| V-94217 | | If Symantec ProxySG filters externally initiated traffic, reverse proxy services must be configured. | Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access polic... |
| V-94219 | | Symantec ProxySG providing intermediary services for remote access communications traffic must ensure outbound traffic is monitored for compliance with remote access security policies. | Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access polic... |
| V-94223 | | Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrect... |
| V-94225 | | Symantec ProxySG storing secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key d... |
| V-94231 | | Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and cont... |
| V-94233 | | Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules. | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-94235 | | Symantec ProxySG providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. | Display of a standardized and approved use notification before granting access to the network ensures that privacy and security notification verbiage ... |
| V-94237 | | Symantec ProxySG providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security... |
| V-94239 | | Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-94241 | | Symantec ProxySG providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-94243 | | Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful attempts to access web resources occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-94245 | | Symantec ProxySG must produce audit records containing information to establish what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or... |
| V-94247 | | Symantec ProxySG must produce audit records containing information to establish when (date and time) the events occurred. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In... |
| V-94249 | | Symantec ProxySG must produce audit records containing information to establish where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. I... |
| V-94251 | | Symantec ProxySG must produce audit records containing information to establish the source of the events. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. ... |
| V-94253 | | Symantec ProxySG must produce audit records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if ch... |
| V-94255 | | Symantec ProxySG must generate audit records containing information to establish the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-94257 | | Symantec ProxySG must use a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-94259 | | Symantec ProxySG must be configured to send the access logs to the centralized log server continuously. | Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in ... |
| V-94261 | | Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. | Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely aff... |
| V-94263 | | The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal... |
| V-94265 | | Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal... |
| V-94267 | | Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the norma... |
| V-94269 | | Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the norma... |
| V-94271 | | Symantec ProxySG must not have unnecessary services and functions enabled. | Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and service... |
| V-94273 | | Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services. | Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies ... |
| V-94277 | | Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. In addition to the reauthentication r... |
| V-94285 | | Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to nonprivileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of ... |
| V-94287 | | Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the... |
| V-94289 | | Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts. | To assure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and c... |
| V-94291 | | Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-94293 | | Symantec ProxySG must prohibit the use of cached authenticators after 300 seconds at a minimum. | If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies ... |
| V-94295 | | Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individua... |
| V-94297 | | Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked... |
| V-94299 | | Symantec ProxySG providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles. | Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and... |
| V-94303 | | Symantec ProxySG providing forward proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-94305 | | Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-94307 | | Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-94309 | | Symantec ProxySG providing reverse proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-94313 | | If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Non-DoD-approved PKIs have not been evaluated to ensure they have security controls and identity vetting procedures in place that are sufficient for D... |
| V-94315 | | Symantec ProxySG must fail to a secure state upon failure of initialization, shutdown, or abort actions. | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Ne... |
| V-94317 | | Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gat... |
| V-94319 | | Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redund... |
| V-94321 | | Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performanc... |
| V-94323 | | Symantec ProxySG must allow incoming communications only from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffi... |
| V-94325 | | Symantec ProxySG must fail securely in the event of an operational failure. | If a boundary protection device fails in an unsecure manner (open), information external to the boundary protection device may enter, or the device ma... |
| V-94327 | | Symantec ProxySG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed. As a... |
| V-94329 | | Symantec ProxySG must identify and log internal users associated with denied outgoing communications traffic posing a threat to external information systems. | Without identifying the users who initiated the traffic, it would be difficult to identify those responsible for the denied communications. This requ... |
| V-94331 | | Symantec ProxySG must tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. | Providing too much information in error messages risks compromising the data and security of the application and system. Organizations must carefully... |
| V-94333 | | Symantec ProxySG providing content filtering must be configured to integrate with a system-wide intrusion detection system. | Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack. Integration o... |
| V-94335 | | Symantec ProxySG providing content filtering must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-94337 | | Symantec ProxySG providing content filtering must generate a log record when access attempts to unauthorized websites and/or services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-94339 | | Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when access attempts to unauthorized websites and/or services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-94341 | | Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. | If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traff... |
| V-94343 | | Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions. | If outbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traf... |
| V-94345 | | Symantec ProxySG providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss ... |
| V-94347 | | Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss ... |
| V-94221 | | Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrect... |
| V-94227 | | Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access contro... |
| V-94229 | | Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restrictin... |
| V-94275 | | Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-94279 | | Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-94281 | | Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges. | User account and privilege validation must be centralized to prevent unauthorized access using changed or revoked privileges. ALGs can implement func... |
| V-94283 | | Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers. | User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users onl... |
| V-94301 | | Symantec ProxySG must terminate all network connections associated with a communications session at the end of the session or terminate user sessions (nonprivileged session) after 15 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-94311 | | Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. ... |