Rule ID
SV-284534r1244941_rule
Version
V1R1
CCIs
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DoW data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2/140-3-validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.
1. In the Web UI, navigate to System >> Configuration >> Advanced Networking. 2. Verify the management interface is selected for NTP, SNMP, Syslog and Log Archiving. 1. In the Web UI, navigate to Administrators >> Admin Realms. 2. Click each Admin Authentication Realm. 3. Click on Authentication policy for each realm. 4. Verify the "Enable to sign in" check box is not checked for "Management Port". If the device is not configured to connect to the management port for NTP, SNMP, and Syslog and Log Archiving communications, this is a finding.
Enable and configure alternative protocols and the admins to login to the Management port as well as the default URL port. 1. In the Web UI, navigate to Network >> Management >> Settings. 2. Check the box for "Use Port" to enable. 3. Add an IPv4 Address, Netmask, and GW. 4. Check the box to enable IPv6. 5. Add an IP Address, Prefix, and GW. 1. In the Web UI, navigate to System >> Configuration >> Advanced Networking. 2. Select the management interface for NTP, SNMP, Syslog & Log Archive (this should be selected by default). 3. Click "Save". 1. In the Web UI, navigate to Administrators >> Admin Realms. 2. Click each Admin Authentication Realm. 3. Click on Authentication policy. 4. Select each realm and select "Enable administrators to sign in on the Management port". This should be the only port checked.