The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.


Overview

Finding ID: V-256079
Version: RINP-DM-000029
Rule ID: SV-256079r882745_rule
IA Controls: none listed
Severity: High
Description
The lack of role-based access control could result in the immediate compromise of and unauthorized access to sensitive information. Additionally, without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or assert nonrepudiation is lost. Individual accountability mandates that each administrator is uniquely identified. For public key infrastructure (PKI)-based authentication, the device must be configured to map validated certificates to unique user accounts. This requirement applies to accounts or roles created and managed on or by the network device.

Satisfies: SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000033-NDM-000212

STIG: Riverbed NetProfiler Security Technical Implementation Guide
Date: 2023-01-11

Details

Check Text (C-59753r882743_chk)
Review the site's System Security Plan (SSP) to determine which personnel are assigned to each NetProfiler role.

Go to Administration >> Account Management >> User Accounts.

Go to the Roles-Attributes Mapping section of the RADIUS, TACACS+, or SAML tab of the Configuration >> Account Management >> Remote Authentication page.

If account roles are not configured, or if the roles assigned do not match the site's SSP, this is a finding.
Fix Text (F-59696r882744_fix)
All individual admin accounts must be configured on an authentication server. In addition, the NetProfiler must be configured to point to a PKI-based authentication server, and the NetProfiler roles must be mapped to the authorization attributes on that server.

The following is an example using RADIUS. Refer to the user's guide for instructions for TACACS+ or SAML.

Users who do not have a NetProfiler or NetExpress account must have both their authentication information (login name, password) and authorization information (user role indicated by the value of the Class attribute or the Cascade-User-Role attribute) specified on the RADIUS server. The values of the RADIUS authorization attributes must be mapped to their corresponding user roles on NetProfiler or NetExpress.

The values on the RADIUS server and the values on NetProfiler or NetExpress must match for the user to be logged on. To map the NetProfiler or NetExpress user roles to RADIUS authorization attributes:

1. Click "Edit" in the Roles-Attributes Mapping section of the RADIUS tab of the Configuration >> Account Management >> Remote Authentication page.
2. For the first user role, click "Add new attribute" to display an edit box.
3. Select the RADIUS authorization attribute (Class or Cascade-User-Role). (If assigning the Restricted user account role, use the Restricted-Filter attribute to limit the account to traffic specified by traffic expressions. Refer to the in-product help system for additional information about Restricted user accounts.)
4. Enter the value of the attribute that is required for a RADIUS-authorized user to be logged on in this user role.
5. If applicable, click "Add new attribute" to add another mapping.
6. Continue with the next user role that is to be authorized by RADIUS.
7. When the RADIUS authorization attributes have been mapped to their corresponding NetProfiler user roles, click "Save".
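As an added illustration (not part of the STIG, and not Riverbed's or DISA's code), the following Python script models the check performed above: it parses a constructed FreeRADIUS-style users file excerpt, resolves each login to a NetProfiler role through a constructed Roles-Attributes Mapping of the kind entered in steps 1 to 7, and compares the result with constructed SSP role assignments. Logins, role names, attribute values and the file layout are all assumptions; the only NetProfiler-specific names used are the Class and Cascade-User-Role attributes named in the fix text. A user whose attribute value is not an exact match for a mapping entry resolves to no role, which is what the fix text's "values must match" requirement implies.

```python
"""Audit helper: compare RADIUS authorization attributes, the NetProfiler
Roles-Attributes Mapping and the site's SSP.  Added example, not vendor code;
all sample data below is constructed."""
import re

# Constructed FreeRADIUS-style "users" excerpt.  First line of each entry is
# the login and a check item; indented lines are reply items.  Passwords are
# placeholders, not real credentials.
SAMPLE_USERS_FILE = """\
alice   Cleartext-Password := "PLACEHOLDER"
        Class = "np-administrator"

bob     Cleartext-Password := "PLACEHOLDER"
        Cascade-User-Role = "np-operator"

carol   Cleartext-Password := "PLACEHOLDER"
        Class = "np-Operator"

dave    Cleartext-Password := "PLACEHOLDER"
        Reply-Message = "no role attribute here"
"""

# Constructed Roles-Attributes Mapping: RADIUS attribute value -> role.
SAMPLE_MAPPING = {
    "np-administrator": "Administrator",
    "np-operator": "Operator",
}

# Constructed SSP assignments: the role each person is authorized to hold.
SAMPLE_SSP = {
    "alice": "Administrator",
    "bob": "Operator",
    "carol": "Operator",
    "dave": "Monitor",
    "erin": "Operator",  # in the SSP but never provisioned on RADIUS
}

# The two authorization attributes the fix text says NetProfiler consults.
AUTHZ_ATTRIBUTES = ("Class", "Cascade-User-Role")


def parse_users_file(text):
    """Return {login: {attribute: value}} keeping only authorization attributes."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new entry
            current = line.split()[0]
            users[current] = {}
            continue
        m = re.match(r'\s*([\w-]+)\s*=\s*"([^"]*)"', line)
        if m and current is not None and m.group(1) in AUTHZ_ATTRIBUTES:
            users[current][m.group(1)] = m.group(2)
    return users


def effective_roles(users, mapping):
    """Resolve each login to the role its attribute value maps to (exact match),
    or None when no attribute is sent or its value is not in the mapping."""
    resolved = {}
    for login, attrs in users.items():
        role = None
        for attr in AUTHZ_ATTRIBUTES:
            if attr in attrs and attrs[attr] in mapping:
                role = mapping[attrs[attr]]
                break
        resolved[login] = role
    return resolved


def audit(users_text, mapping, ssp):
    """Return a list of findings; an empty list means the mapping matches the SSP."""
    findings = []
    if not mapping:
        findings.append("no Roles-Attributes Mapping configured")
    users = parse_users_file(users_text)
    resolved = effective_roles(users, mapping)
    for login, expected in sorted(ssp.items()):
        if login not in users:
            findings.append(f"{login}: in SSP as {expected} but has no RADIUS account")
        elif resolved[login] is None and not users[login]:
            findings.append(f"{login}: RADIUS sends no Class/Cascade-User-Role attribute")
        elif resolved[login] is None:
            findings.append(f"{login}: attribute value {users[login]} matches no mapping entry")
        elif resolved[login] != expected:
            findings.append(f"{login}: RADIUS grants {resolved[login]}, SSP assigns {expected}")
    for login in sorted(set(users) - set(ssp)):
        findings.append(f"{login}: RADIUS account with no SSP assignment")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS_FILE, SAMPLE_MAPPING, SAMPLE_SSP):
        print("FINDING:", finding)
```

Run against the constructed data, the script reports carol (her Class value differs in case from the mapping entry, so she cannot log on in the Operator role), dave (no authorization attribute at all) and erin (assigned a role in the SSP but absent from the RADIUS server); alice and bob resolve to the roles the SSP assigns them. Exporting the real users list and mapping into the same shapes is the part a site would have to supply.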