Check: SRG-NET-000400-ALG-000097
Application Layer Gateway (ALG) SRG (SRG):
SRG-NET-000400-ALG-000097
(in version v1 r2)
Title
The ALG providing user authentication intermediary services must transmit only encrypted representations of passwords. (Cat II impact)
Discussion
Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. This requirement applies to ALGs that provide user authentication intermediary services. This does not apply to authentication for the purpose of configuring the device itself (device management).
Check Content
If the ALG does not provide user authentication intermediary services, this is not applicable. Verify the ALG transmits only encrypted representations of passwords. If the ALG does not transmit only encrypted representations of passwords, this is a finding.
Fix Text
If user authentication intermediary services are provided, configure the ALG to transmit only encrypted representations of passwords.
Additional Identifiers
Rule ID: SV-68771r1_rule
Vulnerability ID: V-54525
Group Title: SRG-NET-000400-ALG-000097
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
Controls
| Number | Title |
|---|---|
| IA-5 (1) |
Password-Based Authentication |