Check: AADC-AG-000047
A10 Networks ADC ALG STIG:
AADC-AG-000047
(in versions v2 r1 through v1 r1)
Title
The A10 Networks ADC must not have any unnecessary or unapproved virtual servers configured. (Cat II impact)
Discussion
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. A virtual server is an instance where the device accepts traffic from outside hosts and redirects traffic to one or more real servers. In keeping with a deny-all, permit-by-exception policy, the services that the device provides to outside hosts must be only those that are necessary, documented, and approved.
Check Content
Review the configured servers, service groups, and virtual servers.

The following command shows information for SLB servers:
show slb server

The following command shows information for service groups (multiple servers):
show slb service-group

The following command shows information for virtual servers (the services visible to outside hosts):
show slb virtual-server

Ask the Administrator for the list of approved services being provided by the device and compare this against the output of the commands listed above. If there are more configured virtual servers than are approved, this is a finding.
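The comparison step above (device output versus the Administrator's approved list) is easy to get wrong by eye when a device carries dozens of virtual servers. The following script is an added example, not part of the STIG or of A10's own tooling: it parses a constructed, ACOS-style block of `slb virtual-server` configuration, compares each virtual server and its ports against an approved list, and reports anything extra as a finding. The exact line format of `show slb virtual-server` output is an assumption here; adapt the two regular expressions to what your device actually prints.

```python
import re

# Constructed sample in the style of ACOS running-config SLB sections.
# The format is an assumption for illustration, not captured device output.
SAMPLE_CONFIG = """\
slb virtual-server web-vip 192.0.2.10
  port 443 https
    service-group web-sg
slb virtual-server legacy-admin 192.0.2.20
  port 8080 http
    service-group admin-sg
slb virtual-server api-vip 192.0.2.30
  port 443 https
    service-group api-sg
  port 22 tcp
    service-group ssh-sg
"""

# Hypothetical approved-services list supplied by the Administrator:
# virtual server name -> set of (port, service type) tuples that are documented and approved.
APPROVED = {
    "web-vip": {(443, "https")},
    "api-vip": {(443, "https")},
}

VS_RE = re.compile(r"^slb virtual-server (\S+) (\S+)")
PORT_RE = re.compile(r"^\s+port (\d+) (\S+)")


def parse_virtual_servers(text):
    """Return {name: {"ip": str, "ports": set((port, type))}} from config-style text."""
    servers = {}
    current = None
    for line in text.splitlines():
        m = VS_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {"ip": m.group(2), "ports": set()}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            servers[current]["ports"].add((int(m.group(1)), m.group(2)))
    return servers


def find_unapproved(servers, approved):
    """List (vs_name, port_or_None, reason) for every configured item not on the approved list."""
    findings = []
    for name, info in servers.items():
        if name not in approved:
            # The whole virtual server is unapproved: one finding, regardless of port count.
            findings.append((name, None, "virtual server not on approved list"))
            continue
        # Virtual server is approved, but check each exposed port against its approved set.
        for port in sorted(info["ports"] - approved[name]):
            findings.append((name, port, "port/service not approved for this virtual server"))
    return findings


def audit(text, approved):
    return find_unapproved(parse_virtual_servers(text), approved)


if __name__ == "__main__":
    for name, port, reason in audit(SAMPLE_CONFIG, APPROVED):
        where = f"{name}" if port is None else f"{name} port {port[0]}/{port[1]}"
        print(f"FINDING: {where}: {reason}")
```

Running it against the constructed sample flags `legacy-admin` as an unapproved virtual server and `api-vip` port 22/tcp as an unapproved service on an otherwise approved virtual server; an empty result means the configured services match the approved list for this check.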
Fix Text
Do not configure a server, service group, or virtual server for any unnecessary or unapproved service.
Additional Identifiers
Rule ID: SV-237039r639564_rule
Vulnerability ID: V-237039
Group Title: SRG-NET-000202-ALG-000124
Expert Comments
CCIs
Number | Definition
---|---
CCI-001109 | The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
Controls
Number | Title
---|---
SC-7 (5) | Deny By Default / Allow By Exception