Check: AADC-AG-000103
A10 Networks ADC ALG STIG:
AADC-AG-000103
(in versions v2 r1 through v1 r1)
Title
The A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists. (Cat II impact)
Discussion
Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters) ensure that traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate. The URI White List defines the acceptable destination URIs allowed for incoming requests. The White List Check compares the URI of an incoming request against the rules contained in the URI White List policy file. Connection requests are accepted only if the URI matches a rule in the URI White List. Note: A URI Black List can also be configured, which takes priority over a URI White List. However, since deny-all, permit-by-exception is a fundamental principle, a URI White List is necessary.
Check Content
If the device is not used to load balance web servers, this is not applicable.
Review the device configuration. The following command displays WAF templates:
show slb template waf
If the configured WAF template does not have the "uri-wlistcheck" option configured, this is a finding.
Fix Text
If the device is used to load balance web servers, configure the URI White List. The following commands configure the ADC to compare incoming traffic against the URI White List:
slb template waf [template-name]
uri-wlistcheck [file-name]
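As an added example (not part of the STIG and not A10's own tooling), the check above can be automated: the script below parses WAF template output into per-template options and reports every template that has no "uri-wlistcheck" file configured. It assumes the device prints templates in the indented block style shown in the constructed sample, so adjust the regexes if your output differs; a template that only carries a Black List is still reported, matching the Discussion's deny-all, permit-by-exception point.

```python
import re
from typing import Dict, List

# Constructed sample output for two WAF templates. The indented block
# layout is an assumption about how the device prints
# `show slb template waf`; the second template has only a Black List.
SAMPLE_CONFIG = """\
slb template waf waf-compliant
  uri-wlistcheck uri-whitelist.txt
  uri-blistcheck uri-blacklist.txt
!
slb template waf waf-noncompliant
  uri-blistcheck uri-blacklist.txt
!
"""

TEMPLATE_RE = re.compile(r"^slb template waf (\S+)\s*$")
OPTION_RE = re.compile(r"^\s+(\S+)(?:\s+(.*))?$")


def parse_waf_templates(config: str) -> Dict[str, Dict[str, str]]:
    """Map each WAF template name to its {option: argument} pairs."""
    templates: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = TEMPLATE_RE.match(line)
        if m:
            current = m.group(1)
            templates[current] = {}
            continue
        if not line.strip() or line.strip() == "!":
            current = None  # end of the template block
            continue
        m = OPTION_RE.match(line)
        if current is not None and m:
            templates[current][m.group(1)] = (m.group(2) or "").strip()
    return templates


def audit_uri_whitelist(config: str) -> List[str]:
    """Names of templates that are a finding under AADC-AG-000103:
    no uri-wlistcheck option, or one configured without a file name."""
    return [name for name, opts in parse_waf_templates(config).items()
            if not opts.get("uri-wlistcheck")]


if __name__ == "__main__":
    for name in audit_uri_whitelist(SAMPLE_CONFIG):
        print(f"FINDING: WAF template '{name}' has no URI White List check")
```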
Additional Identifiers
Rule ID: SV-237052r639603_rule
Vulnerability ID: V-237052
Group Title: SRG-NET-000364-ALG-000122
CCIs
Number | Definition
---|---
CCI-002403 | The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
Controls
Number | Title
---|---
SC-7 (11) | Restrict Incoming Communications Traffic