SV-91149r1_rule | Kona Site Defender must reveal error messages only to the ISSO, ISSM, and SCA. |
☐ | SV-91151r1_rule | Kona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |