Forescout Network Device Management STIG Version Comparison
Forescout Network Device Management Security Technical Implementation Guide
Comparison
There are 2 differences between versions v1 r1 (Nov. 20, 2020) (the "left" version) and v2 r2 (Oct. 24, 2024) (the "right" version).
Check FORE-NM-000330 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
Left (v1 r1): Forescout must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Right (v2 r2): Forescout must be configured to use DOD-approved PKI rather than proprietary or self-signed device certificates.
Check Content
Left (v1 r1):
Navigate to the plugin tool and remove all unneeded or unsecure services.
1. Connect to the Forescout Console and select Tools >> Options >> Plugins.
2. Review the page that appears; it provides information for the list of plugins. If an unnecessary or nonsecure plugin is "Enabled", select the plugin and then select "Configure". If no configuration is present, this is a finding.
If any unnecessary or nonsecure functions are enabled, this is a finding.
Right (v2 r2):
1. Connect to the Forescout Console and select Tools >> Options >> Certificates >> Trusted Certificates. The System Certificates page appears and provides information for the list of local certificates.
2. Select a certificate to display the certificate details.
If Forescout does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Discussion
Left (v1 r1):
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Forescout is capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. Wireless is an example only of a service that is frequently unnecessary in many Forescout implementations. Reword more generically and be sure to look for modules that are not part of the UC ACL default and may have been installed by the site and therefore are not authorized for use in DoD.
Right (v2 r2):
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, Forescout generates a key-pair and a Certificate Signing Request (CSR). The CSR is sent to the approved certificate authority (CA), who signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a CSR, submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.
Fix
Left (v1 r1):
Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. The following is an example of disabling the wireless plugin if no wireless devices are directly managed by Forescout. Example ONLY:
1. Connect to the Forescout Console and select Tools >> Options >> Modules >> Network.
2. Determine if the wireless plugin is running. If it is running, click "Stop". If the user is logged in to the enterprise manager, this will stop it on all the appliances in the enterprise.
This process can be used to disable or remove plugins not being used.
Right (v2 r2):
Replace the network device's self-signed certificate with a CA-signed certificate for greater security. To obtain a CA-signed certificate, generate a certificate signing request (CSR) for the nodes in your deployment:
1. Navigate to Tools >> Options >> Certificates >> System Certificates.
2. On the right of the screen, click "Generate CSR".
3. Enter the option values for generating a CSR.
- Key Length: select an approved key length from the drop-down list.
- Signature Algorithm: select an approved algorithm from the drop-down list. Examples: RSA: rsa size <512 | 1024 | 2048 | 4096>; ECDSA: size <256 | 384>.
- Key Usages: check all items that apply (Client Authentication, Server Authentication, and Email Signing).
- Validity: <years>.
4. Click "Next".
Import the required trusted CA certificates by completing the following procedure:
1. Log in to the console.
2. Navigate to Tools >> Options >> Certificates >> Trusted Certificates.
3. Click "Add".
4. Specify the certificate file.
5. Ensure "Enable trusting this certificate" is checked.
6. Click "Next".
7. Click "Next" after reviewing the certificate data.
8. Ensure "All subsystems" is selected, and then click "Next".
9. Ensure "All Forescout devices" is selected, and then click "Finish".
10. Click "Apply".
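The CSR and trusted-CA steps in the right-hand Fix are console clicks, but both halves of the check (issue a CSR with parameters in the approved range, then decide whether an installed device certificate is self-signed or chains to an imported CA) can be reproduced with openssl so the result is verifiable outside the Forescout console. The script below is an added example; it is not STIG text or Forescout code, and the lab CA, hostnames, subjects and the ECDSA P-384 / SHA-384 choice are constructed stand-ins for a DOD-approved CA and real appliance names. One caveat a reviewer applies to the drop-down values listed in the Fix: RSA 512 and 1024 are below the 2048-bit minimum in NIST SP 800-131A, so only RSA at 2048 bits or more, or ECDSA P-256/P-384, count as approved.

```shell
#!/bin/sh
# Added example, not Forescout or STIG code. Reproduces FORE-NM-000330 with
# openssl: (1) generate a key pair and CSR with parameters in the approved
# range (ECDSA P-384 signed with SHA-384 here; RSA would need >= 2048 bits),
# (2) classify an installed device certificate as self-signed (a finding),
# untrusted (does not chain to the imported CA bundle, also a finding) or
# trusted. The CA, hostnames and subjects below are constructed lab values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an EC P-384 key pair and a SHA-384-signed CSR for one node.
#   $1 = output prefix (writes $1.key and $1.csr), $2 = subject CN
gen_csr() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1.key" 2>/dev/null
    openssl req -new -sha384 -key "$1.key" -out "$1.csr" \
        -subj "/C=US/O=U.S. Government/OU=DoD/CN=$2" 2>/dev/null
}

# Print "<public key algorithm> <bits>" for a PEM certificate, e.g.
# "id-ecPublicKey 384" or "rsaEncryption 2048", for the key-length check.
key_strength() {
    txt=$(openssl x509 -in "$1" -noout -text)
    alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    echo "$alg $bits"
}

# Classify a PEM certificate against a trusted-CA bundle (PEM). Prints
# "self-signed", "untrusted" or "trusted"; anything but "trusted" is the
# finding described in the check text.
classify_cert() {
    cert=$1; ca_bundle=$2
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    elif openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# --- Constructed lab data --------------------------------------------------
# Lab root CA standing in for a DOD-approved CA.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key" 2>/dev/null
openssl req -x509 -new -sha384 -key "$WORK/ca.key" -days 365 \
    -subj "/C=US/O=Lab/CN=Lab Root CA" -out "$WORK/ca.pem" 2>/dev/null

# Device A: CSR issued by the lab CA (what the Fix text asks for).
gen_csr "$WORK/devA" "forescout-em.lab.example"
openssl x509 -req -in "$WORK/devA.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha384 -out "$WORK/devA.pem" 2>/dev/null

# Device B: self-signed certificate, the condition that is a finding.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/devB.key" 2>/dev/null
openssl req -x509 -new -sha384 -key "$WORK/devB.key" -days 365 \
    -subj "/CN=forescout-appliance" -out "$WORK/devB.pem" 2>/dev/null

# Report: devA is trusted, devB is self-signed; both carry 384-bit EC keys.
for dev in devA devB; do
    printf '%s: %s (%s)\n' "$dev" \
        "$(classify_cert "$WORK/$dev.pem" "$WORK/ca.pem")" \
        "$(key_strength "$WORK/$dev.pem")"
done
```

To apply this to a real appliance, export the installed certificate from the System Certificates page and the imported bundle from Trusted Certificates, then run classify_cert and key_strength on those files; the subject/issuer comparison catches the self-signed case even when the certificate happens to be in the trust bundle, which openssl verify alone would accept.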