
The IDPS auxiliary port or modem must be configured to use cryptography to protect the integrity of remote access sessions.


Overview

Finding ID: SRG-NET-000063-IDPS-000013
Version: SRG-NET-000063-IDPS-000013
Rule ID: SRG-NET-000063-IDPS-000013_rule
IA Controls: (none listed)
Severity: Medium
Description
If a modem is installed on the auxiliary port of the IDPS management console to provide direct remote management access, cryptographic mechanisms must be implemented to protect the integrity of the information exchanged over it. Unless such protection is in place, transmissions over commercial networks could be corrupted or altered by malicious traffic. This control requires the configuration of cryptographic modules with strong integrity protection.

Integrity protection is provided by the hashing algorithm used by the cryptographic module. Two hashing algorithms are approved for use in DoD; both produce a checksum that changes if the data is altered:
(i) Select the Secure Hash Algorithm (SHA-2).
(ii) Select a keyed, sequenced implementation of the Message Digest (MD5) algorithm only if SHA-2 is not available on the device.

Integrity protection also requires the following:
(i) The firmware of the device must be signed and verified using RSA 2048 or ECDSA with P256.
(ii) The firmware health checks must be authenticated with either a Hashed Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P256).
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text ( C-43125_chk )
Inspect the encryption configuration for the auxiliary port attached to the modem or the modem management application.
Verify the encryption module uses either the SHA-2 or MD5 hashing algorithm.
If the modem (rather than the auxiliary port) provides the integrity protection:
Verify the firmware of the modem is digitally signed using RSA 2048 or ECDSA with P256.
Verify the firmware health checks are authenticated with either HMAC-SHA256 or a digital signature (RSA 2048 or ECDSA P256).

If the auxiliary port or modem is not configured to use the SHA-2 or MD5 hashing algorithm, this is a finding. If the firmware of the modem is not digitally signed, this is a finding. If the firmware health checks are not authenticated, this is a finding.
Fix Text (F-43125_fix)
Configure the cryptographic module of the auxiliary port or the modem to use either the SHA-2 or the MD5 hashing algorithm.
If the modem (rather than the auxiliary port) provides the integrity protection:
Replace the modem firmware with a digitally signed version (signed using RSA 2048 or ECDSA with P256).
Enable authentication for the modem firmware health checks. Authentication will use either HMAC-SHA256 or a digital signature (RSA 2048 or ECDSA P256).
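The difference between a bare checksum and the keyed, sequenced authentication the requirement calls for is easiest to see in code. The following is an added illustration, not part of the SRG or of any vendor's modem software: a firmware health-check report authenticated with HMAC-SHA256 over a sequence number and the report body, checked by a verifier that rejects both altered reports and replayed ones. The key and report contents are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed placeholder key; a real deployment provisions this from a secure store.
KEY = bytes.fromhex("0f" * 32)


def health_check_tag(key: bytes, seq: int, report: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || report body).

    Binding the sequence number into the MAC is what makes the scheme
    "keyed, sequenced": an attacker without the key cannot forge a tag,
    and an old, genuine report cannot be re-sent under a new number.
    """
    return hmac.new(key, struct.pack(">Q", seq) + report, hashlib.sha256).digest()


class HealthCheckVerifier:
    """Receiver-side check for authenticated, monotonically sequenced reports."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def verify(self, seq: int, report: bytes, mac: bytes) -> bool:
        if seq <= self.last_seq:           # replayed or reordered report
            return False
        expected = health_check_tag(self.key, seq, report)
        if not hmac.compare_digest(expected, mac):   # constant-time compare
            return False                   # tampered report or wrong key
        self.last_seq = seq
        return True


def unkeyed_checksum_accepts_tampering() -> bool:
    """Shows why a plain SHA-256 checksum is not integrity protection on its own:
    anyone who alters the report can simply recompute the checksum."""
    original = b"fw=1.2.3;status=OK"
    altered = b"fw=1.2.3;status=FAIL"
    forged_checksum = hashlib.sha256(altered).digest()
    # The receiver, recomputing the unkeyed checksum, cannot tell it was altered.
    return hashlib.sha256(altered).digest() == forged_checksum and original != altered


if __name__ == "__main__":
    v = HealthCheckVerifier(KEY)
    report = b"fw=1.2.3;status=OK"
    print(v.verify(1, report, health_check_tag(KEY, 1, report)))   # True
    print(v.verify(1, report, health_check_tag(KEY, 1, report)))   # False: replay
```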