| V-94653 | | Symantec ProxySG must be configured with only one local account that is used as the account of last resort. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local da... |
| V-94659 | | Symantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI). | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management informati... |
| V-94661 | | Symantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-94665 | | Symantec ProxySG must enable event access logging. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-94667 | | Symantec ProxySG must be configured to support centralized management and configuration of the audit log. | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious beha... |
| V-94671 | | Symantec ProxySG must compare internal information system clocks at least every 24 hours with an authoritative time server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-94673 | | Symantec ProxySG must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-94675 | | Symantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-94677 | | Symantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-94679 | | Symantec ProxySG must back up event logs onto a different system or system component than the system or component being audited. | Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or ont... |
| V-94681 | | Symantec ProxySG must employ automated mechanisms to centrally verify authentication settings. | The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network de... |
| V-94683 | | Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important... |
| V-94685 | | Symantec ProxySG must use Role-Based Access Control (RBAC) to assign privileges to users for access to files and functions. | Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizationa... |
| V-94687 | | Symantec ProxySG must employ automated mechanisms to centrally apply authentication settings. | The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network de... |
| V-94689 | | Symantec ProxySG must support organizational requirements to conduct backups of system level information contained in the ProxySG when changes occur or weekly, whichever is sooner. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configurat... |
| V-94691 | | Symantec ProxySG must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agenci... |
| V-94693 | | Symantec ProxySG must configure the maintenance and health monitoring to send an alarm when a critical condition occurs for a component. | Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's securi... |
| V-94697 | | Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-94699 | | Symantec ProxySG must configure SNMPv3 so that cryptographically-based bidirectional authentication is used. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-94701 | | Symantec ProxySG must be configured to enforce a minimum 15-character password length for local accounts. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-94705 | | Symantec ProxySG must not have a default manufacturer passwords when deployed. | Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, whi... |
| V-94663 | | Symantec ProxySG must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-94669 | | Symantec ProxySG must generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, securi... |
| V-94413 | | Symantec ProxySG must enable Attack Detection. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-94655 | | Symantec ProxySG must be configured to enforce user authorization to implement least privilege. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-94657 | | Symantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges. | It is important that administrative access (SSH, web) to an appliance using the account of last resort be able to be restricted to only the appropriat... |
| V-94695 | | Symantec ProxySG must use only approved management services protocols. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-94703 | | Symantec ProxySG must transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-94707 | | Symantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol. | Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide co... |
| V-94709 | | The Symantec ProxySG Web Management Console and SSH sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. | This requirement requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and ... |
| V-94711 | | The Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-94713 | | Symantec ProxySG must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
