Check: FORE-NM-000330
Forescout Network Device Management STIG:
FORE-NM-000330
(in version v2 r2)
Title
Forescout must use DOD-approved PKI rather than proprietary or self-signed device certificates. (Cat I impact)
Discussion
To mitigate the risk of unauthorized access to sensitive information, Forescout must use only certificates issued by DOD-approved PKIs rather than proprietary or self-signed device certificates. Forescout generates a key pair and a Certificate Signing Request (CSR). The CSR is sent to the approved certificate authority (CA), which signs it and returns it as a certificate; that certificate is then installed on the appliance. In full, obtaining a device PKI certificate requires generating the CSR, submitting it to the CA, approval of the request by a registration authority (RA), and retrieval of the issued certificate from the CA.
Check Content
Navigate to Tools >> Options >> Certificates >> System Certificates.
1. The System Certificates page appears and lists the local (device) certificates.
2. Select a certificate to display its details, including the issuer.
If Forescout does not obtain its public key certificates from an appropriate certificate policy through an approved service provider (for example, the certificate is self-signed, with issuer equal to subject, or was issued by a CA that is not DOD-approved), this is a finding.
Fix Text
Replace the self-signed certificate with a CA-signed certificate. To obtain a CA-signed certificate, generate a certificate signing request (CSR) for the nodes in your deployment:
1. Navigate to Tools >> Options >> Certificates >> System Certificates.
2. On the right of the screen, click "Generate CSR".
3. Enter the values for generating the CSR:
- Key Length: select an approved key length from the drop-down list (RSA 2048 bits or larger, or ECDSA 256 or 384 bits; 512- and 1024-bit RSA keys appear in the list but are not approved and must not be selected)
- Signature Algorithm: select an approved algorithm from the drop-down list
Examples: RSA: size <512 | 1024 | 2048 | 4096>; ECDSA: size <256 | 384>
- Key Usages: check all that apply (Client Authentication, Server Authentication, Email Signing)
- Validity: <years>
4. Click "Next".
Submit the resulting CSR to the DOD-approved CA and install the certificate it returns, as described in the Discussion.
Then import the required trusted CA certificates (the issuing CA and its chain):
1. Log in to the console.
2. Navigate to Tools >> Options >> Certificates >> Trusted Certificates.
3. Click "Add".
4. Specify the certificate file.
5. Ensure "Enable trusting this certificate" is checked.
6. Click "Next".
7. Review the certificate data and click "Next".
8. Ensure "All subsystems" is selected, and then click "Next".
9. Ensure "All Forescout devices" is selected, and then click "Finish".
10. Click "Apply".
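Added example, not part of the STIG or of Forescout's product: a POSIX shell script that performs the substance of this check from the outside, on a certificate file as the appliance would present it, and that walks the CSR-then-sign process the Discussion describes. It classifies a certificate as self-signed (issuer equals subject), as having a key outside the approved sizes, or as not chaining to a supplied bundle of DOD-approved CA certificates. The fixtures it builds with openssl are constructed for an offline run: a throwaway CA stands in for a DOD-approved CA. File names, the `--demo` flag and the return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the STIG or from Forescout): external check for
# FORE-NM-000330.  Requires the openssl command-line tool.
#
# check_cert CERT.pem CA_BUNDLE.pem
#   0 = CA-issued, approved key size, chains to the bundle
#   1 = self-signed (issuer DN equals subject DN)
#   2 = key not of an approved size (RSA < 2048, or EC not 256/384 bit)
#   3 = does not chain to the supplied CA bundle (only the bundle is trusted)
#   4 = file is not a parseable X.509 certificate
check_cert() {
    cert=$1
    bundle=$2

    subj=$(openssl x509 -in "$cert" -noout -subject) || return 4
    iss=$(openssl x509 -in "$cert" -noout -issuer) || return 4
    # Strip the "subject=" / "issuer=" prefixes so the two DN strings compare.
    subj=${subj#subject=}
    iss=${iss#issuer=}
    [ "$subj" != "$iss" ] || return 1

    # Key algorithm and size come from the human-readable dump:
    # "Public Key Algorithm: rsaEncryption" / "id-ecPublicKey" and
    # "Public-Key: (2048 bit)".
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | grep -oE '\([0-9]+ bit\)' | head -n 1 | tr -dc '0-9')
    case "$text" in
        *rsaEncryption*)  [ "$bits" -ge 2048 ] || return 2 ;;
        *id-ecPublicKey*) [ "$bits" -eq 256 ] || [ "$bits" -eq 384 ] || return 2 ;;
        *)                return 2 ;;
    esac

    # Trust only the supplied bundle, not the host's default CA store.
    openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# Constructed fixtures (hypothetical names): a throwaway CA standing in for a
# DOD-approved CA, a self-signed device certificate, and device certificates
# obtained the way the Discussion describes (key pair + CSR, CA signs the CSR).
make_fixtures() {
    d=$1
    openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=Example Root CA" -days 1 2>/dev/null
    # Self-signed device certificate: the finding this check exists to catch.
    openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$d/self.key" \
        -out "$d/selfsigned.crt" -subj "/CN=forescout.example" -days 1 2>/dev/null
    # RSA-2048 CSR signed by the CA: the compliant case.
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$d/dev.key" \
        -out "$d/dev.csr" -subj "/CN=forescout.example" 2>/dev/null
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/signed.crt" -days 1 2>/dev/null
    # ECDSA P-256 CSR signed by the CA: also an approved key size.
    openssl req -new -batch -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/ec.key" -out "$d/ec.csr" -subj "/CN=forescout.example" 2>/dev/null
    openssl x509 -req -in "$d/ec.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/ec.crt" -days 1 2>/dev/null
    # RSA-1024 CSR signed by the CA: correctly issued, but not an approved size.
    openssl req -new -batch -newkey rsa:1024 -nodes -keyout "$d/weak.key" \
        -out "$d/weak.csr" -subj "/CN=forescout.example" 2>/dev/null
    openssl x509 -req -in "$d/weak.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/weak.crt" -days 1 2>/dev/null
}

# Stand-alone run: build the fixtures and print each classification.
demo() {
    fx=$(mktemp -d)
    make_fixtures "$fx"
    for c in selfsigned signed ec weak; do
        rc=0
        check_cert "$fx/$c.crt" "$fx/ca.crt" || rc=$?
        echo "$c.crt: $rc"
    done
    rm -rf "$fx"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

To apply it to a live appliance, capture the certificate it presents with `openssl s_client -connect <appliance>:443 -showcerts </dev/null`, save the first PEM block, and pass it to `check_cert` together with a bundle of the DOD root and intermediate CA certificates. Equal subject and issuer is the usual signature of a self-signed certificate; to confirm, `openssl verify -CAfile cert.pem cert.pem` succeeds only when the certificate was signed with its own key.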
Additional Identifiers
Rule ID: SV-230959r1026165_rule
Vulnerability ID: V-230959
Group Title: SRG-APP-000142-NDM-000245
CCIs
Number | Definition |
---|---|
CCI-000382 | Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. |
Controls
Number | Title |
---|---|
CM-7 | Least Functionality |