The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.


Overview

Finding ID: V-260050
Version: F5BI-AP-000231
Rule ID: SV-260050r947408_rule
Severity: Medium
Description
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Caching of CRL files on BIG-IP is not feasible or possible due to the large sizes of DOD/DISA CRL files. Use the alternate mitigation, configuring the system to deny access when revocation data is unavailable, which is done in the APM Visual Policy Editor (VPE).
STIG: F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
Date: 2024-01-26

Details

Check Text (C-63781r947371_chk)
If the BIG-IP appliance does not provide PKI-based user authentication intermediary services, this is not applicable.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Verify an "OCSP Auth" object is configured in the Access Profile VPE AND that the fallback branch of this object leads to a "Deny" ending.

If the BIG-IP appliance is not configured to deny access when revocation data is unavailable, this is a finding.
Fix Text (F-63688r947372_fix)
Update the OCSP Auth.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Add an "OCSP Auth" in the Access Profile.
Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.
6. Ensure the fallback branch goes to a "Deny" ending.
7. Click "Apply Access Policy".
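The check above is a manual walk of the Visual Policy Editor. The following is an added example, not F5 code and not the APM export format: it models a per-session policy as a small directed graph of items and branches (a hypothetical simplification constructed for illustration) and automates the V-260050 decision. It goes slightly beyond the literal check by following the OCSP Auth fallback branch through any later items, so a fallback that reaches "Allow" indirectly (for example via a logging item) is reported as a finding just like one wired straight to "Allow".

```python
"""
Added example modelled on STIG V-260050 (not F5 code).

The Visual Policy Editor is represented as a directed graph: each item has
named branches pointing at the next item, and "Allow" / "Deny" are terminal
endings. This data shape is a hypothetical simplification for illustration,
not APM's own policy export format.
"""
from dataclasses import dataclass, field

ENDINGS = {"Allow", "Deny"}


@dataclass
class PolicyItem:
    kind: str                                      # e.g. "OCSP Auth"
    branches: dict = field(default_factory=dict)   # branch name -> next node


@dataclass
class AccessPolicy:
    name: str
    start: str        # name of the first item in the policy
    items: dict       # item name -> PolicyItem


def reachable_endings(policy, start_node, branch):
    """Return every ending reachable from `branch` of `start_node` along any
    path. A reference to a missing item is reported as "dangling"; a path
    that only loops contributes nothing."""
    result, seen = set(), set()
    stack = [policy.items[start_node].branches.get(branch)]
    while stack:
        nxt = stack.pop()
        if nxt in ENDINGS:
            result.add(nxt)
        elif nxt is None or nxt not in policy.items:
            result.add("dangling")
        elif nxt not in seen:
            seen.add(nxt)
            stack.extend(policy.items[nxt].branches.values())
    return result


def check_v260050(policy, pki_intermediary=True):
    """Evaluate the STIG rule. Returns (status, findings) with status in
    "NotApplicable", "NotAFinding", "Open"."""
    if not pki_intermediary:   # appliance does not front PKI user auth
        return "NotApplicable", []
    findings = []
    ocsp_items = [n for n, it in policy.items.items() if it.kind == "OCSP Auth"]
    if not ocsp_items:
        findings.append(f"{policy.name}: no OCSP Auth object in the per-session policy")
    for name in ocsp_items:
        if "fallback" not in policy.items[name].branches:
            findings.append(f"{policy.name}: '{name}' has no fallback branch")
            continue
        endings = reachable_endings(policy, name, "fallback")
        if endings != {"Deny"}:
            findings.append(f"{policy.name}: fallback of '{name}' reaches "
                            f"{sorted(endings) or 'no ending'} instead of only Deny")
    return ("Open" if findings else "NotAFinding"), findings


# Constructed sample policies (not exported from a real BIG-IP).
COMPLIANT = AccessPolicy(
    name="ap_cac_compliant", start="cert_inspect",
    items={
        "cert_inspect": PolicyItem("Client Cert Inspection",
                                   {"successful": "ocsp", "fallback": "Deny"}),
        "ocsp": PolicyItem("OCSP Auth",
                           {"successful": "Allow", "fallback": "Deny"}),
    })

FAIL_OPEN = AccessPolicy(
    name="ap_cac_fail_open", start="cert_inspect",
    items={
        "cert_inspect": PolicyItem("Client Cert Inspection",
                                   {"successful": "ocsp", "fallback": "Deny"}),
        "ocsp": PolicyItem("OCSP Auth",
                           {"successful": "Allow", "fallback": "log"}),
        # The fallback does not point straight at Allow, but Allow is still
        # reachable from it: an OCSP outage would fail open.
        "log": PolicyItem("Logging", {"out": "Allow"}),
    })

if __name__ == "__main__":
    for pol in (COMPLIANT, FAIL_OPEN):
        status, findings = check_v260050(pol)
        print(pol.name, status, *findings, sep="\n  ")
```

Treating any reachable "Allow" as a finding is deliberately stricter than checking only the immediate branch target: once an OCSP responder is unreachable, every item after the fallback runs with no revocation status at all, so the only defensible terminal for that path is "Deny".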